Comprehensive Guide to Identifying Application Execution in Windows Forensics

When investigating digital forensics cases, confirming application execution is crucial. Whether analyzing malware execution, tracking user activity, or validating forensic evidence, understanding where and how to find execution artifacts is essential.

However, putting them all together in a structured way helps streamline investigations.

------------------------------------------------------------------------------------------------------------

Key Artifacts for Identifying Application Execution

Each artifact provides unique insights, and choosing the right one depends on the investigation’s requirements. Below is a list of the most important artifacts, along with links to detailed articles that explain their forensic significance.

1. ShimCache (AppCompatCache)

ShimCache is a valuable artifact for identifying application execution, especially when prefetching is disabled. However, it does not provide timestamps for execution, only last modification times.

• Understanding Microsoft’s Application Compatibility Cache (ShimCache) in Digital Forensics

• Understanding AppCompatCache tool for ShimCache Forensic Analysis

2. TaskBar Feature Usage

This artifact helps track executed applications based on user interactions with the Windows Taskbar.

• TaskBar FeatureUsage: Tracking executed Applications

3. Amcache.hve

Amcache.hve is one of the most reliable sources for identifying program execution, storing detailed information about executed applications, including timestamps.

• Understanding Amcache.hve: A Powerful Forensic Artifact

• Mastering AmcacheParser and appcompatprocessor.py for Amcache.hiv Analysis

4. Jump Lists

Jump Lists store data about recently opened applications and files, making them useful for tracking execution history.

• Windows Taskbar Jump Lists: A Forensic Goldmine

• Mastering JLECmd for Windows Jump List Forensics

5. Prefetch Files

Prefetch files record program execution details, including the exact timestamp of when an application was last run.

• Windows Prefetch Files: A Forensic Goldmine for Tracking Program Execution

• Prefetch Analysis with PECmd and WinPrefetchView

6. Program Compatibility Assistant (PCA)

This artifact logs execution history when an application triggers compatibility warnings.

• Evidence of Execution: Program Compatibility Assistant (PCA)

7. CapabilityAccessManager

This registry artifact logs application access to sensitive components like the microphone and camera, indirectly confirming execution.

• Tracking Microphone and Camera Usage in Windows (Program Execution: CompatibilityAccessManager)

8. SRUM (System Resource Usage Monitor)

SRUM records extensive details about executed applications, including their network usage and execution time.

• SRUM: Unveiling Insights for Digital Investigations

9. Last Visited MRU (Most Recently Used)

This registry artifact provides insights into recently accessed applications and files.

• Windows Registry Artifacts: Insights into User Activity (Last Visited MRU/ Open Save MRU)

10. Run Dialog (RunMRU)

Tracking commands executed in the Windows Run dialog provides additional evidence of application execution.

• Windows Registry Artifacts: Insights into User Activity (RunMRU)

11. RADAR and MUICache

RADAR and MUICache provides extensive details about executed applications

• Using RADAR and MUICache for Evidence of Execution in Windows

----------------------------------------------------------------------------------------------------------

Conclusion

Each of these artifacts plays a unique role in application execution analysis. While some provide direct evidence with timestamps, others offer indirect indicators. Depending on the investigation's requirements, a combination of these sources ensures a more comprehensive analysis.

------------------------------------------------------Dean-----------------------------------------