
Program Execution: UserAssist Registry Key || Shimcache/Amcache || BAM/DAM

1. UserAssist Key

Understanding the UserAssist Key:

The UserAssist key, located within the NTUSER.DAT hive of the Windows registry, contains valuable information about GUI program executions initiated by users.

This key stores details such as the last run time, run count, name of the GUI application, focus time, and focus count for each program launched in Windows Explorer.


Analyzing UserAssist Data:

Forensic analysts can leverage the UserAssist key to uncover important details about program executions, including:


Last Run Time (UTC): The timestamp indicating when a program was last executed by the user.

Run Count: The number of times a program has been executed on the system.

Name of GUI Application: The name or identifier of the GUI application launched by the user.

Focus Time and Focus Count: Metrics indicating the total time an application has been in focus and the number of times it was re-focused in Windows Explorer.

Understanding GUIDs and Execution Modes:

Entries under the UserAssist key are grouped beneath GUID-named subkeys; on Windows 7 and later these distinguish executable file executions from shortcut file executions. For example:

GUIDs for Windows XP:

5E6AB780 represents Internet Toolbar,

75048700 signifies Active Desktop.

GUIDs for Windows 7 and higher:

CEBFF5CD denotes executable file execution,

F4E57C4B indicates shortcut file execution.

By analyzing these GUIDs, forensic analysts can discern how users interact with applications, whether through direct executions or shortcut activations.
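The following Python is an added illustration, not code from the original post: it decodes a UserAssist value name (the names are stored ROT13-encoded) and unpacks the two value layouts the post describes, the 72-byte Windows 7+ format with run count, focus count, focus time and last-run FILETIME, and the 16-byte Windows XP format. The full GUID subkey names are supplied here from their documented values (the post lists only the first eight hex digits), and the sample value bytes are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Documented UserAssist GUID subkeys (full values; the post quotes the first 8 hex digits).
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable file execution (Windows 7+)",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) file execution (Windows 7+)",
    "{5E6AB780-7743-11CF-A12B-00AA004AE837}": "Internet Toolbar (Windows XP)",
    "{75048700-EF1F-11D0-9888-006097DEACF9}": "Active Desktop (Windows XP)",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def describe_subkey(guid):
    """Map a UserAssist GUID subkey name to the execution mode it records."""
    return USERASSIST_GUIDS.get(guid.upper(), "unknown UserAssist GUID")


def decode_name(rot13_name):
    """Value names under <GUID>\\Count are ROT13-encoded program paths."""
    return codecs.decode(rot13_name, "rot13")


def parse_userassist_value(name, data):
    """Parse one Count value. Windows 7+ values are 72 bytes; Windows XP values are 16 bytes."""
    entry = {"program": decode_name(name)}
    if len(data) == 72:
        # Win7+ layout: 0x00 session id, 0x04 run count, 0x08 focus count,
        # 0x0C focus time in ms, 0x10..0x3B ten floats, 0x3C last-run FILETIME, 0x44 unknown.
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (last_run,) = struct.unpack_from("<Q", data, 60)
        entry.update(run_count=run_count, focus_count=focus_count,
                     focus_time=timedelta(milliseconds=focus_ms),
                     last_run_utc=filetime_to_datetime(last_run))
    elif len(data) == 16:
        # XP layout: 0x00 session id, 0x04 run count, 0x08 last-run FILETIME.
        # The XP counter is documented to start at 5, so a stored 6 means one execution.
        _session, raw_count, last_run = struct.unpack("<IIQ", data)
        entry.update(run_count=max(raw_count - 5, 0),
                     last_run_utc=filetime_to_datetime(last_run))
    else:
        entry["error"] = f"unexpected value length {len(data)}"
    return entry


def demo_userassist():
    """Constructed sample: one value as it might sit under the executable GUID's Count subkey."""
    guid = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
    name = r"P:\Jvaqbjf\flfgrz32\pzq.rkr"  # ROT13 of C:\Windows\system32\cmd.exe
    last_run_ft = 133497936000000000       # constructed: 2024-01-15 12:00:00 UTC
    data = (struct.pack("<4I", 0, 3, 5, 120000)   # session, 3 runs, 5 focus events, 120 s focus
            + b"\x00" * 44                          # ten unknown floats + padding
            + struct.pack("<Q", last_run_ft)        # FILETIME at offset 60
            + b"\x00" * 4)
    return describe_subkey(guid), parse_userassist_value(name, data)


if __name__ == "__main__":
    kind, entry = demo_userassist()
    print(kind)
    for key, value in entry.items():
        print(f"  {key}: {value}")
```

On a real image the value names and bytes come from the `Count` subkey under each GUID in `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist`; the parser above is what you run on each (name, data) pair once a registry library has read them out.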



2. Shimcache (Application Compatibility Cache) / Amcache Hive

Shimcache Purpose:

Windows checks whether an application needs to be "shimmed" (compatibility properties applied) so that it can run on the current OS or under the parameters of an older OS.

AppCompatCache tracks the executable file's last modification date, its file path, and whether it was executed.

• Advanced: An application is shimmed again (with an additional entry) if its file content is updated or the file is renamed. This is useful for proving that an application was moved, renamed, or even time stomped (if the current file's modification time differs from the ShimCache modification time).
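The comparison described in the "Advanced" point above, as an added example that is not part of the original post: given Shimcache entries as a parser would emit them (path plus the modification time recorded at shim time) and the current on-disk modification times, the function flags files whose timestamp went backwards (consistent with time stomping), files updated after shimming, and files that are no longer at the recorded path but share an identical modification time with another cache entry (consistent with a move or rename, which leaves the modification time intact). All paths and timestamps in the sample are constructed.

```python
from datetime import datetime, timezone
from pathlib import PureWindowsPath


def _utc(*args):
    """Shorthand for timezone-aware UTC timestamps."""
    return datetime(*args, tzinfo=timezone.utc)


def reconcile_shimcache(entries, current_mtimes):
    """Compare Shimcache entries with the current on-disk modification times.

    entries: list of (path, shim_mtime), where shim_mtime is the file modification time
             the cache recorded when the file was shimmed.
    current_mtimes: dict path -> current modification time, or None when no file exists
             at that path any more.
    Returns a list of (path, finding, detail) tuples; unchanged files produce nothing.
    """
    # A rename or move does not alter the modification time, so entries that share an
    # identical mtime under different paths are candidates for the same file.
    by_mtime = {}
    for path, shim_mtime in entries:
        by_mtime.setdefault(shim_mtime, []).append(path)

    findings = []
    for path, shim_mtime in entries:
        current = current_mtimes.get(path)
        if current is None:
            siblings = [p for p in by_mtime[shim_mtime] if p != path]
            if siblings:
                findings.append((path, "moved or renamed",
                                 f"not present at this path; an entry with the identical "
                                 f"modification time exists as {siblings[0]}"))
            else:
                findings.append((path, "deleted",
                                 "not present and no other entry shares its modification time"))
        elif current < shim_mtime:
            # A modification time cannot legitimately move backwards: the timestamp was
            # reset after the file was shimmed.
            findings.append((path, "possible time stomping",
                             f"current mtime {current.isoformat()} is earlier than ShimCache "
                             f"mtime {shim_mtime.isoformat()}"))
        elif current > shim_mtime:
            findings.append((path, "modified after shimming",
                             f"current mtime {current.isoformat()} is later than ShimCache "
                             f"mtime {shim_mtime.isoformat()}; expect a newer cache entry"))
    return findings


def demo_shimcache():
    """Constructed sample data, not taken from any real system."""
    entries = [
        (r"C:\Users\Public\util.exe",           _utc(2023, 11, 2, 9, 30)),
        (r"C:\Windows\System32\calc.exe",       _utc(2023, 6, 1, 8, 0)),
        (r"C:\Users\Public\Temp\util.exe",      _utc(2023, 11, 2, 9, 30)),  # same mtime as above
        (r"C:\Program Files\App\updater.exe",   _utc(2023, 9, 10, 12, 0)),
    ]
    current_mtimes = {
        r"C:\Users\Public\util.exe":         _utc(2023, 11, 2, 9, 30),  # unchanged
        r"C:\Windows\System32\calc.exe":     _utc(2019, 1, 1, 0, 0),    # mtime went backwards
        r"C:\Users\Public\Temp\util.exe":    None,                      # moved to C:\Users\Public
        r"C:\Program Files\App\updater.exe": _utc(2023, 10, 1, 12, 0),  # legitimately updated
    }
    return reconcile_shimcache(entries, current_mtimes)


if __name__ == "__main__":
    for path, finding, detail in demo_shimcache():
        print(f"{finding:25} {path}\n    {detail}")
```

The Shimcache only records the modification time, not the execution time, so the output is evidence about the file's history rather than about when it ran; pair it with UserAssist, Amcache or BAM/DAM for execution timing.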


Amcache Purpose:

• Application Experience Service

• A newer AppCompat structure that holds much additional information


For a deeper treatment, see my previous blog posts:

• Forensic Collection of Execution Evidence through AppCompatCache (Shimcache)/Amcache.hve

• Shimcache/Amcache Analysis: Tools --> AppCompatCacheParser.exe / AmcacheParser.exe

• Amcache.hve Analysis: Tool --> Registry Explorer

3. BAM/DAM

BAM (Background Activity Moderator) and DAM (Desktop Activity Moderator) record information about executed programs, including the path of the executable and the date/time of its last execution.


The DAM is specifically found on systems with connected standby, a feature that allows Windows to remain powered on while the screen is turned off, similar to the standby mode on smartphones. The DAM helps manage desktop application access to extend battery life while ensuring that system processes can still function effectively.


On the other hand, the BAM is associated with a kernel mode driver service that was introduced in Windows 10 version 1709. While there is limited official information available about the BAM, forensic analysts have observed similarities between the information recorded in BAM and DAM keys.


Within these registry keys, you can find entries corresponding to various programs. Each entry will contain details such as the full path of the executable and the timestamp of the last execution.


SYSTEM hive (BAM/DAM):

SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

SYSTEM\CurrentControlSet\Services\Dam\UserSettings\{SID}
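As an added example (not code from the original post), the Python below turns the values found under one `{SID}` key into execution records. It assumes the values have already been read out of the SYSTEM hive as (name, type, data) tuples with a registry library; each program entry is a REG_BINARY value whose name is the executable path and whose first eight bytes are the last-execution FILETIME, while the `Version` and `SequenceNumber` DWORDs are key metadata and are skipped. The key list includes, beside the two paths the post gives, the `State\UserSettings` layout that later Windows 10 builds use, which is a known variant rather than something stated on this page. The SID, path, timestamp and device-to-drive mapping in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

REG_BINARY = 3
REG_DWORD = 4
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per-user BAM/DAM keys: the two paths from the post plus the State\UserSettings layout
# used by later Windows 10 builds. A collection script should check all four.
BAM_DAM_KEYS = [
    r"SYSTEM\CurrentControlSet\Services\bam\UserSettings",
    r"SYSTEM\CurrentControlSet\Services\bam\State\UserSettings",
    r"SYSTEM\CurrentControlSet\Services\dam\UserSettings",
    r"SYSTEM\CurrentControlSet\Services\dam\State\UserSettings",
]


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def resolve_device_path(path, volume_map):
    """Replace a \\Device\\HarddiskVolumeN prefix with a drive letter.

    volume_map (e.g. {r"\Device\HarddiskVolume3": "C:"}) is supplied by the analyst;
    building it from the SYSTEM hive's MountedDevices key is outside this example.
    Paths with an unknown prefix are returned unchanged.
    """
    lowered = path.lower()
    for device, letter in volume_map.items():
        prefix = device.lower()
        # Require a path separator after the prefix so HarddiskVolume3 does not match Volume30.
        if lowered.startswith(prefix + "\\"):
            return letter + path[len(device):]
    return path


def parse_bam_values(sid, values, volume_map=None):
    """Parse the values of one ...\\UserSettings\\{SID} key.

    values: iterable of (name, reg_type, data) as read from the registry.
    Returns one record per executable with the last execution time in UTC.
    """
    volume_map = volume_map or {}
    records = []
    for name, reg_type, data in values:
        if reg_type != REG_BINARY or name in ("Version", "SequenceNumber"):
            continue  # key metadata, not a program entry
        if len(data) < 8:
            continue  # too short to hold a FILETIME; skip rather than misreport
        (ft,) = struct.unpack_from("<Q", data, 0)
        records.append({
            "sid": sid,
            "raw_path": name,
            "path": resolve_device_path(name, volume_map),
            "last_run_utc": filetime_to_datetime(ft),
        })
    return records


def demo_bam():
    """Constructed sample: values as they might appear under one BAM {SID} key."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
    last_run_ft = 133497936000000000                          # constructed: 2024-01-15 12:00:00 UTC
    values = [
        ("Version", REG_DWORD, struct.pack("<I", 1)),
        ("SequenceNumber", REG_DWORD, struct.pack("<I", 42)),
        (r"\Device\HarddiskVolume3\Windows\System32\cmd.exe", REG_BINARY,
         struct.pack("<Q", last_run_ft) + b"\x00" * 16),
    ]
    return parse_bam_values(sid, values, {r"\Device\HarddiskVolume3": "C:"})


if __name__ == "__main__":
    for rec in demo_bam():
        print(rec["sid"], rec["last_run_utc"], rec["path"])
```

Because the SID is the subkey name, attribution to a user account comes for free; resolve the SID against the ProfileList key or SAM hive to name the account, and treat the timestamp as the last execution only, since earlier runs of the same program are overwritten.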



Akash Patel


