Notes on Evidence of Execution - davepo/AKA GitHub Wiki

Evidence of Execution

Notes on items to consider when investigating evidence of execution. This is not an all-encompassing list and is presented in no particular order.
For a more extensive and in-depth resource, see Andrea Fortuna's blog post "Forensic Artifacts: evidences of program execution on Windows systems".

Amcache

  • Amcache.hve, a registry file located in '...Windows\Appcompat\Programs'
  • Provides execution path, first executed time, deleted time, and first installation.

ShimCache (AppCompatCache)

  • Located in the SYSTEM registry hive '...\SessionManager\AppCompatCache' key
  • A component of the Windows Application Compatibility Database (identifies application compatibility issues).
  • Records the Last Modified timestamp taken from the file's MFT Standard Information attribute (not the time of execution).

UserAssist

  • Located in the SOFTWARE registry hive
  • Tracks GUI-based application launches (programs started through Explorer).

JumpLists

  • Located in each user's '...\AppData...' folder as 'automaticDestinations-ms' and 'customDestinations-ms' files.
  • Contain the user's frequently or recently accessed items.

Prefetch

  • .pf files located in the '...\Windows\Prefetch' folder
  • Windows component to speed up application startup
  • Provides the name of the executable, DLLs used, a count of times run, and a timestamp for the last time run.
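An added example, not code from the AKA project: a minimal Python reader that pulls exactly the three fields listed above (executable name, run count, last run time) out of an uncompressed Prefetch header. Field offsets follow the publicly documented layout for format versions 17 (XP), 23 (Win7) and 26 (Win8); Windows 10 files (version 30) are MAM-compressed and are deliberately out of scope, and the sample input is constructed in the block.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets (from file start) of the fields the page mentions, per format
# version. Versions 17/23/26 are stored uncompressed; Win8 (26) keeps the
# last 8 run times instead of one. Win10 (30) is MAM-compressed: not handled.
_LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "run_slots": 1},
    23: {"last_run": 0x80, "run_count": 0x98, "run_slots": 1},
    26: {"last_run": 0x80, "run_count": 0xD0, "run_slots": 8},
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return _EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, run count and last run time(s) from a .pf buffer."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    if version not in _LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version}")
    lay = _LAYOUT[version]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    times = []
    for i in range(lay["run_slots"]):
        ft = struct.unpack_from("<Q", data, lay["last_run"] + 8 * i)[0]
        if ft:  # unused slots on Win8+ are zero
            times.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    return {"version": version, "executable": exe_name, "hash": pf_hash,
            "run_count": run_count, "last_runs": times}

def build_sample(version, exe_name, run_count, last_runs):
    """Constructed test input: a minimal header with only the fields above set."""
    lay = _LAYOUT[version]
    buf = bytearray(lay["run_count"] + 4)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    for i, dt in enumerate(last_runs):
        ticks = ((dt - _EPOCH) // timedelta(microseconds=1)) * 10
        struct.pack_into("<Q", buf, lay["last_run"] + 8 * i, ticks)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    return bytes(buf)
```

Run times are returned as timezone-aware UTC datetimes; on Windows 8 and later the first populated slot is the most recent run.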

Recent Apps

  • A registry key located in the NTUSER.DAT hive
  • Lists recently run programs (by GUID) and some of the files they accessed.

Background Activity Monitor (BAM)

  • Located in the SYSTEM registry hive
  • Tracks background application paths, executables, and last time executed.

USN Journal

  • An NTFS metafile named '$Extend\$UsnJrnl' that maintains a record of changes made to files on the volume.
  • Note: This is not currently extracted by AKA, but will be added in a future update.