Evidence of Execution

Notes on items to consider when investigating evidence of execution. This is not an all-encompassing list and is presented in no particular order.

For an more extensive and in-depth resource, please see Andrea Fortuna's blog post "Forensic Artifacts: evidences of program execution on Windows systems"

Amcache

• Amcache.hve, a registry file located in '...Windows\Appcompat\Programs'
• Provides execution path, first executed time, deleted time, and first installation.

ShimCache (AppCompatCache)

• Located in the SYSTEM registry hive '...\SessionManager\AppCompatCache' key
• A component of the Windows Application Compatibility Database (identifies application compatibility issues).
• Provides the MFT's Standard Information section Last Modified timestamp

UserAssist

• Located in the SOFTWARE registry hive
• Tracks GUI based components

JumpLists

• Located in each Users ...\AppData...' folder as 'automaticdestinations-ms' and 'customdestinations-ms' files.
• Contains the users frequently or recently accessed items.

Prefetch

• .pf files located in the '...\Windows/Prefetch' folder
• Windows component to speed up application startup
• Provides the name of the executable, DLLs used, a count of times run, and a timestamp for the last time run.

Recent Apps

• A registry key located in the NTUSER.DAT hive
• Lists recently run programs (by GUID) and some of the files they accessed.

Background Activity Monitor (BAM)

• Located in the SYSTEM registry hive
• Tracks background application paths, executables, and last time executed.

USN Journal

• An NTFS metafile named $Extend$UsnJrnl that maintains a record of changes made to files on the volume.
• Note: This is not currently extracted by AKA, but will be added in a future update.