Notes on Evidence of Execution - davepo/AKA GitHub Wiki
Evidence of Execution
Notes on items to consider when investigating evidence of execution. This is not an all-encompassing list and is presented in no particular order.
Amcache
- Amcache.hve, a registry hive file located in '...Windows\AppCompat\Programs'
- Records executables inventoried on the system: the full path, a SHA-1 hash (computed over the first 31 MB of the file), the time the entry was written (often close to first execution), and, for installed applications, install and removal details. An entry shows that the file was present and inventoried; on its own it is not proof that the file ran.
ShimCache (AppCompatCache)
- Located in the SYSTEM registry hive, in the AppCompatCache value under the '...\Control\Session Manager\AppCompatCache' key
- A component of the Windows Application Compatibility framework (which identifies applications that need compatibility shims); a binary is added when the system checks it for shims, which usually, but not only, happens when it is launched.
- Stores each file's path and the Last Modified timestamp from the MFT's $STANDARD_INFORMATION attribute; this is a file modification time, not an execution time. Windows 10 entries carry no execution flag and are only flushed to the registry at shutdown or reboot, so the hive on disk lags the in-memory cache.
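Parsing the AppCompatCache value data in its Windows 10 layout, as an added example (this code is not part of this wiki or of AKA). The value data is a constructed sample that the block builds itself; the paths and timestamps in it are made up. Entries are in most-recently-inserted order, and the timestamp is the file's $STANDARD_INFORMATION last-modified time, which is why the result is labelled last_modified rather than executed.

```python
import datetime
import struct

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime; used only to build the sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache_win10(data):
    """Parse the AppCompatCache value in its Windows 10 layout.

    Header: 32-bit header size at offset 0 (0x30 on 1507/1511, 0x34 on 1607+).
    Entry:  '10ts' | 4 unknown | 4 entry data size | 2 path size | path (UTF-16LE)
            | 8 last-modified FILETIME | 4 extra data size | extra data
    The first entry is the most recently inserted one (MRU order).
    """
    (header_size,) = struct.unpack_from("<I", data, 0)
    pos = header_size
    entries = []
    while pos + 12 <= len(data) and data[pos:pos + 4] == b"10ts":
        (entry_size,) = struct.unpack_from("<I", data, pos + 8)
        cursor = pos + 12
        (path_len,) = struct.unpack_from("<H", data, cursor)
        cursor += 2
        path = data[cursor:cursor + path_len].decode("utf-16-le")
        cursor += path_len
        (mtime_ft,) = struct.unpack_from("<Q", data, cursor)
        cursor += 8
        (extra_len,) = struct.unpack_from("<I", data, cursor)
        cursor += 4 + extra_len
        if cursor != pos + 12 + entry_size:
            raise ValueError(f"entry size mismatch at offset {pos}")
        entries.append({
            "position": len(entries),             # 0 = most recently inserted
            "path": path,
            "last_modified": filetime_to_datetime(mtime_ft),   # file mtime, not execution time
        })
        pos = cursor
    return entries


def build_sample_appcompatcache(entries):
    """Constructed Windows 10 (1607+) value: 0x34-byte header, then one '10ts' record per entry."""
    header = struct.pack("<I", 0x34).ljust(0x34, b"\x00")
    body = b""
    for path, mtime in entries:
        encoded = path.encode("utf-16-le")
        payload = (struct.pack("<H", len(encoded)) + encoded
                   + struct.pack("<Q", datetime_to_filetime(mtime))
                   + struct.pack("<I", 0))            # no extra data
        body += b"10ts" + b"\x00" * 4 + struct.pack("<I", len(payload)) + payload
    return header + body


UTC = datetime.timezone.utc
# Constructed sample: two entries, newest insertion first
SAMPLE_CACHE = build_sample_appcompatcache([
    (r"C:\Users\analyst\Downloads\invoice.exe", datetime.datetime(2023, 5, 16, 9, 2, 11, tzinfo=UTC)),
    (r"C:\Windows\System32\cmd.exe", datetime.datetime(2022, 11, 3, 7, 45, 0, tzinfo=UTC)),
])

if __name__ == "__main__":
    for entry in parse_appcompatcache_win10(SAMPLE_CACHE):
        print(entry["position"], entry["last_modified"].isoformat(), entry["path"])
```

To use it on real data, export the AppCompatCache value from an offline SYSTEM hive (for example with a regf parser) and pass the raw bytes in; Windows 7 and 8 hives use different header sizes and entry layouts, which this parser deliberately rejects by not finding the '10ts' signature.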
UserAssist
- Located in each user's NTUSER.DAT hive under '...\Explorer\UserAssist\{GUID}\Count'; value names are ROT13 encoded
- Tracks programs launched through the Explorer GUI (not from a console), recording a run count, focus count, focus time, and last executed time for each entry
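Decoding one UserAssist value, as an added example that is not part of this wiki or of AKA. The value name and the 72-byte data blob are constructed here (the run count, focus figures and timestamp are made up); the 72-byte layout is the Windows 7 and later one, and the known-folder GUID table is a small subset used to expand the path prefix.

```python
import codecs
import datetime
import struct

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

# Known-folder GUIDs that prefix many UserAssist entries (subset of KNOWNFOLDERID)
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"%ProgramFiles(x86)%",
}


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime; used only to build the sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist_value(value_name, data):
    """Decode one value under ...\\UserAssist\\{GUID}\\Count (Windows 7+ 72-byte layout).

    Offsets: 0 session id, 4 run count, 8 focus count, 12 focus time in ms,
    16..59 per-application float fields (not decoded), 60 last-executed FILETIME.
    """
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte Windows 7+ value, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    program = codecs.decode(value_name, "rot13")   # ROT13 touches only A-Z / a-z
    expanded = program
    for guid, folder in KNOWN_FOLDERS.items():
        if program.upper().startswith(guid):
            expanded = folder + program[len(guid):]
            break
    return {
        "program": program,
        "expanded": expanded,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": datetime.timedelta(milliseconds=focus_ms),
        # a zero FILETIME means the entry exists but was never launched
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Constructed sample: the ROT13 form of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime.datetime(2023, 5, 17, 14, 30, 0, tzinfo=datetime.timezone.utc)
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 7, 12, 90_000)      # session, run count, focus count, focus ms
    + b"\xff" * 44                               # float fields, left undecoded
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4                                # trailing unknown dword
)

if __name__ == "__main__":
    for key, value in parse_userassist_value(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:12} {value}")
```

The two GUID subkeys under UserAssist that matter most are {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts); the value names under their Count keys are what this function decodes.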
JumpLists
- Located in each user's '...\AppData...' Recent folder as '*.automaticDestinations-ms' and '*.customDestinations-ms' files, one per application (named by the application's AppID)
- Contain the user's frequently or recently accessed items for that application; automatic destinations are maintained by Windows, custom destinations by the application itself, and each embedded entry is an LNK structure carrying the target path and timestamps
Prefetch
- .pf files located in the '...\Windows\Prefetch' folder, named 'EXENAME-HASH.pf'
- Windows component that speeds up application startup by recording which files an executable touches in its first seconds
- Provides the name of the executable, the files and DLLs it loaded, a run count, and the last run time (Windows 8 and later keep the last eight run times). Windows 10 and later store the files compressed (they start with an 'MAM' signature), so they must be decompressed before parsing.
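Parsing a prefetch file, as an added example (not part of this wiki or of AKA). The parser handles the uncompressed Windows 7 layout (format version 23) and refuses compressed Windows 10 files instead of silently misreading them. The .pf bytes are constructed by the block itself: the executable name, hash value, run count, timestamp and loaded-file list are all made up.

```python
import datetime
import struct

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime; used only to build the sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_compressed(buf):
    """Windows 10+ prefetch files start with 'MAM' and are LZXPRESS-Huffman compressed."""
    return buf[:3] == b"MAM"


def parse_prefetch_v23(buf):
    """Parse a Windows 7 (format version 23) .pf file held in memory.

    Header (84 bytes): 0 version, 4 'SCCA', 12 file size, 16 exe name (60 bytes
    UTF-16LE), 76 prefetch hash.  Version 23 file information: 100 filename-strings
    offset, 104 filename-strings size, 128 last run FILETIME, 152 run count.
    """
    if is_compressed(buf):
        raise ValueError("MAM-compressed prefetch file; decompress it before parsing")
    version, signature, _unused, file_size = struct.unpack_from("<I4sII", buf, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file")
    if version != 23:
        raise ValueError(f"format version {version} is not handled by this parser")
    exe_name = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", buf, 76)
    strings_off, strings_size = struct.unpack_from("<II", buf, 100)
    (last_run_ft,) = struct.unpack_from("<Q", buf, 128)
    (run_count,) = struct.unpack_from("<I", buf, 152)
    raw = buf[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {
        "exe_name": exe_name,
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",   # should match the on-disk name
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run_ft),
        "loaded_files": [s for s in raw.split("\x00") if s],   # null-terminated UTF-16LE list
        "file_size": file_size,
    }


def build_sample_prefetch(exe_name, pf_hash, run_count, last_run, loaded):
    """Constructed v23 file: 84-byte header + 156-byte file info + filename strings.
    The metrics, trace-chain and volume sections are left empty."""
    strings = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in loaded)
    strings_off = 84 + 156
    total = strings_off + len(strings)
    header = struct.pack("<I4sII", 23, b"SCCA", 0x11, total)
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", pf_hash, 0)
    info = struct.pack("<IIIIIIIII", strings_off, 0, strings_off, 0,      # offsets 84..119
                       strings_off, len(strings), total, 0, 0)
    info += b"\x00" * 8                                         # 120 unknown
    info += struct.pack("<Q", datetime_to_filetime(last_run))   # 128 last run time
    info += b"\x00" * 16                                        # 136 unknown
    info += struct.pack("<I", run_count)                        # 152 run count
    info += b"\x00" * (156 - len(info))                         # pad to 156 bytes
    return header + info + strings


UTC = datetime.timezone.utc
SAMPLE_PF = build_sample_prefetch(
    "CALC.EXE", 0x2D0C6E2A, 4,                                   # hash value is made up
    datetime.datetime(2023, 5, 17, 14, 31, 5, tzinfo=UTC),
    [r"\VOLUME{01d8a2b3c4d5e6f7-a1b2c3d4}\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\VOLUME{01d8a2b3c4d5e6f7-a1b2c3d4}\WINDOWS\SYSTEM32\KERNEL32.DLL",
     r"\VOLUME{01d8a2b3c4d5e6f7-a1b2c3d4}\WINDOWS\SYSTEM32\CALC.EXE"],
)

if __name__ == "__main__":
    result = parse_prefetch_v23(SAMPLE_PF)
    print(result["expected_filename"], result["run_count"], result["last_run"].isoformat())
    print("\n".join(result["loaded_files"]))
```

A mismatch between expected_filename and the name the file actually has on disk is worth noting: it means the file was renamed or the executable ran from a different path than its name suggests.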
Recent Apps
- A registry key located in the NTUSER.DAT hive ('...\Search\RecentApps'), present only in some Windows 10 builds
- Lists recently run programs, one subkey per GUID holding the executable path (AppId), LaunchCount and LastAccessedTime, with RecentItems subkeys for some of the files the program accessed
Background Activity Monitor (BAM)
- Located in the SYSTEM registry hive under '...\Services\bam\State\UserSettings\{SID}' (Windows 10 1709 and later; early builds omit the State subkey)
- Records, per user SID, the full device path of each executable run (as the value name) and the last time it executed (a FILETIME in the first 8 bytes of the value data); because entries are grouped by SID, BAM ties an execution to a user account. The Desktop Activity Moderator (dam) key next to it has the same layout.
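Decoding one user's BAM subkey, as an added example (not part of this wiki or of AKA). The SID, the value names and the timestamps are constructed; the device-to-drive-letter map is an assumption the analyst supplies (in practice it comes from the MountedDevices key of the same hive), and the 16 bytes after the FILETIME are left undecoded.

```python
import datetime
import struct

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime; used only to build the sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_bam_user_settings(sid, values, volume_map=None):
    """Decode the values of one ...\\bam\\State\\UserSettings\\{SID} subkey.

    values: {value name: raw value data}.  Executable entries are named by their
    NT device path and carry the last-execution FILETIME in the first 8 bytes of
    a 24-byte blob; 'Version' and 'SequenceNumber' are key metadata and skipped.
    volume_map translates \\Device\\HarddiskVolumeN prefixes to drive letters.
    """
    volume_map = volume_map or {}
    results = []
    for name, data in values.items():
        if not name.startswith("\\") or len(data) < 8:
            continue                                   # metadata value, not an executable
        (last_run_ft,) = struct.unpack_from("<Q", data, 0)
        path = name
        for device, letter in volume_map.items():
            if name.startswith(device + "\\"):
                path = letter + name[len(device):]
                break
        results.append({
            "sid": sid,
            "device_path": name,
            "path": path,
            "last_run": filetime_to_datetime(last_run_ft),
        })
    results.sort(key=lambda entry: entry["last_run"], reverse=True)   # newest first
    return results


def _bam_blob(dt):
    """Constructed 24-byte BAM value: FILETIME followed by 16 bytes we do not decode."""
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16


UTC = datetime.timezone.utc
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"   # constructed SID
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 3),
    r"\Device\HarddiskVolume3\Windows\explorer.exe":
        _bam_blob(datetime.datetime(2023, 5, 17, 8, 0, 0, tzinfo=UTC)),
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
        _bam_blob(datetime.datetime(2023, 5, 17, 14, 30, 0, tzinfo=UTC)),
    r"\Device\HarddiskVolume3\Users\analyst\Downloads\invoice.exe":
        _bam_blob(datetime.datetime(2023, 5, 17, 14, 35, 20, tzinfo=UTC)),
}
SAMPLE_VOLUMES = {r"\Device\HarddiskVolume3": "C:"}   # assumed mapping for this sample

if __name__ == "__main__":
    for entry in parse_bam_user_settings(SAMPLE_SID, SAMPLE_VALUES, SAMPLE_VOLUMES):
        print(entry["last_run"].isoformat(), entry["sid"], entry["path"])
```

Sorting newest-first and keeping the SID on every row makes it easy to merge several users' subkeys into one timeline and to spot an executable run from a user-writable location shortly before other suspicious activity.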
USN Journal
- An NTFS metafile, '$Extend\$UsnJrnl', whose '$J' alternate data stream holds a record of changes (create, delete, rename, data overwrite and similar) made to files on the volume, including files that no longer exist.
- Note: This is not currently extracted by AKA, but will be added in a future update.