Description Windows Background Activity Moderator (BAM) Location Win10: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID} Investigative Notes Provides full path of the executable file that was run on the system and last execution date/time
Description • Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables. • Tracks the executables file name, file size, last modified time, and in Windows XP the last update time
Interpretation: Any executable run on the Windows system could be found in this key. You can use this key to identify systems that specific malware was executed on. In addition, based on the interpretation of the time-based data you might be able to determine the last time of execution or activity on the system. • Windows XP contains at most 96 entries - LastUpdateTime is updated when the files are executed • Windows 7 contains at most 1,024 entries - LastUpdateTime does not exist on Win7 systems
c.f) Windows 10 Timeline
Description Win10 records recently used applications and files in a “timeline” accessible via the “WIN+TAB” key. The data is recorded in a SQLite database.
Interpretation Each GUID key points to a recent application. AppID = Name of Application LastAccessTime = Last execution time in UTC LaunchCount = Number of times executed
