Evidence of Execution - Windows
Windows Prefetch
The purpose of Prefetch is to speed up the launch of frequently used applications. A background process monitors an application for approximately the first 10 seconds after launch and records which files the OS interacts with on its behalf; this applies to both GUI and CLI programs.
It is stored on the file system under %SystemRoot%\Prefetch (C:\Windows\Prefetch).
To get the first execution time and the last 8 execution times:
Anti Forensics
You can delete a prefetch file using SDELETE.exe, but doing so leaves a prefetch file for SDELETE.exe itself.
Shim Cache
Registry location:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Note: cannot be used as evidence of execution on Windows 8+
Tool for analysis:
AppCompatCacheParser.exe --csv c:\Users\GhosHex\Desktop --csvf sinm.csv
AM Cache
Tracks installed packages, loose executables and drivers. Cannot be used as evidence of execution.
Hive location:
C:\Windows\AppCompat\Programs\Amcache.hve
PCA
Program Compatibility Assistant: an execution artifact for both GUI and CLI applications, present in Windows 11.
Location:
C:\Windows\appcompat\PCA
MUI Cache
UsrClass.dat - Multilingual User Interface cache. It was introduced for language purposes, but it can be leveraged as a per-user execution artifact for GUI applications. There is no timestamp.
Registry location:
HKCU\software\classes\local settings\software\microsoft\windows\shell\MuiCache
User Assist
NTUSER.dat
Registry location:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Keys:
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} - tracks application execution
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} - tracks link (.lnk) files
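Added example, not part of these notes: a small Python parser for one UserAssist value of the kind stored under the first GUID key. It decodes the ROT13-encoded value name and reads the run count and last-executed FILETIME from the 72-byte Windows 7+ value layout (assumed here; earlier Windows versions use a shorter layout). The sample entry is constructed inline, so it runs offline without a registry hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None if zero)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_entry(value_name, value_data):
    """Decode one UserAssist value (assumed Windows 7+ layout, 72 bytes).

    Value names are ROT13-encoded program paths. In the binary data the
    run count sits at offset 4, focus count at 8, focus time (ms) at 12,
    and the last-executed FILETIME at offset 60.
    """
    if len(value_data) < 68:
        raise ValueError("value too short for a Windows 7+ UserAssist entry")
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": struct.unpack_from("<I", value_data, 4)[0],
        "focus_count": struct.unpack_from("<I", value_data, 8)[0],
        "focus_time_ms": struct.unpack_from("<I", value_data, 12)[0],
        "last_executed": filetime_to_datetime(
            struct.unpack_from("<Q", value_data, 60)[0]),
    }

def build_sample_entry(path, run_count, last_executed):
    """Constructed sample: build a value the way the registry stores it."""
    delta = last_executed - _FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    struct.pack_into("<Q", data, 60, ft)
    return codecs.encode(path, "rot_13"), bytes(data)

# Constructed sample: a third run of an anti-forensics tool on 2024-05-01 12:30 UTC
SAMPLE_NAME, SAMPLE_DATA = build_sample_entry(
    r"C:\Tools\sdelete.exe", 3,
    datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE_NAME)                                   # ROT13 name as stored
    print(parse_userassist_entry(SAMPLE_NAME, SAMPLE_DATA))
```

Even when Prefetch has been wiped, the run count and last-executed time in this per-user artifact still record that the tool was launched.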
SRUM
System Resource Utilization Monitor
Records program execution, energy usage, detailed application usage (about 30 days of history), network connectivity and push notification data.
Location:
c:\windows\system32\sru\srudb.dat
Parse the SOFTWARE hive alongside SRUM to get more information.