Program Execution

This chapter delves into the most critical category of forensic artifacts for any screenshare investigation: Program Execution. These artifacts provide the tangible evidence needed to answer the fundamental question: Was an unauthorized program launched on this system? We will explore a range of artifacts, from the high-precision logs of Prefetch and the Background Activity Moderator (BAM), to the historical databases of Amcache and the System Resource Usage Monitor (SRUM).

A crucial concept for interpreting this evidence is temporal precision—the level of detail an artifact provides about when an event occurred. Some artifacts offer high precision, capable of pinpointing an execution down to the minute and second. These include Prefetch, which records the last eight run times, and BAM/DAM, which logs the timestamp of the last interaction with an executable. They are the primary sources for establishing recent, time-sensitive activity.
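As an added example (not code from the original chapter) of how the high-precision BAM timestamps described above are decoded, the following Python walks an exported `UserSettings\<SID>` dictionary and orders executables by last interaction. The registry location and 24-byte value layout are standard BAM behaviour; the SID, paths and timestamps are constructed sample data.

```python
r"""Decode Background Activity Moderator (BAM) values into an execution timeline.
Per SID, HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> holds
one value per executable: the name is its NT device path and the data a 24-byte
blob whose first 8 bytes are a little-endian FILETIME of the last interaction."""
import struct
from collections import namedtuple
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BamEntry = namedtuple("BamEntry", "sid path last_run")

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_bam(user_settings: dict) -> list:
    """Walk {SID: {value_name: value_data}} and return entries newest first; the
    per-SID 'Version' and 'SequenceNumber' DWORDs (not 24 bytes) are skipped."""
    entries = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            if len(data) != 24:
                continue
            (ft,) = struct.unpack_from("<Q", data, 0)
            entries.append(BamEntry(sid, name, filetime_to_datetime(ft)))
    return sorted(entries, key=lambda e: e.last_run, reverse=True)

def executed_since(entries: list, cutoff_iso: str) -> list:
    """Paths whose last BAM interaction is at or after an ISO-8601 UTC cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    return [e.path for e in entries if e.last_run >= cutoff]

def _blob(dt: datetime) -> bytes:
    # Constructed 24-byte BAM value: FILETIME followed by 16 zero bytes.
    return struct.pack("<Q", datetime_to_filetime(dt)) + bytes(16)

SAMPLE_BAM = {  # constructed sample, not data from a real system
    "S-1-5-21-1111-2222-3333-1001": {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 42),
        r"\Device\HarddiskVolume3\Windows\System32\notepad.exe":
            _blob(datetime(2024, 1, 15, 12, 30, 45, tzinfo=timezone.utc)),
        r"\Device\HarddiskVolume3\Users\alice\Downloads\sample.exe":
            _blob(datetime(2024, 1, 15, 13, 2, 10, tzinfo=timezone.utc)),
    },
}
```

Because BAM keeps only the most recent interaction per executable, `executed_since` answers "what ran after the cutoff" but cannot show earlier runs of the same binary.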

Conversely, other artifacts provide invaluable proof of execution but with less temporal granularity. Artifacts like Amcache/Syscache, RecentFileCache, UserAssist, and SRUM may not reliably show the most recent execution time, but they offer other critical insights:

  • Historical Proof: They confirm that a program was executed at some point in the past, even if other more volatile traces have been cleared.

  • Identification via Hash: Amcache is particularly powerful as it stores the SHA1 hash of an executable, allowing identification even if the file has been renamed to evade detection.

  • User and System Context: UserAssist links program executions directly to a specific user profile, while SRUM provides data on network usage and resource consumption, helping to attribute activity and understand its impact.

  • Long-Term Persistence: SRUM and Activities Cache can retain execution data for weeks or months, often surviving cleanup attempts that target more common artifacts.

Understanding the strengths and limitations of each of these artifacts is essenti
