BAM & DAM
Background Activity Moderator (BAM) & Desktop Activity Moderator (DAM)
Purpose and Function
The Background Activity Moderator (BAM) and its predecessor, the Desktop Activity Moderator (DAM), are Windows services designed to manage and control the resource consumption of background applications. Introduced in Windows 10 (Fall Creators Update, version 1709), the BAM's primary system function is to ensure that background processes do not negatively impact system performance or battery life by throttling their activities.
From a DFIR perspective, this moderation service creates a powerful forensic artifact. To perform its function, the BAM/DAM service maintains a record of applications it has monitored. This record is stored in the Windows Registry and acts as a log of executed programs, often capturing execution evidence that other artifacts might miss.
Location and Structure
The BAM and DAM data is stored within a specific set of keys in the SYSTEM registry hive. Accessing this location requires administrator privileges.
Location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{User_SID}
For DAM (older systems):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{User_SID}
Within each user-specific SID key, the data is stored as a series of registry values.
Value Name: The name of each value is the full path to the executed program, written in Windows NT device path notation (e.g., \Device\HarddiskVolumeX\...).
Value Data: The data for each value is a binary structure. The most forensically significant part of this structure is an 8-byte FILETIME timestamp, which represents the last time the application was monitored by the service.
Stored Metadata and Behavior
The BAM/DAM artifact provides two key pieces of information for each entry:
Full Path of the Executable: The registry value name provides the complete path to the program that was executed. This is crucial for identifying exactly which file was run and from what location (e.g., a USB drive, a temporary folder, etc.).
Last Execution Timestamp: The FILETIME timestamp within the value's binary data indicates the last time the program was seen running by the BAM service. This timestamp is updated not just upon initial execution but also upon subsequent interactions or closures, making it a high-precision indicator of recent activity.
Unlike Prefetch, which primarily logs .exe files, the BAM/DAM is known to log the execution of a wider range of application types. However, its main focus remains on executable files.
A critical characteristic of this artifact is its volatility. Entries within the BAM registry keys can be overwritten as new applications are run and monitored. Furthermore, these registry keys can be deliberately cleared by users with sufficient privileges or by cleanup utilities.
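As an added example (not code from the original page), the following Python decoder turns BAM/DAM UserSettings values of the shape described above into a timeline, run here on constructed sample data rather than a live hive. It assumes the FILETIME occupies the first 8 bytes of the value data (little-endian) and that the volume-to-drive-letter map is supplied by the examiner.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_bam_entry(value_name: str, value_data: bytes):
    """Return (nt_path, last_seen_utc) for one BAM/DAM value, or None.
    Only values named with an NT device path and holding at least the leading
    8-byte FILETIME (assumed layout) count as entries; short bookkeeping values are skipped."""
    if not value_name.startswith("\\Device\\") or len(value_data) < 8:
        return None
    (ticks,) = struct.unpack_from("<Q", value_data, 0)
    return value_name, filetime_to_datetime(ticks)

def nt_path_to_drive(nt_path: str, volume_map: dict) -> str:
    """Map \\Device\\HarddiskVolumeN\\... to a drive letter with an examiner-supplied
    volume map (assumed input); unknown volumes stay in NT notation."""
    for device, letter in volume_map.items():
        if nt_path.startswith(device + "\\"):
            return letter + nt_path[len(device):]
    return nt_path

def parse_user_key(values, volume_map, since=None):
    """Parse the (name, data) values of one {User_SID} key into
    (path, last_seen_utc) rows, newest first, optionally only since a cutoff."""
    rows = []
    for name, data in values:
        parsed = parse_bam_entry(name, data)
        if parsed is None:
            continue
        path, seen = parsed
        if since is None or seen >= since:
            rows.append((nt_path_to_drive(path, volume_map), seen))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample key: two entries (the second an hour earlier) plus one
# 4-byte bookkeeping value. FILETIME 133549866000000000 = 2024-03-15 14:30 UTC.
SAMPLE_VALUES = [
    ("\\Device\\HarddiskVolume3\\Users\\alice\\Downloads\\tool.exe",
     struct.pack("<Q", 133549866000000000) + bytes(16)),
    ("\\Device\\HarddiskVolume3\\Windows\\System32\\notepad.exe",
     struct.pack("<Q", 133549866000000000 - 36_000_000_000) + bytes(16)),
    ("Version", struct.pack("<I", 1)),
]
SAMPLE_VOLUMES = {"\\Device\\HarddiskVolume3": "C:"}
```

Passing a `since` cutoff restricts the output to entries last seen within the window of interest, which is the usual first pass when correlating BAM against Prefetch or other timeline sources.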
Forensic Value
The BAM/DAM is an essential execution artifact, especially when Prefetch data is unavailable or has been tampered with. Its value in an investigation stems from several key points:
High-Precision Timestamps: It provides a precise timestamp of the last known activity, which is vital for building accurate timelines.
Full Path Information: It records the exact location from which a program was run, helping to track the origin of malicious executables.
Complementary Evidence: It often captures executions that might not generate a Prefetch file or whose Prefetch entry has been deleted, serving as an excellent source of corroborating evidence.
Evidence of Tampering: Because the data resides in a known registry location, evidence of its deletion can often be recovered from registry slack space or by observing that the key's "LastWrite" time has been recently modified. Specialized forensic tools can often highlight recently deleted BAM entries, turning an attempt to clear tracks into direct evidence of malicious intent.
Reflection points (SS Contest)
For a ScreenSharer, the BAM is another primary source for proving "in instance" execution, often with high precision.
Direct Proof of Execution: Finding the path to a cheat executable in the BAM keys with a recent timestamp is direct and compelling evidence of its use.
Catching Bypass Attempts: The BAM is particularly effective at detecting cheats that are executed and then quickly deleted. While the file itself may be gone, its execution record can persist in the BAM.
Detecting "Fileless" Loaders: Some bypass techniques use legitimate executables to launch malicious code. The execution of the initial loader (e.g., a suspicious PowerShell or CMD script host) might be logged in the BAM, providing a critical lead for the investigation.