As a special feature of our blog—special guest postings by experts, clients, and other professionals—please enjoy this blog entry from Jonathan Karchmer, a senior managing consultant at iDiscovery Solutions.
Determining whether programs or malware actually ran on a system is an important goal of seasoned examiners when investigating computer evidence. Generally, there are several artifacts left behind anytime executables are run—regardless of whether the program is Outlook, Chrome, or something malicious. Today we’ll cover some artifacts we encounter on Windows systems.
Prefetch: This could be the most well-known artifact that examiners focus on when looking to see which programs have run on a system. Around since Windows XP, its purpose is to launch applications faster and decrease errors that might occur on first launch. From an investigation standpoint, Prefetch files can provide details not only about when applications launched, but about where they were launched from. On current systems, metadata such as dates of execution is embedded in these files.
We do see instances where Prefetch files are deleted by those who want to hide their tracks, since this process is not difficult. These files are also deleted regularly during the normal course of operation—something to consider. In instances where Prefetch is not enabled or when no Prefetch files are left behind, we have other places on the system to look for evidence of program execution—for example, the registry.
UserAssist: Focused on Graphical User Interface (GUI) programs, this registry key tracks the run count of executables, as well as the last date and time of execution. Its information is embedded in the registry hive file for the user account under which the executable was run, which is important to note in case there are rogue or multiple user accounts on a system. UserAssist also provides context around how a given executable was run; that is, it can help answer whether the program was launched from a shortcut file or run directly. For experienced investigators, this can be a powerful detail when piecing together a timeline of activity, as well as when differentiating between applications that were clicked on directly and those launched through another process.
ShimCache: This Windows Application Compatibility Database, stored in the SYSTEM registry hive, assists with executable compatibility across different operating system versions. Basically, ShimCache tracks programs for purposes of determining whether they will run on the current system. Older programs sometimes don’t get along with newer operating systems, so when a program runs, ShimCache checks it for compatibility. A caveat is that programs may be listed here even if they were simply browsed and not executed, so it’s important to note which entries are also flagged as having run. For examiners, the ShimCache is a go-to on systems such as servers where Prefetch may be disabled, since it can help determine if and when malware was executed on a system.
AmCache: This file, a registry hive in its own right, tracks the filename and path of executables that have been run while also providing a hash value of the executable, which can be useful in tracking whether those executables also appear on other systems. With this information, examiners may discover that executables are being run from volumes other than the local C: drive, such as USB devices. This could focus investigations on rogue USB usage, as well as on rogue users on premises.
Why do computers track so much information about you? Microsoft and other developers are constantly looking to improve the “user experience” to allow your operating system to make helpful suggestions. For instance, over time, your system may offer to open a recently used program or a recently used document for you. Thankfully, for skilled forensic investigators like those I work alongside at iDS, the same artifacts also help us track down malware or rogue user activity, which can be key to locating valuable evidence.