Program Execution - what to look for:

- one/two-letter executable names
- executables run from Temp or the $Recycle.Bin folder (or from System)
- common attacker tools: wmic.exe, scrcons.exe, certutil.exe, rar.exe, psexesvc.exe, etc.
- IOCs: known malware, tool and staging directories

Prefetch

Def: the key process in which the operating system loads key pieces of data and code from disk into memory when an application starts.
.pf name: name of the executable + a hex hash computed from the full path of the executable
Disable/enable: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
After an application is executed, a .pf file is created in: C:\Windows\Prefetch
Limit: 128 files on W7, 1024 files on W8 and above
Prefetch in W10 is compressed

.pf file content:
- total number of executions
- original path of execution
- last time of execution (W8+ keeps the last 8 run times)
- creation time of the .pf file = time of first execution; the file is created roughly 10 seconds after the real execution of the application, so treat it as an approximation
- look out for 2 .pf files with the same executable name -> the same name was run from different paths (different hash)
- exception for "hosting" applications like svchost.exe: the hash takes the full path + command-line arguments into account, so several .pf files for one path are normal

Start -> Run Commands (RunMRU): logs an entry for each command the user typed into Start -> Run
Location running system: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Offline system: Registry Explorer, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
MRUList value: order of the entries (value names a, b, c, ...), most recent first
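Added example (not from these notes): parse the fixed header of an uncompressed Windows 7 (version 23) .pf file and apply the triage heuristics from the top of the page. Offsets are the documented v23 layout (executable name at 16, path hash at 76, last run FILETIME at 128, run count at 152); W8 (v26) and W10 (v30) keep eight run times at different offsets and W10 files are additionally MAM-compressed, which is why PECmd needs the W8+ Windows API. The sample .pf bytes are constructed in the code, not a real capture.

```python
# Added example: minimal Windows 7 (v23) prefetch header parser + triage checks.
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"  # Windows 10 compressed prefetch starts with this
# tools listed in the notes; one/two-letter names are checked separately
KNOWN_TOOLS = {"WMIC.EXE", "SCRCONS.EXE", "CERTUTIL.EXE", "RAR.EXE", "PSEXESVC.EXE"}


def filetime_to_datetime(ft):
    """64-bit Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_prefetch_v23(data):
    """Return name, path hash, expected .pf filename, last run time and run count."""
    if data[:4] == MAM_SIGNATURE:
        raise ValueError("W10 prefetch is MAM-compressed; decompress first (PECmd on W8+)")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SCCA_SIGNATURE:
        raise ValueError("not a prefetch file")
    if version != 23:
        raise ValueError(f"unsupported prefetch version {version} (only W7/v23 handled here)")
    raw_name = struct.unpack_from("<60s", data, 16)[0]        # 30 UTF-16LE chars, NUL padded
    name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    last_run = struct.unpack_from("<Q", data, 128)[0]         # FILETIME
    run_count = struct.unpack_from("<I", data, 152)[0]
    return {
        "name": name,
        "hash": f"{path_hash:08X}",
        "expected_filename": f"{name}-{path_hash:08X}.pf",   # mismatch -> renamed/planted file
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }


def suspicious(entry):
    """Triage heuristics from the notes: short executable names and commonly abused tools."""
    stem = entry["name"].rsplit(".", 1)[0]
    reasons = []
    if len(stem) <= 2:
        reasons.append("one/two letter executable name")
    if entry["name"].upper() in KNOWN_TOOLS:
        reasons.append("commonly abused tool")
    return reasons


def build_sample_v23(name, path_hash, last_run_ft, run_count):
    """Constructed v23 header (240 bytes up to the metrics array); not real evidence."""
    buf = bytearray(240)
    struct.pack_into("<I4s", buf, 0, 23, SCCA_SIGNATURE)
    struct.pack_into("<60s", buf, 16, name.encode("utf-16-le"))
    struct.pack_into("<I", buf, 76, path_hash)
    struct.pack_into("<Q", buf, 128, last_run_ft)
    struct.pack_into("<I", buf, 152, run_count)
    return bytes(buf)


# constructed sample: "A.EXE" run 3 times, last run 2019-01-01 00:00:00 UTC
SAMPLE = build_sample_v23("A.EXE", 0x1234ABCD, 131907744000000000, 3)

if __name__ == "__main__":
    entry = parse_prefetch_v23(SAMPLE)
    print(entry["expected_filename"], entry["last_run"], entry["run_count"], suspicious(entry))
```

Compare `expected_filename` with the on-disk .pf name: the hash is derived from the execution path, so two files with the same executable name but different hashes mean the binary was run from two locations.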

PECmd: free tool designed to parse the internal metadata of prefetch files
- relies upon the Windows API (to decompress W10 prefetch), so it will only work on W8+
- -d switch: process an entire directory + create a timeline

ShimCache / AppCompatCache
Def: the Application Compatibility cache is designed to detect and remediate program compatibility challenges when a program launches. Microsoft allows a program to invoke properties of different operating system versions. The different compatibility modes are called "Shims".
AppCompatCache: each executable is checked and added to the registry regardless of whether it needs to be shimmed.
Content per entry:
- filename
- full path
- last modification time of the executable (the file's timestamp, not the time of execution)

Jump Lists
A jump list is a system-provided menu that appears when the user right-clicks a program in the taskbar or on the Start menu. It is used to provide quick access to recently or frequently used documents and offers direct links to app functionality. For example, when you right-click on Chrome.exe, you see tabs/URLs that you recently closed. That information has to be saved somewhere...
Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
- Creation time (first exec): first time an item was added to the AppID file
- Last time of exec: modification time = last time an item was added to the AppID file
- list of jump list IDs can be found at: http://www.forensicswiki.org/wiki/List_of_Jump_List_IDs
Last Visited MRU
Location running system: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Offline system: Registry Explorer, NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

ShimCache / AppCompatCache location:
SYSTEM hive (hives in Windows\System32\config), key SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, value AppCompatCache
Max 512 entries (W7 x86; 1024 on W7 x64 and W8+)
New entries are only written to the registry on shutdown (until then they only exist in kernel memory)
You might see multiple ControlSet00N keys: in an offline system, you first need to determine the current control set by looking at the Current value in the SYSTEM\Select key
AppCompatCacheParser.exe:
- -f switch: path to the SYSTEM hive to parse; if not set, the AppCompatCache of the running system is taken

MRUListEx (LastVisitedMRU): records the order in which the entries were used, as a list of 4-byte little-endian values, most recent first. For example: 07 00 00 00 00 00 00 00 04 00 00 00 0E 00 00 00 -> entry 7 was used most recently, then 0, then 4, and entry 14 is the oldest.
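Added example (not from these notes): decode the two MRU ordering values used by the Explorer keys above. MRUListEx (LastVisitedMRU) is a sequence of 4-byte little-endian entry numbers, most recent first, terminated by 0xFFFFFFFF; MRUList (RunMRU) is a string of value names in the same order. The MRUListEx bytes are the ones quoted in the notes; the LastVisitedMRU entry data and the RunMRU values are constructed samples, and only the executable name is extracted from each LastVisitedMRU entry (the shell item list that follows it is not parsed here).

```python
# Added example: MRUListEx / MRUList decoding over constructed registry values.
import struct

MRU_TERMINATOR = 0xFFFFFFFF


def decode_mrulistex(data):
    """Entry numbers in usage order, most recent first (stops at the 0xFFFFFFFF terminator)."""
    order = []
    usable = data[: len(data) - len(data) % 4]          # ignore a trailing partial DWORD
    for (n,) in struct.iter_unpack("<I", usable):
        if n == MRU_TERMINATOR:
            break
        order.append(n)
    return order


def decode_mrulist(value):
    """RunMRU's MRUList is a string such as 'cab': value names, most recent first."""
    return list(value)


def lastvisited_exe(entry_data):
    """A LastVisitedMRU entry starts with the NUL-terminated UTF-16LE executable name;
    the shell item list describing the last visited folder follows it."""
    units = []
    for i in range(0, len(entry_data) - 1, 2):
        unit = entry_data[i:i + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le")


def ordered_lastvisited(values):
    """values: {value name: raw data} as read from LastVisitedMRU -> [(entry, exe), ...]."""
    return [(n, lastvisited_exe(values[str(n)])) for n in decode_mrulistex(values["MRUListEx"])]


def ordered_runmru(values):
    """values: {value name: string} as read from RunMRU -> commands, most recent first."""
    return [values[letter] for letter in decode_mrulist(values["MRUList"])]


def _entry(exe):
    # constructed: name + terminator + a few bytes standing in for the shell item list
    return exe.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50"


# the MRUListEx bytes from the notes, plus the terminator
MRULISTEX_SAMPLE = bytes.fromhex("07000000000000000400000" "00E000000FFFFFFFF")
LASTVISITED_SAMPLE = {                      # constructed sample key contents
    "MRUListEx": MRULISTEX_SAMPLE,
    "7": _entry("notepad.exe"),
    "0": _entry("mspaint.exe"),
    "4": _entry("winword.exe"),
    "14": _entry("certutil.exe"),
}
RUNMRU_SAMPLE = {"MRUList": "cab", "a": "cmd\\1", "b": "regedit\\1", "c": "powershell\\1"}

if __name__ == "__main__":
    print(ordered_lastvisited(LASTVISITED_SAMPLE))
    print(ordered_runmru(RUNMRU_SAMPLE))
```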

LastVisitedMRU keeps the last 20 executables used to open/save files
Amcache.hve location: %SystemRoot%\AppCompat\Programs\Amcache.hve
ShimCache: every time a file is modified, executed or renamed, it is shimmed again, so a new entry appears
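Added example (not from these notes): parse the Windows 10 format of the AppCompatCache value (the same binary AppCompatCacheParser.exe reads) and resolve the control set to use on an offline hive from SYSTEM\Select\Current. The layout assumed is the documented W10 one: a header whose first DWORD is the header size, then entries of signature "10ts", 4 unknown bytes, entry size, path length, UTF-16LE path, last-modified FILETIME, data size and data. The value bytes are constructed in the code; reading the hive itself (Registry Explorer, python-registry) is not shown.

```python
# Added example: W10 AppCompatCache value parser with the triage checks from the notes.
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"


def control_set_key(select_current):
    """SYSTEM\\Select\\Current = 1 -> 'ControlSet001' (stands in for CurrentControlSet offline)."""
    return f"ControlSet{select_current:03d}"


def filetime_to_datetime(ft):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_appcompatcache_w10(blob):
    """[(path, last_modified_utc, data), ...] for every 10ts entry in the value."""
    header_size = struct.unpack_from("<I", blob, 0)[0]   # 0x30 or 0x34 depending on build
    offset = header_size
    entries = []
    while offset + 12 <= len(blob):
        sig, _unknown, entry_size = struct.unpack_from("<4sII", blob, offset)
        if sig != ENTRY_SIGNATURE:
            break
        pos = offset + 12
        path_len = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        path = blob[pos:pos + path_len].decode("utf-16-le")
        pos += path_len
        last_modified = struct.unpack_from("<Q", blob, pos)[0]  # file mtime, not execution time
        pos += 8
        data_len = struct.unpack_from("<I", blob, pos)[0]
        pos += 4
        data = blob[pos:pos + data_len]
        entries.append((path, filetime_to_datetime(last_modified), data))
        offset += 12 + entry_size                           # entry_size counts from after itself
    return entries


def flag_entries(entries):
    """Paths worth a second look: run from Temp/$Recycle.Bin or one/two-letter names."""
    flagged = []
    for path, _mtime, _data in entries:
        low = path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\temp\\" in low or "\\$recycle.bin\\" in low or len(stem) <= 2:
            flagged.append(path)
    return flagged


def build_entry(path, last_modified_ft, data=b""):
    """Constructed 10ts entry; not real evidence."""
    p = path.encode("utf-16-le")
    body = struct.pack("<H", len(p)) + p + struct.pack("<Q", last_modified_ft)
    body += struct.pack("<I", len(data)) + data
    return ENTRY_SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


# constructed value: 0x34-byte header followed by three entries
SAMPLE_BLOB = struct.pack("<I", 0x34) + bytes(0x30)
SAMPLE_BLOB += build_entry(r"C:\Windows\System32\cmd.exe", 131907744000000000)        # 2019-01-01
SAMPLE_BLOB += build_entry(r"C:\Users\bob\AppData\Local\Temp\rar.exe", 132354432000000000)  # 2020-06-01
SAMPLE_BLOB += build_entry(r"C:\Users\Public\a.exe", 132354432000000000, b"\x01\x00")

if __name__ == "__main__":
    print(control_set_key(1))
    for path, mtime, _ in parse_appcompatcache_w10(SAMPLE_BLOB):
        print(mtime.isoformat(), path)
    print(flag_entries(parse_appcompatcache_w10(SAMPLE_BLOB)))
```

Entries are ordered most recent first in the value, but the timestamp stored with each entry is the file's last modification time, so use the order for sequencing and the timestamp only as a file property.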

appcompatprocessor.py (p.2.64): also parses the ShimCache

Service Events (System event log), Event ID:
- 7034: Service crashed unexpectedly
- 7035: Service sent a Start/Stop control
- 7036: Service started or stopped
- 7040: Start type changed

Amcache.hve
Def: stores metadata of loaded drivers, file execution, application installation, etc.
Because it not only tracks execution, it is recommended that this artifact is used as an indication of execution and driver presence on the system and for all the metadata it tracks: not to prove execution, but to indicate that an executable was present on the system.
When is an entry stored in this hive:
- executed (and shimmed) application
- executables and drivers that were copied as part of an application's execution/installation
- executables present in one of the directories scanned by the Microsoft Compatibility Appraiser scheduled task (Program Files, Program Files (x86) and Desktop)

Content per entry:
- full path
- file size
- publisher metadata
- several timestamps
- SHA1 hash of the executable (FileId)

InventoryApplicationFile key: good starting point.
Additional information can be found in the InventoryApplication key: through the ProgramId value of an InventoryApplicationFile entry, you can find the corresponding InventoryApplication entry for this executable. It contains a lot of publisher info.
InventoryDriverBinary: contains metadata for drivers. Look for the DriverId (hash), non-standard driver folders, modification time, and whether the driver is signed or not.

Location: Windows\AppCompat\Programs\Amcache.hve

AmcacheParser.exe:
- -i switch: include the associated file entries
- Amcache_ProgramEntries output: contains the InventoryApplication key
- UnassociatedFileEntries output: the part of the InventoryApplicationFile key that contains files that are not part of an installation package

appcompatprocessor.py (p.2.64): also parses Amcache
Registry Explorer: to load the .hve directly
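Added example (not from these notes): the FileId that Amcache records for an executable is a SHA1 computed over at most the first 31,457,280 bytes of the file, stored with a "0000" prefix. The helper below reproduces it so an Amcache entry can be matched against a binary recovered from disk or against threat-intel hashes, and shows why the full-file SHA1 of a large binary will not match the Amcache value. The InventoryApplicationFile to InventoryApplication join through ProgramId is shown on constructed sample records shaped like AmcacheParser's output, not on a real hive; the ProgramId and FileId values in the samples are made up.

```python
# Added example: Amcache FileId (truncated SHA1) reproduction and ProgramId join.
import hashlib

AMCACHE_HASH_LIMIT = 31457280  # bytes hashed by the Compatibility Appraiser (30 MiB)


def full_file_sha1(data):
    return hashlib.sha1(data).hexdigest()


def amcache_file_id(data):
    """FileId as stored in Amcache: '0000' + SHA1 of the first 31,457,280 bytes."""
    return "0000" + full_file_sha1(data[:AMCACHE_HASH_LIMIT])


def matches_amcache(file_id, data):
    """Compare file bytes with an Amcache FileId, tolerant of the prefix and of case."""
    return file_id.lower()[-40:] == amcache_file_id(data)[4:]


def large_file_check(data):
    """(truncated hash matches FileId, full-file hash matches FileId); the second is False
    for anything larger than the limit, which is why full-file hashes of big binaries miss."""
    fid = amcache_file_id(data)[4:]
    return fid == full_file_sha1(data[:AMCACHE_HASH_LIMIT]), fid == full_file_sha1(data)


def join_program(file_entry, programs):
    """InventoryApplicationFile.ProgramId -> InventoryApplication record (publisher info).
    Returns None for files without an installer package (AmcacheParser's unassociated entries)."""
    program_id = file_entry.get("ProgramId")
    if not program_id:
        return None
    return programs.get(program_id)


# constructed sample records (value names follow the hive; contents are made up)
SAMPLE_FILES = [
    {"LowerCaseLongPath": r"c:\program files\vendor\app.exe", "Size": 123456,
     "ProgramId": "0006constructed", "FileId": amcache_file_id(b"constructed app.exe bytes")},
    {"LowerCaseLongPath": r"c:\users\public\a.exe", "Size": 4096,
     "ProgramId": "", "FileId": amcache_file_id(b"MZ-constructed-sample")},
]
SAMPLE_PROGRAMS = {
    "0006constructed": {"Name": "Vendor App", "Publisher": "Vendor Ltd", "Version": "1.0"},
}

if __name__ == "__main__":
    for entry in SAMPLE_FILES:
        print(entry["LowerCaseLongPath"], join_program(entry, SAMPLE_PROGRAMS))
    print(matches_amcache(SAMPLE_FILES[1]["FileId"], b"MZ-constructed-sample"))
    print(large_file_check(b"A" * (AMCACHE_HASH_LIMIT + 1)))
```

When an Amcache FileId does not match the hash of the file you recovered, check the file size before concluding it was replaced: above the limit only the truncated hash can match.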
