Analyzing Program Execution Windows Artifacts
The 2020 Digital Intelligence Benchmark Report shows that while Smartphones appear as evidence sources in 97% of investigations, computers are the second most important evidence source, appearing in more than half of all investigations.
Knowing when certain programs or applications were executed on Mac or Windows computers, how often they were used, and which user ran them is information every investigator needs when building timelines to move cases forward.
Cellebrite Inspector processes Windows artifacts in Actionable Intel. Let's walk through some of the features this solution offers.
Where Can I Find the Windows Artifacts?
The “Actionable Intel” tab has been redesigned to provide easier access to all of the artifacts parsed. Windows artifacts related to Program Execution parsed by Cellebrite Inspector are all listed under “Program Execution.”
All of the artifacts displayed in Actionable Intel from previous versions of Cellebrite Inspector (2019 R2 and earlier) are available, as well as the newly-parsed items.
Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM)
BAM controls the activity of background applications. DAM, which moderates desktop processes, was created to ensure consistent, long battery life for devices that support “Connected Standby” (when the screen is off, but the device is still on).
So, while you will find BAM entries on all Windows devices, DAM will only contain data on tablets and mobile devices. BAM and DAM entries are both located in the registry. A registry key for each user (named by SID) provides the following information:
- Path of executable files
- Last execution date and time
Cellebrite Inspector displays BAM and DAM entries in the Actionable Intel tab. Each entry provides insight into the applications run by the user identified in the SID column.
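As an added illustration of what those registry entries look like (this is example code, not part of Cellebrite Inspector or the original post): the parser below takes the raw values of one per-SID BAM or DAM key and turns each executable path and its 8-byte FILETIME into a record. The key paths under Services\bam\State\UserSettings and Services\dam\State\UserSettings, the 24-byte value layout, and the REG_DWORD housekeeping values are based on publicly documented behavior; the SID, paths and timestamps in the sample are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# BAM and DAM keep one key per user SID under
#   HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>
#   HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>
# (older Windows 10 builds omit the "State" level). Each value is named after
# the executable path and holds 24 bytes whose first 8 bytes are a FILETIME of
# the last execution. The key also carries REG_DWORD values such as "Version"
# and "SequenceNumber" that are not executables and must be skipped.

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_user_settings(key_path, values):
    """Return last-execution records for one UserSettings\\<SID> key.

    key_path: full registry key path; the SID is its last component.
    values:   mapping of value name -> raw value data bytes, as a registry
              parser would hand them over.
    """
    sid = key_path.rstrip("\\").split("\\")[-1]
    records = []
    for name, data in values.items():
        # REG_DWORD housekeeping values are 4 bytes; executable entries are 24.
        if len(data) < 8:
            continue
        (ft,) = struct.unpack_from("<Q", data, 0)
        records.append({"sid": sid, "path": name,
                        "last_run": filetime_to_datetime(ft)})
    return sorted(records, key=lambda r: r["last_run"])


# Constructed sample: one user's BAM key with two executables and the two
# DWORD housekeeping values. 132366960000000000 is 2020-06-15 12:00:00 UTC.
SAMPLE_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
              r"\S-1-5-21-1111111111-2222222222-3333333333-1001")
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 12),
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
        struct.pack("<Q", 132366960000000000) + b"\x00" * 16,
    r"\Device\HarddiskVolume3\Users\jkreese\Downloads\tool.exe":
        struct.pack("<Q", 132366960000000000 + 3600 * 10_000_000) + b"\x00" * 16,
}

if __name__ == "__main__":
    for rec in parse_user_settings(SAMPLE_KEY, SAMPLE_VALUES):
        print(rec["last_run"].isoformat(), rec["sid"], rec["path"])
```

Because the value name is the full device path, an entry under a Users\...\Downloads or removable-volume path stands out immediately, and the per-SID key answers "which user" without any further correlation.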
System Resource Usage Monitor (SRUM)
SRUM monitors desktop applications, services, Windows apps, and network connections. Current SRUM data is stored in the registry, with historic information contained in a database. The information tracked includes:
- Network connectivity: Interface type and ID, network profile ID, start connection time, and length of connection time.
- Network data usage: Application (associated with user SID) consuming data, bytes uploaded, bytes downloaded, interface type and ID, and network profile ID.
- Application resource usage: SID of the user who launched the program and other information pertaining to running processes.
- Windows push notifications.
- Energy use.
Some of this information may be of use forensically, specifically for data theft investigations or when looking for malicious applications responsible for data exfiltration. Data stored can also shed light on peer-to-peer application usage. Forensically, SRUM data can be used to determine:
- Which user launched a process.
- Data upload and download information by network and process.
- Information about deleted and uninstalled programs.
- Estimated application run times.
Data is tracked in SRUM for all applications (not just those installed on the computer), including those run from external USB drives.
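To show how the per-process upload and download figures support a data-theft triage, here is an added example (not Cellebrite's code and not from the original post). It assumes the rows of SRUM's network data usage table have already been exported from SRUDB.dat with the application and user ids resolved to names, and that the TimeStamp column is an OLE Automation date (days since 1899-12-30), which is how the ESE database stores it. The SIDs, paths and byte counts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# SRUM's history lives in %SystemRoot%\System32\sru\SRUDB.dat. Its network
# data usage table holds, per application and user, BytesSent and BytesRecvd
# on each interface, stamped with an OLE Automation date.
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)


def ole_to_datetime(days):
    """Convert an OLE Automation date (fractional days since 1899-12-30) to UTC."""
    return OLE_EPOCH + timedelta(days=days)


def summarize_network_usage(rows, upload_ratio=10.0):
    """Aggregate bytes per (user SID, application) and rank by bytes sent.

    rows: dicts with keys sid, app, interface, bytes_sent, bytes_recvd, ts
          (ts is an OLE date). An entry whose uploads exceed its downloads
          by `upload_ratio` is flagged upload_heavy for follow-up.
    """
    agg = {}
    for r in rows:
        key = (r["sid"], r["app"])
        when = ole_to_datetime(r["ts"])
        entry = agg.setdefault(key, {
            "sid": r["sid"], "app": r["app"], "bytes_sent": 0, "bytes_recvd": 0,
            "interfaces": set(), "first_seen": when, "last_seen": when})
        entry["bytes_sent"] += r["bytes_sent"]
        entry["bytes_recvd"] += r["bytes_recvd"]
        entry["interfaces"].add(r["interface"])
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
    for entry in agg.values():
        # Avoid division by zero for processes that only ever sent data.
        entry["upload_heavy"] = entry["bytes_sent"] > upload_ratio * max(entry["bytes_recvd"], 1)
    return sorted(agg.values(), key=lambda e: e["bytes_sent"], reverse=True)


# Constructed sample rows. 43997.5 is 2020-06-15 12:00 UTC.
USER1 = "S-1-5-21-1111111111-2222222222-3333333333-1001"
USER2 = "S-1-5-18"
SAMPLE_ROWS = [
    {"sid": USER1, "app": r"\Device\HarddiskVolume3\Users\jkreese\AppData\Local\cloudsync.exe",
     "interface": 1, "bytes_sent": 250_000_000, "bytes_recvd": 1_000_000, "ts": 43997.5},
    {"sid": USER1, "app": r"\Device\HarddiskVolume3\Users\jkreese\AppData\Local\cloudsync.exe",
     "interface": 2, "bytes_sent": 300_000_000, "bytes_recvd": 2_000_000, "ts": 43997.75},
    {"sid": USER1, "app": r"\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe",
     "interface": 1, "bytes_sent": 5_000_000, "bytes_recvd": 900_000_000, "ts": 43997.6},
    {"sid": USER2, "app": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe",
     "interface": 1, "bytes_sent": 1_000_000, "bytes_recvd": 50_000_000, "ts": 43998.1},
]

if __name__ == "__main__":
    for e in summarize_network_usage(SAMPLE_ROWS):
        flag = "UPLOAD-HEAVY" if e["upload_heavy"] else ""
        print(f'{e["bytes_sent"]:>12} {e["bytes_recvd"]:>12} {e["sid"]} {e["app"]} {flag}')
```

The ranking surfaces the process that pushed the most data out, and the first/last timestamps bound the window to correlate with the BAM, UserAssist and Prefetch execution times discussed elsewhere on this page.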
UserAssist
UserAssist allows investigators to see which programs were recently run on the Windows system. Forensically, UserAssist can help determine:
- Frequency of program execution for each user account.
- The last time a program was launched.
- Where the program was launched from (e.g., a Desktop shortcut file, the Windows Start Menu).
- Information about programs that have been deleted or uninstalled from the system.
- Evidence that data existed in a location that is no longer available.
UserAssist data is parsed from the NTUSER.dat registry file and therefore attributes program execution to a specific user. In the example below you can see the user USSF-JKreese launched the Windows command prompt (cmd.exe) 16 times.
This example shows the launch of the same application from two different locations: once from Program Files and another from the Start Menu. You can also see an executable launched from a removable device.
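For readers who want to see how the run count, last-run time and launch location are recovered from NTUSER.dat, here is an added example (not Cellebrite Inspector's parser and not from the original post). It decodes the ROT13 value names and the 72-byte value layout used by Windows 7 and later; the UserAssist GUIDs and the known-folder GUIDs in the table are the documented Windows values, while the user, paths, counts and timestamps in the sample are constructed. The sample mirrors the post's scenario: cmd.exe run 16 times, the same program launched from Program Files and from the Start Menu, and an executable on a removable drive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Per user, NTUSER.DAT holds
#   Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# Value names are ROT13-encoded; executables sit under one GUID and shortcut
# (.lnk) launches under another. On Windows 7+ each value is 72 bytes:
# run count at offset 4, focus count at 8, focus time in ms at 12, and the
# last-execution FILETIME at offset 60.
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# Subset of Windows known-folder GUIDs that appear in UserAssist paths.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def resolve_known_folder(path):
    """Replace a leading known-folder GUID with its usual on-disk location."""
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return folder + path[len(guid):]
    return path


def parse_userassist_value(name, data, kind):
    """Decode one Count value. Returns None for values too short to be Win7+ format."""
    if len(data) < 68:
        return None
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "kind": kind,
        "path": resolve_known_folder(codecs.decode(name, "rot_13")),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means no last-run time was recorded.
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def parse_userassist(count_keys):
    """count_keys: {guid: {rot13_name: raw_bytes}} as read from the hive."""
    kinds = {GUID_EXECUTABLES: "executable", GUID_SHORTCUTS: "shortcut"}
    out = []
    for guid, values in count_keys.items():
        for name, data in values.items():
            rec = parse_userassist_value(name, data, kinds.get(guid, guid))
            if rec:
                out.append(rec)
    return out


def _value(run_count, ft, focus_count=0, focus_ms=0):
    """Build a constructed 72-byte Win7+ UserAssist value for the sample."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


FT_NOON = 132366960000000000  # 2020-06-15 12:00:00 UTC, constructed
SAMPLE_HIVE = {
    GUID_EXECUTABLES: {
        codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot_13"): _value(16, FT_NOON, 16, 90_000),
        codecs.encode(r"{6D809377-6AF0-444B-8957-A3773F02200E}\Vendor\App\app.exe", "rot_13"): _value(3, FT_NOON - 7_200 * 10_000_000),
        codecs.encode(r"E:\tools\portable.exe", "rot_13"): _value(1, FT_NOON + 600 * 10_000_000),
    },
    GUID_SHORTCUTS: {
        codecs.encode(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\App.lnk", "rot_13"): _value(2, FT_NOON - 3_600 * 10_000_000),
    },
}

if __name__ == "__main__":
    for r in sorted(parse_userassist(SAMPLE_HIVE), key=lambda r: r["last_run"]):
        print(r["last_run"], r["kind"], r["run_count"], r["path"])
```

The shortcut entry and the Program Files entry together tell the same story the post describes: which copy of a program was used and by which route, while the E:\ path is the kind of removable-media launch that survives in NTUSER.dat after the drive is gone.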
Cellebrite Inspector also processes the following program execution information, displayed in Actionable Intel:
- Jump lists: Records and presents recent documents and executables along with their initiating application to users.
- Last executed: Specific executable used by an application to open the files listed in the OpenSaveMRU registry key.
- Multilingual User Interface (MUI Cache): Tracks executables on the system.
- Notifications: A history of notifications sent to users.
- Prefetch: Speeds up application loading; contains information about applications run frequently on the system. (Sometimes turned off on systems with SSDs.)
- RecentApps: Tracks applications, maintains a run count, and stores the last time the application was run. (May not be seen on Windows 10 systems.)
- ShimCache: A mechanism in Windows to support older apps on new versions of Windows. Provides information about executables.
- SuperFetch: Speeds up application loading based on “performance scenarios”; contains information about applications on the system associated with a timeframe. (Sometimes turned off on systems with SSDs.)
- Activity timeline (Activity Cache): Tracks user activities, e.g. website accesses, program executions, files accessed by programs, when particular apps were in focus.
- AmCache: Stores metadata about ShimCache executables that have been run, programs installed, and devices connected.
- ComDlg32: Tracks when the user used the Open/Save dialog box to open or save a file.
Cellebrite Digital Collector
For those investigations requiring access to Mac computers, examiners will find Cellebrite Digital Collector invaluable as it is designed to create physical decrypted images of Apple’s latest Mac computers utilizing the Apple T2 chip.
Cellebrite Digital Collector allows examiners to decrypt the filesystem at collection time, allowing them to capture entire blocks of information and not just logical files. In cases where multiple machines and devices are involved, Cellebrite Digital Collector provides the option to browse and search through data and preview file contents before any data is collected or devices are imaged, making it easier to prioritize data collection.
Cellebrite Digital Collector has been in use for more than a decade, aiding examiners to safely boot and acquire data from hundreds of different Macintosh computer models in their native environment – even those containing Fusion Drives.
Cellebrite Digital Collector allows investigators to:
- Carry out on-scene content triage.
- Perform targeted data collection with selective extraction.
- Collect data from live systems.
- Easily create forensic images.
- Review device history from APFS Snapshots and Time Machine backups.
- Display and search unified log, Spotlight, and KnowledgeC data.
- Review downloads, Wi-Fi connections, recent documents, and user activity.
A Powerful Combo
Being able to access data from Macs and Windows-based computers easily can expedite investigations and quickly surface actionable intelligence that can move cases forward faster. Cellebrite Inspector and Cellebrite Digital Collector are two solutions every agency should have in their toolbox to streamline the investigation process whenever computers are involved.