
CH5: Windows Registry Forensics – Part 2

Chapter Overview

In Chapter 4, we established the foundation of the Windows Registry, covering its architecture, hive files, and basic user activity artifacts. In this chapter, we advance to "Level 2" registry analysis. We will move beyond simple file opening and dive into complex program execution tracking (BAM/DAM, AmCache, and ShimCache), network history analysis, and system configuration artifacts that reveal how a system was maintained—or manipulated.

This chapter focuses on the artifacts that answer the difficult questions: "Did the suspect execute this specific malware program?", "Was this application installed and then uninstalled to hide evidence?", and "Which Wi-Fi networks did this laptop physically visit?"

Learning Objectives

By the end of this chapter, you will be able to:

  • Differentiate between various program execution artifacts (UserAssist, MUICache, BAM/DAM) and explain the specific forensic value of each.
  • Analyze the AmCache.hve hive and ShimCache to recover metadata of executed programs, enabling malware identification even after files are deleted.
  • Reconstruct a device's physical movement and connectivity history by analyzing Wireless Network and Network List registry keys.
  • Investigate the "Common Dialog" (ComDlg32) and "Typed Paths" keys to determine user intent and manual file navigation.
  • Identify evidence of archiving tools (WinRAR, 7-Zip) used to stage data for exfiltration, to prove knowledge and handling of sensitive files.
  • Identify evidence of installed, uninstalled, and "portable" applications to build a comprehensive software inventory of the target system.

5.1 Program Execution Forensics: The "Did They Run It?" Question

One of the most frequent tasks in digital forensics is proving that a specific application was executed. While we discussed UserAssist in Chapter 4, modern Windows systems (Windows 10/11) provide even more granular tracking mechanisms that are harder for a suspect to wipe.

BAM and DAM

The Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are components introduced in Windows 10 (v1709) to throttle background activity and save power. To do their job, they record which executables have run in each user's session and when each one last ran. They do not record how long a program ran or how it was launched.

Why is this critical? Unlike UserAssist (which records programs launched through the Explorer GUI), BAM records a process no matter how it was started, for example from a command prompt, a script, or a scheduled task running in the user's session.

Key Location:

  • Hive: SYSTEM
  • BAM Path: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} (Windows 10 v1809 and later; on v1709 and v1803 there is no State subkey and the path is ...\Services\bam\UserSettings\{SID})
  • DAM Path: HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID} (same version caveat; DAM targets connected-standby devices and is frequently empty on desktops and laptops)
  • Offline hive note: an exported SYSTEM hive has no CurrentControlSet link. Read the Current value under SYSTEM\Select to learn which ControlSet00N was live, and look under that.

Artifacts Found: Inside the user's SID subkey, each value is one program.

  • Value Name: The path of the executable in NT device-path form rather than drive-letter form (e.g., \Device\HarddiskVolume3\Users\BadGuy\Desktop\malware.exe). BAM does not store the volume-to-letter mapping; HarddiskVolume3 is not necessarily C:, so establish the mapping from the disk layout. Two values in the same key, Version and SequenceNumber, are bookkeeping and not program paths.
  • Value Data: 24 bytes of binary data. The first 8 bytes are a Windows 64-bit FILETIME (UTC) recording the last time the program ran under that account; the remaining 16 bytes are not needed for analysis.

Forensic Note: BAM entries are often retained after the executable itself has been deleted from the file system, which makes BAM useful for proving that a binary once existed and ran. BAM is a rolling record rather than a permanent log, though, and old entries are pruned over time, so the absence of a program from BAM is not evidence that it never ran.
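The following Python is an added example for this chapter, not code from the original text or from any Microsoft or third-party tool. It decodes the values of one BAM SID subkey offline: it skips the bookkeeping values, takes the FILETIME from the first 8 bytes, and rewrites the device path using a caller-supplied volume mapping. The value map and the HarddiskVolume3-to-C: mapping are constructed for the example; on a real case the mapping must come from the disk layout, because BAM does not record it.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values present in every BAM SID subkey that are bookkeeping, not program paths.
BAM_NON_PATH_VALUES = {"Version", "SequenceNumber"}

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME integer to a timezone-aware UTC datetime."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def device_path_to_drive(device_path: str, volume_map: dict) -> str:
    """Rewrite a \\Device\\HarddiskVolumeN\\ prefix using a caller-supplied mapping.
    BAM does not store the mapping; the analyst must establish it from other evidence."""
    for device_prefix, drive in volume_map.items():
        if device_path.lower().startswith(device_prefix.lower()):
            return drive + device_path[len(device_prefix):]
    return device_path  # leave unmapped paths (and Store app package names) untouched


def parse_bam_value(value_name: str, value_data: bytes, volume_map: dict) -> Optional[dict]:
    """Decode one value under ...\\bam\\State\\UserSettings\\{SID}.
    Returns None for the bookkeeping values so callers can iterate a whole key."""
    if value_name in BAM_NON_PATH_VALUES:
        return None
    if len(value_data) < 8:
        raise ValueError(f"BAM data for {value_name!r} is too short to hold a FILETIME")
    (filetime,) = struct.unpack_from("<Q", value_data, 0)  # only the first 8 bytes matter
    return {
        "device_path": value_name,
        "path": device_path_to_drive(value_name, volume_map),
        "last_run_utc": filetime_to_datetime(filetime),
    }


def parse_bam_key(values: dict, volume_map: dict) -> list:
    """Decode every value of one SID subkey and return them newest execution first."""
    entries = [parse_bam_value(name, data, volume_map) for name, data in values.items()]
    entries = [e for e in entries if e is not None]
    return sorted(entries, key=lambda e: e["last_run_utc"], reverse=True)


# Constructed sample data (not from a real system). The FILETIME below is
# 2024-03-15 10:30:00 UTC; the trailing 16 zero bytes mirror the 24-byte value size.
SAMPLE_FILETIME = 133_549_722_000_000_000
SAMPLE_VALUES = {
    "Version": (2).to_bytes(4, "little"),
    "SequenceNumber": (17).to_bytes(4, "little"),
    r"\Device\HarddiskVolume3\Users\BadGuy\Desktop\malware.exe":
        struct.pack("<Q", SAMPLE_FILETIME) + b"\x00" * 16,
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
        struct.pack("<Q", SAMPLE_FILETIME - 36_000_000_000) + b"\x00" * 16,  # one hour earlier
}
# Assumed mapping for this example only; derive it from the evidence on a real case.
SAMPLE_VOLUME_MAP = {"\\Device\\HarddiskVolume3\\": "C:\\"}

if __name__ == "__main__":
    for entry in parse_bam_key(SAMPLE_VALUES, SAMPLE_VOLUME_MAP):
        print(entry["last_run_utc"].isoformat(), entry["path"])
```

Feed the function the value map of each SID subkey (as exported by your hive parser) and the mapping you established for that image; the sort puts the most recent execution first, which is usually the question being asked.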

MUICache

The Multilingual User Interface (MUI) Cache was designed to store the localized (friendly) application names so Windows doesn't have to extract them from the binary every time.

Key Location:

  • Hive: USRCLASS.DAT
  • Path: Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Forensic Value:

  • Program Existence: A program appears here because the Windows shell displayed its friendly name at some point, which normally means the user launched it through Explorer, the Start menu or a shell dialog. It is evidence the binary was present and handled by the shell; pair it with BAM or UserAssist for a timestamp, since MUICache stores none.
  • Application Naming: Values are named <full path>.FriendlyAppName and <full path>.ApplicationCompany, and their data is read from the executable's version resource (FileDescription and CompanyName). That links a filename (e.g., nc.exe) to the product name embedded in the binary and can reveal renamed tools. If a suspect renames Wiper.exe to Notepad.exe, the FriendlyAppName entry can still read "Disk Wiper v2.0", exposing the deception, because the version resource lives inside the file and does not change with the filename.

5.2 Application Compatibility Artifacts: AmCache and ShimCache

Windows has a robust subsystem designed to ensure older programs run on newer versions of Windows. This system, known as the "Shim" infrastructure, inadvertently creates some of the most powerful forensic artifacts available.

The AmCache

The AmCache is not just a key; it is a standalone hive file with its own transaction logs (Amcache.hve.LOG1 and Amcache.hve.LOG2). It replaced the older RecentFileCache.bcf in Windows 8. It is one of the most valuable artifacts for identifying which executables have been present on a system, because it is the only registry artifact that records a file hash.

File Location: C:\Windows\AppCompat\Programs\Amcache.hve

What it Stores: The AmCache stores metadata about executables, drivers and installed applications that the compatibility infrastructure has inventoried. On Windows 10/11 the executable entries live under Root\InventoryApplicationFile (older builds use Root\File). An entry shows that the file existed on the system and was examined; on its own it is not proof that the file was run, because the Microsoft Compatibility Appraiser scheduled task also inventories binaries it finds on disk. Pair AmCache with BAM, UserAssist or Prefetch when the question is execution.

Critical Data Points:

  1. SHA-1 Hash: The FileId value holds "0000" followed by the SHA-1 of the file. The hash is computed over at most the first 31,457,280 bytes (30 MiB) of the file, so for a larger binary it will not match the full-file SHA-1 that an online hash database reports.
    • Real-World Application: If you find an entry for a file that has since been deleted, search the hash in VirusTotal or a similar database. This can identify malware that is no longer on the disk, without needing the sample itself.
  2. Timestamps: The key's last-write time shows roughly when the entry was created or refreshed, and the LinkDate value holds the PE compile time from the file header. Neither is an execution time, but together they help bound the window of compromise.
  3. File Path, Size and Version Strings: Confirm the location and give the product, publisher and version information from the version resource.

Analysis Tools: AmCache.hve can be attached in RegEdit via File > Load Hive, but the layout is not built for browsing. Use Eric Zimmerman's AmcacheParser (command line, exports CSV) or load the hive in his Registry Explorer, and keep the .LOG1/.LOG2 files beside the hive so the transaction logs can be replayed.
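Because the FileId hash covers only the leading 30 MiB, a recovered binary can "fail" to match its own AmCache entry if you hash the whole file. The Python below is an added example (not from the chapter or from AmcacheParser) that computes the hash the way AmCache does, normalizes a FileId value for comparison, and returns both hashes so you know which one to search externally. The two sample files are constructed in memory.

```python
import hashlib

# AmCache hashes only the leading 31,457,280 bytes (30 MiB) of a file.
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_style_sha1(data: bytes) -> str:
    """SHA-1 the way AmCache computes it: over at most the first 30 MiB."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def normalize_fileid(fileid: str) -> str:
    """An AmCache FileId value is '0000' followed by 40 hex characters.
    Return the bare lowercase SHA-1 so it can be compared or searched."""
    value = fileid.strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    if len(value) != 40 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not an AmCache FileId: {fileid!r}")
    return value


def fileid_matches_file(fileid: str, data: bytes) -> bool:
    """Does a recovered file's content match the hash AmCache recorded for it?"""
    return normalize_fileid(fileid) == amcache_style_sha1(data)


def hashes_for_lookup(data: bytes) -> dict:
    """Both hashes an analyst needs before searching an external hash database.
    When 'truncated' is True, only 'amcache_sha1' will match the registry value,
    and only 'full_sha1' will match a database that hashed the whole file."""
    return {
        "full_sha1": hashlib.sha1(data).hexdigest(),
        "amcache_sha1": amcache_style_sha1(data),
        "truncated": len(data) > AMCACHE_HASH_LIMIT,
    }


# Constructed samples (not real binaries): a small file and one just over the limit.
SMALL_FILE = b"MZ" + b"\x90" * 4096
LARGE_FILE = b"MZ" + b"\x90" * AMCACHE_HASH_LIMIT + b"overlay data past 30 MiB"

if __name__ == "__main__":
    for name, blob in (("small", SMALL_FILE), ("large", LARGE_FILE)):
        h = hashes_for_lookup(blob)
        print(name, "truncated:", h["truncated"], "hashes equal:", h["full_sha1"] == h["amcache_sha1"])
```

When an AmCache entry and a carved file disagree, run hashes_for_lookup on the carved file before concluding the entry refers to a different binary; for anything over 30 MiB the mismatch is expected.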

The "Missing Twin": ShimCache (AppCompatCache)

You cannot talk about AmCache without mentioning its partner, the ShimCache (also known as AppCompatCache). While AmCache is a standalone file, ShimCache is a value located inside the SYSTEM hive.

Key Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache, value AppCompatCache (REG_BINARY). On Windows XP the key is named AppCompatibility instead.

Forensic Value: Like AmCache, this artifact exists to support application compatibility. It is simpler than AmCache (no hashes, no version strings) and has properties an analyst must understand before relying on it.

  • What the Timestamp Means: Each entry holds the file path and the file's last-modified time (from its NTFS $STANDARD_INFORMATION attribute). It is not the time the file was executed. A ShimCache timestamp well before the suspected execution is normal; a timestamp later than the seizure is a sign the clock or the file was tampered with.
  • Execution Indicator: Windows 7 and 8 entries carry an "insert flag" that indicates the file was actually executed. Windows 10/11 removed it, so on modern systems the presence of a file in ShimCache shows only that Windows evaluated it for compatibility, which usually happens at launch but can also happen when Explorer renders the file (for example, browsing a folder of executables) or when some scanners touch it.
  • Order of Entries: The cache is a most-recently-inserted-first list, capped at 1,024 entries on Windows 7 and later (512 on XP). Position in the list gives the relative order in which entries were inserted, not a timestamp, and the oldest entries fall off the end.
  • The "Reboot" Caveat: Unlike AmCache, ShimCache is maintained in kernel memory and is only written to the SYSTEM hive on disk at shutdown or reboot. If you pull the plug on a running system, the entries added during the current session never reach the hive. Capturing RAM from the live system is one way to recover them; a clean shutdown writes them to disk at the cost of modifying other artifacts. This is one case where a "dead box" image alone is not enough.
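To make the two caveats concrete (the timestamp is a file modification time, and position is only a relative order), here is an added example, not code from the chapter or from any parser project: a minimal parser for the Windows 10/11 AppCompatCache layout. It assumes the documented structure of a header whose first DWORD is the header size (0x30 or 0x34), followed by entries that each begin with the ASCII signature "10ts", 4 unknown bytes, an entry size, a 2-byte path length, the UTF-16LE path, the file's FILETIME, and a length-prefixed data blob. The Windows 7/8 layouts differ and are not handled. The builder at the bottom exists only to construct the sample blob; the paths and times in it are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_SIGNATURE = b"10ts"      # marks each Windows 10/11 cache entry
HEADER_SIZES = (0x30, 0x34)    # 0x30 on 1507/1511, 0x34 from 1607 onward


def filetime_to_datetime(filetime: int) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic: FILETIME values exceed float precision.
    delta = dt - _EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache_win10(blob: bytes) -> list:
    """Walk the AppCompatCache value. Entries are most-recently-inserted first.
    The FILETIME in each entry is the file's last-modified time, not an execution time."""
    (header_size,) = struct.unpack_from("<I", blob, 0)
    if header_size not in HEADER_SIZES:
        raise ValueError(f"unexpected header size 0x{header_size:x}; not a Windows 10/11 cache")
    offset = header_size
    entries = []
    while offset + 14 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIGNATURE:
        (entry_size,) = struct.unpack_from("<I", blob, offset + 8)   # bytes after this field
        (path_len,) = struct.unpack_from("<H", blob, offset + 12)
        cursor = offset + 14
        path = blob[cursor:cursor + path_len].decode("utf-16-le")
        cursor += path_len
        (mtime,) = struct.unpack_from("<Q", blob, cursor)
        cursor += 8
        (data_len,) = struct.unpack_from("<I", blob, cursor)
        entries.append({
            "position": len(entries),                 # 0 = most recently inserted
            "path": path,
            "file_modified_utc": filetime_to_datetime(mtime),
            "data_size": data_len,
        })
        offset += 12 + entry_size                     # signature + unknown + size field + body
    return entries


# Builder used only to construct sample data for this example (not forensic data).
def build_entry(path: str, modified: datetime) -> bytes:
    encoded = path.encode("utf-16-le")
    body = (struct.pack("<H", len(encoded)) + encoded
            + struct.pack("<Q", datetime_to_filetime(modified))
            + struct.pack("<I", 0))                   # zero-length trailing data
    return ENTRY_SIGNATURE + b"\x00" * 4 + struct.pack("<I", len(body)) + body


def build_cache(entries) -> bytes:
    header = struct.pack("<I", 0x34) + b"\x00" * (0x34 - 4)
    return header + b"".join(build_entry(p, t) for p, t in entries)


SAMPLE_CACHE = build_cache([
    (r"C:\Users\BadGuy\Desktop\malware.exe", datetime(2024, 3, 15, 10, 29, 58, tzinfo=timezone.utc)),
    (r"C:\Windows\System32\cmd.exe", datetime(2023, 10, 3, 4, 11, 7, tzinfo=timezone.utc)),
    (r"C:\Program Files\7-Zip\7zFM.exe", datetime(2023, 5, 20, 12, 0, 0, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    for e in parse_appcompatcache_win10(SAMPLE_CACHE):
        print(e["position"], e["file_modified_utc"].isoformat(), e["path"])
```

Note that cmd.exe shows a 2023 timestamp even though it sits above a file that was clearly used later in the list; that is the file's modification time from its last servicing, and it says nothing about when it was launched.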

5.3 File and Folder Navigation: User Intent

We know from Chapter 4 that ShellBags track folder views. Now we look at how users interact with specific files via the Windows interface.

ComDlg32 (Common Dialogs)

The "Common Dialog" is the standard "Open" or "Save As" window you see in almost every Windows application. Windows tracks the user's interaction with this window to helpfully suggest previous paths.

Key Location:

  • Hive: NTUSER.DAT
  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32

Subkeys of Interest:

  • OpenSavePidlMRU: Tracks files opened or saved through the dialog. It is organized into subkeys by extension (e.g., psd, docx, and a catch-all *), and each subkey holds numbered binary values containing a PIDL (shell item list) for the file, plus an MRUListEx value giving the order of use. The numbered value names are slot numbers, not the order; read MRUListEx for recency.
  • LastVisitedPidlMRU: Tracks which executable used the dialog and the folder the dialog last pointed at. Each entry pairs an executable name (e.g., Photoshop.exe) with a folder PIDL, not with a file.
    • Example: LastVisitedPidlMRU can show that Photoshop.exe last used the dialog in D:\Work, while OpenSavePidlMRU\psd shows Forged_Document.psd being saved. Correlating the two is how you argue which application was used to manipulate the evidence; neither key alone names both the program and the file.

Typed Paths

This simple key records what the user manually typed into the Windows Explorer address bar.

Key Location:

  • Hive: NTUSER.DAT
  • Path: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

Forensic Significance: Most users navigate by clicking. If a user types a path (e.g., \\192.168.1.50\HiddenShare or C:\Windows\System32), it indicates specific intent and advanced knowledge. It is rarely accidental.


5.4 Network Forensics via Registry

The registry is an excellent source for geolocation data and network history.

Wireless Networks (WLAN)

When a computer connects to a network, the NetworkList keys record the network's name (the SSID for Wi-Fi), the type of connection, the dates it was first and last connected, and a network signature that includes the MAC address of the default gateway. For a home or small-office Wi-Fi network the gateway is usually the same box as the access point, but the stored MAC is the gateway's LAN interface, not the BSSID of the radio; the two are often close but not identical. The per-interface Wi-Fi profiles themselves (including any saved key, in XML) are kept by WlanSvc under HKLM\SOFTWARE\Microsoft\WlanSvc\Interfaces and C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces.

Key Location:

  • Hive: SOFTWARE
  • Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} (one subkey per network, with ProfileName, NameType, DateCreated, DateLastConnected and Managed values; NameType 0x47 is wireless, 0x06 wired, 0x17 mobile broadband)
  • Related: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged\{hash} (ProfileGuid, FirstNetwork, DefaultGatewayMac, DnsSuffix), which links each profile to the gateway it was seen behind

Forensic Value:

  • Geolocation: SSIDs like "Starbucks_MainSt" or "SFO_Airport_Free_WiFi" place the device at a physical location. Treat a generic name such as "linksys" or "xfinitywifi" as weak evidence on its own.
  • Date First/Last Connected: DateCreated and DateLastConnected are 16-byte binary SYSTEMTIME structures (year, month, day-of-week, day, hour, minute, second, milliseconds as little-endian WORDs), written in the machine's local time rather than UTC. Convert them with the system's time zone before lining them up with UTC artifacts such as BAM.
  • Gateway MAC: The DefaultGatewayMac value under Signatures\Unmanaged can be searched in open-source wardriving databases such as Wigle.net, which can return the coordinates where that access point was observed. Those databases index the BSSID rather than the gateway MAC, so a hit is not guaranteed; try the recorded address and addresses that differ only in the last byte, and confirm the SSID matches before treating the coordinates as reliable.
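The following Python is an added example (not from the chapter) that decodes the NetworkList timestamps and joins each profile to its signature so every network carries its gateway MAC. All profile and signature values are constructed for the example; the GUIDs, signature hash and MAC are placeholders, and the local-time caveat still applies to the decoded datetimes.

```python
import struct
from datetime import datetime

# NameType values seen under NetworkList\Profiles.
NAME_TYPES = {0x06: "wired", 0x17: "broadband", 0x47: "wireless"}


def parse_systemtime(data: bytes) -> datetime:
    """DateCreated / DateLastConnected are 16-byte SYSTEMTIME structures:
    eight little-endian WORDs (year, month, day-of-week, day, hour, minute,
    second, milliseconds). NetworkList writes them in the machine's local time,
    so the returned datetime is naive and must be shifted by the system time zone."""
    if len(data) != 16:
        raise ValueError("SYSTEMTIME must be 16 bytes")
    year, month, _dow, day, hour, minute, second, millis = struct.unpack("<8H", data)
    return datetime(year, month, day, hour, minute, second, millis * 1000)


def format_mac(data: bytes) -> str:
    if len(data) != 6:
        raise ValueError("MAC must be 6 bytes")
    return ":".join(f"{b:02x}" for b in data)


def summarize_networks(profiles: dict, signatures: dict) -> list:
    """profiles: {profile GUID: {value name: data}} from NetworkList\\Profiles.
    signatures: {signature hash: {value name: data}} from NetworkList\\Signatures\\Unmanaged.
    Joins the two on ProfileGuid and returns rows, most recently connected first."""
    gateway_by_guid = {}
    for sig in signatures.values():
        gateway_by_guid[sig["ProfileGuid"]] = format_mac(sig["DefaultGatewayMac"])
    rows = []
    for guid, p in profiles.items():
        rows.append({
            "ssid": p["ProfileName"],
            "type": NAME_TYPES.get(p["NameType"], f"unknown (0x{p['NameType']:x})"),
            "first_connected_local": parse_systemtime(p["DateCreated"]),
            "last_connected_local": parse_systemtime(p["DateLastConnected"]),
            "gateway_mac": gateway_by_guid.get(guid),  # None when no signature matches
        })
    return sorted(rows, key=lambda r: r["last_connected_local"], reverse=True)


# Constructed sample data (not from a real system). 2024-03-15 was a Friday (dow = 5).
SAMPLE_PROFILES = {
    "{11111111-2222-3333-4444-555555555555}": {
        "ProfileName": "Starbucks_MainSt",
        "NameType": 0x47,
        "DateCreated": struct.pack("<8H", 2024, 3, 5, 15, 10, 30, 0, 0),
        "DateLastConnected": struct.pack("<8H", 2024, 3, 5, 15, 11, 45, 12, 0),
    },
    "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": {
        "ProfileName": "Network",
        "NameType": 0x06,
        "DateCreated": struct.pack("<8H", 2023, 9, 5, 1, 8, 0, 0, 0),
        "DateLastConnected": struct.pack("<8H", 2024, 3, 4, 14, 17, 5, 0, 0),
    },
}
SAMPLE_SIGNATURES = {
    "010103000F0000F0080000000F0000F0DEADBEEF": {   # placeholder signature hash
        "ProfileGuid": "{11111111-2222-3333-4444-555555555555}",
        "FirstNetwork": "Starbucks_MainSt",
        "DefaultGatewayMac": bytes.fromhex("00 11 22 33 44 55"),
    },
}

if __name__ == "__main__":
    for row in summarize_networks(SAMPLE_PROFILES, SAMPLE_SIGNATURES):
        print(row["last_connected_local"].isoformat(), row["type"], row["ssid"], row["gateway_mac"])
```

The join is the useful part: the profile tells you the name and dates, the signature tells you the gateway, and only together do they give you something to search in a wardriving database.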

Shared Folders and Mounted Drives

In corporate environments, data theft often occurs via network shares.

  • Map Network Drive MRU: (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU) lists the UNC paths the user typed into the "Map Network Drive" dialog (e.g., \\Server\Finance) as lettered values a, b, c..., with an MRUList value giving the order of use. The drive letter chosen is not stored here; for currently mapped drives see NTUSER.DAT\Network\{letter}, whose RemotePath value holds the UNC path.
  • MountPoints2: (NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2) records volumes and remote shares the account has interacted with in Explorer. Shares appear as ##server#share subkeys (e.g., ##192.168.1.50#HiddenShare), including shares opened directly by UNC path and never mapped to a drive letter; removable volumes appear by volume GUID and can be tied to a specific USB device through the SYSTEM hive's MountedDevices key.
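The ordering trap is the same for the ComDlg32 subkeys in 5.3 and for Map Network Drive MRU above: the numbered or lettered value names are slots, and recency lives in MRUListEx (binary DWORD list) or MRUList (string of letters). The Python below is an added example, not code from the chapter, that serves both: it decodes either ordering value and returns the entries most recent first, reporting values that the list does not mention as "orphans" of unknown recency. The sample key contents are constructed; the OpenSavePidlMRU slot data are placeholder bytes, since turning a real PIDL into a file name needs a shell-item parser that is not shown here.

```python
import struct

MRULISTEX_TERMINATOR = 0xFFFFFFFF


def mrulistex_order(data: bytes) -> list:
    """MRUListEx (RecentDocs, OpenSavePidlMRU, LastVisitedPidlMRU): little-endian
    DWORD slot numbers, most recent first, terminated by 0xFFFFFFFF."""
    usable = data[: len(data) - len(data) % 4]      # ignore a truncated trailing DWORD
    order = []
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == MRULISTEX_TERMINATOR:
            break
        order.append(str(slot))                      # slots are value names, so keep as str
    return order


def mrulist_order(data: str) -> list:
    """MRUList (Map Network Drive MRU, RunMRU): a string of slot letters, most recent first."""
    return list(data.rstrip("\x00"))


def ordered_entries(key_values: dict) -> list:
    """key_values maps value names to data for one MRU key.
    Returns (rank, slot, data) tuples, most recent first. Slots named in the list
    but missing as values are skipped; values absent from the list are appended
    with rank None because their recency is unknown."""
    if "MRUListEx" in key_values:
        slots = mrulistex_order(key_values["MRUListEx"])
    elif "MRUList" in key_values:
        slots = mrulist_order(key_values["MRUList"])
    else:
        raise ValueError("key has neither MRUListEx nor MRUList")
    ordered = [(rank, slot, key_values[slot]) for rank, slot in enumerate(slots) if slot in key_values]
    listed = set(slots) | {"MRUList", "MRUListEx"}
    orphans = [(None, name, data) for name, data in key_values.items() if name not in listed]
    return ordered + orphans


# Constructed samples (not from a real hive).
# Map Network Drive MRU: MRUList "ba" says slot b was used more recently than slot a.
MAP_DRIVE_MRU = {
    "a": r"\\Server\Finance",
    "b": r"\\192.168.1.50\HiddenShare",
    "MRUList": "ba",
}
# OpenSavePidlMRU\psd: slots hold binary PIDLs; these bytes are placeholders only.
OPENSAVE_PSD = {
    "0": b"<pidl for Draft.psd>",
    "1": b"<pidl for Forged_Document.psd>",
    "2": b"<pidl for Logo.psd>",
    "MRUListEx": struct.pack("<4I", 1, 2, 0, MRULISTEX_TERMINATOR),
}

if __name__ == "__main__":
    for rank, slot, data in ordered_entries(MAP_DRIVE_MRU):
        print("Map Network Drive MRU", rank, slot, data)
    for rank, slot, data in ordered_entries(OPENSAVE_PSD):
        print("OpenSavePidlMRU\\psd", rank, slot, data)
```

Reading the samples by value name alone would put Draft.psd (slot 0) first; the MRUListEx says Forged_Document.psd (slot 1) was the most recent, which is the fact a report must get right.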

5.5 System Configuration and Maintenance

Installed and Uninstalled Programs

Suspects often uninstall incriminating software before a seizure. However, the "Uninstaller" list in the registry often retains data.

Key Locations:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (64-bit apps on 64-bit Windows, and all apps on 32-bit Windows)
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit apps on 64-bit Windows)
  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Uninstall (per-user installs, which never touch the machine-wide lists and are easy to miss)

Evidence: These keys contain the DisplayName, InstallDate, InstallLocation and UninstallString. InstallDate is a YYYYMMDD string and is sometimes absent; the subkey's last-write time is then the best available installation timestamp.

  • The "Zombie" Entry: Sometimes, a user runs an uninstaller, but the registry key remains. If you find a key for "WiperTool v3" but the program files are gone, you have proof of prior installation.

Page File Management

The pagefile.sys is a file on the hard drive used as an extension of RAM. It contains transient data (passwords, decrypted images, chat fragments). The registry controls how this file is handled.

Key Location:

  • Hive: SYSTEM
  • Path: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

Critical Value: ClearPageFileAtShutdown

  • Default: 0 (Disabled).
  • Forensic Implication: If set to 1, Windows overwrites the pagefile with zeros at every shutdown, destroying whatever memory fragments it held. Criminals and privacy-conscious users enable it to deny analysts that evidence, but the same setting appears in some security hardening baselines, so establish who configured the machine before calling it anti-forensic. The setting only applies at a clean shutdown; if the system was imaged after a hard power-off, the pagefile is still worth carving.

5.6 Specific Software Artifacts

Mozilla & Browser Hints

While full browser forensics involves analyzing SQLite databases (Week 11), the registry holds specific configuration data.

  • Location: HKLM\SOFTWARE\Mozilla or HKCU\Software\Mozilla.
  • Value: Primarily useful for identifying the version installed and the location of the maintenance service. The actual history is in the user profile folders, not the registry.

Archiving Tools (WinRAR and 7-Zip)

Under "Other Software", archiving tools are the most important category in data theft cases. Suspects rarely copy 1,000 individual files to a USB drive; they compress them into a single archive first, and the archiver remembers what it touched.

WinRAR Forensics: WinRAR keeps a history of every archive opened or created through its GUI.

  • Key: HKCU\Software\WinRAR\ArcHistory
  • Value: String values named 0, 1, 2... hold the paths of archives the user interacted with (e.g., D:\Stolen_Docs.rar), with 0 the most recent.
  • DialogEditHistory: The subkeys HKCU\Software\WinRAR\DialogEditHistory\ExtrPath and ...\ArcName record the destination folders the user extracted to and the archive names typed into the create dialog. ExtrPath is often what locates where stolen data was unpacked.

7-Zip Forensics: 7-Zip is less chatty but still valuable.

  • Key: HKCU\Software\7-Zip\FM (the 7-Zip File Manager)
  • Value: PanelPath0 and PanelPath1 hold the folders that were open in the left and right panels when the window was last closed.
  • FolderHistory and CopyHistory: Binary values holding the recently visited folders and the recent copy/extract destinations respectively, stored as NUL-separated UTF-16 strings with the most recent first. CopyHistory is the 7-Zip counterpart of WinRAR's ExtrPath.
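An added example for the two archiver keys above, not code from the chapter: it orders WinRAR's numbered history values and splits the 7-Zip binary history lists, then combines both into one view of archive activity. It assumes the numbered-value layout also applies to WinRAR's ExtrPath subkey and that the 7-Zip values are NUL-terminated UTF-16LE strings concatenated with the newest first; both value sets below are constructed.

```python
def winrar_history(values: dict) -> list:
    """WinRAR ArcHistory (and, as assumed here, DialogEditHistory\\ExtrPath) hold
    string values named 0, 1, 2, ... with 0 the most recent. Returns them in order,
    ignoring any non-numeric value names that share the key."""
    numbered = [(int(name), path) for name, path in values.items() if name.isdigit()]
    return [path for _, path in sorted(numbered)]


def sevenzip_string_list(data: bytes) -> list:
    """7-Zip FM history values (FolderHistory, CopyHistory) are REG_BINARY blobs of
    NUL-terminated UTF-16LE strings, most recent first (layout assumed for this example)."""
    text = data.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def archive_activity(winrar: dict, sevenzip_fm: dict) -> dict:
    """winrar: {'ArcHistory': {...}, 'ExtrPath': {...}} value maps for the two WinRAR keys.
    sevenzip_fm: value map of HKCU\\Software\\7-Zip\\FM."""
    return {
        "winrar_archives": winrar_history(winrar.get("ArcHistory", {})),
        "winrar_extract_paths": winrar_history(winrar.get("ExtrPath", {})),
        "sevenzip_folders": sevenzip_string_list(sevenzip_fm.get("FolderHistory", b"")),
        "sevenzip_copy_targets": sevenzip_string_list(sevenzip_fm.get("CopyHistory", b"")),
    }


def encode_sevenzip_list(items) -> bytes:
    """Builder used only to construct the sample 7-Zip values below."""
    return "".join(s + "\x00" for s in items).encode("utf-16-le")


# Constructed sample values (not from a real profile).
SAMPLE_WINRAR = {
    "ArcHistory": {
        "0": r"D:\Stolen_Docs.rar",
        "1": r"C:\Users\BadGuy\Downloads\tools.rar",
        "Unrelated": "not a history slot",
    },
    "ExtrPath": {"0": r"E:\USB\drop", "1": r"C:\Temp"},
}
SAMPLE_SEVENZIP_FM = {
    "PanelPath0": r"C:\Users\BadGuy\Documents",
    "FolderHistory": encode_sevenzip_list([r"C:\Users\BadGuy\Documents\Finance", r"\\Server\Finance"]),
    "CopyHistory": encode_sevenzip_list([r"E:\USB\drop"]),
}

if __name__ == "__main__":
    for label, items in archive_activity(SAMPLE_WINRAR, SAMPLE_SEVENZIP_FM).items():
        print(label, items)
```

The same destination (E:\USB\drop) appearing in both WinRAR's ExtrPath and 7-Zip's CopyHistory is the kind of cross-tool agreement that makes a staging-location claim hold up.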

5.7 Advanced Concept: Registry Transaction Logs (The "Dirty Hive" Revisited)

In Chapter 4, we introduced the concept of "Cleaning Dirty Hives." We must reinforce this for advanced analysis.

When analyzing AmCache.hve or UsrClass.dat (where ShellBags live), the transaction logs (.LOG1 and .LOG2 beside the hive) matter even more than for NTUSER.DAT. AmCache is updated by background components such as the Compatibility Appraiser task, and UsrClass.dat by Explorer as the user browses, while the primary hive file is flushed lazily, so the on-disk hive can lag the logs by up to an hour. If you analyze a "dead box" AmCache without replaying the logs using AmcacheParser or Registry Explorer, you may miss the most recent entries, including a binary that was inventoried shortly before the system was powered off.

Best Practice Rule: never analyze a hive file in isolation if the associated log files are present. Always process them together.


5.8 Chapter Summary

In this chapter, we expanded our registry skillset to cover the full lifecycle of user activity.

  1. Execution: We can establish what ran and when with BAM/DAM (last-run timestamps per account), and what was present with MUICache (friendly names), AmCache (SHA-1 hashes and version data) and ShimCache (paths and file modification times).
  2. Navigation: We can see what users typed (TypedPaths) and which file dialogs they used (ComDlg32), revealing intent.
  3. Connection: We can map the device's physical journey via Wireless Network profiles.
  4. Configuration: We can detect anti-forensic behavior via PageFile settings and identify removed software through Uninstall keys.
  5. Exfiltration: We can verify if the user compressed sensitive data using WinRAR or 7-Zip registry history.

By correlating these "Part 2" artifacts with the "Part 1" basics, you can now build a tight narrative: "The user connected to the 'Cafe' Wi-Fi (NetworkList), typed the path to a hidden server (TypedPaths), ran 'Wiper.exe' (BAM, with its hash recorded by AmCache), compressed stolen files (WinRAR), and configured the pagefile to be wiped at shutdown (Memory Management)."