Program Execution

Program Execution artifacts identify what applications ran on a system. This is one of the most common forensic questions, and numerous Windows artifacts keep track of executed applications, even if the executable is no longer present on the file system. Each artifact below records a different subset of evidence (path, hash, run count, timestamps), so corroborate across several of them before concluding that a program did or did not run.

Amcache

Identifies the first recorded time, full file path, and SHA1 hash of executables from the Amcache registry hive (C:\Windows\AppCompat\Programs\Amcache.hve). The SHA1 is computed over at most the first 31,457,280 bytes (30 MB) of the file, so it will not match a full-file hash for larger binaries. Entries are written by the application compatibility scanner, so an entry shows the file was present and inspected; treat it as strong but not conclusive evidence of execution on its own.

Jump Lists

The Windows 7 (and later) task bar Jump List is engineered to allow users to "jump" to items they have frequently or recently used, quickly and easily. Jump List files live under %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and CustomDestinations; the file name prefix is the AppID of the application that created it, which ties each list of opened files back to the program that opened them.

Last-Visited MRU

Tracks the specific executable used by an application to open the files documented in the OpenSaveMRU key, along with the directory that application last used in its Open/Save dialog. Stored in NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU (LastVisitedMRU on Windows XP).

Prefetch

Prefetch files (C:\Windows\Prefetch\<EXENAME>-<HASH>.pf) record the executable name, how many times it ran, the last run time (the last eight run times on Windows 8 and later), and the files and directories referenced during the first seconds of execution. Prefetching is disabled by default on Windows Server editions and may be disabled on SSD-based systems, so the absence of a .pf file does not prove a program never ran. Windows 10 and later store the files compressed, so they must be decompressed before parsing.
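The following parser is an added example, not code from the original page, that reads the run metadata from an uncompressed prefetch file for the Windows XP, Vista/7 and 8/8.1 layouts (SCCA versions 17, 23 and 26). It refuses Windows 10 files, which carry a MAM compression header, rather than misparse them. The sample image it builds, including the executable name CMD.EXE and the hash value 0x4A81B364, is constructed for the demonstration and is not a real prefetch file.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# SCCA format versions and where the run metadata sits in each layout.
# The 84-byte header is followed by a version-specific file-information block.
PREFETCH_LAYOUTS = {
    17: {"os": "Windows XP/2003", "last_run": 0x78, "n_runs": 1, "run_count": 0x90},
    23: {"os": "Windows Vista/7", "last_run": 0x80, "n_runs": 1, "run_count": 0x98},
    26: {"os": "Windows 8/8.1",   "last_run": 0x80, "n_runs": 8, "run_count": 0xD0},
}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic only."""
    delta = dt - WIN1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return executable name, path hash, run count and run times from a .pf image."""
    if data[:3] == b"MAM":
        # Windows 10+ prefetch files are LZXPRESS-Huffman compressed; decompress first.
        raise ValueError("compressed Windows 10 prefetch file: decompress before parsing")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file: missing SCCA signature")
    layout = PREFETCH_LAYOUTS.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch version {version}")
    # Executable name: 60 bytes of NUL-padded UTF-16LE starting at offset 16.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    raw_times = struct.unpack_from(f"<{layout['n_runs']}Q", data, layout["last_run"])
    run_times = [filetime_to_datetime(t) for t in raw_times if t]  # unused slots are zero
    (run_count,) = struct.unpack_from("<I", data, layout["run_count"])
    return {
        "os": layout["os"],
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        # The on-disk name is derived from these two fields; a mismatch means renaming.
        "expected_filename": f"{exe_name}-{pf_hash:08X}.pf",
        "run_count": run_count,
        "run_times": run_times,
        "file_size": file_size,
    }


def build_sample_prefetch():
    """Constructed Windows 7 (version 23) image containing only the fields parsed above."""
    buf = bytearray(240)
    struct.pack_into("<I4sII", buf, 0, 23, b"SCCA", 0x11, len(buf))
    name = "CMD.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x4A81B364)          # hash value chosen for the sample
    last_run = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 7)                 # run count
    return bytes(buf)


def is_compressed_prefetch(data):
    """True for the MAM-prefixed files Windows 10 and later write."""
    return data[:3] == b"MAM"


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key:>18}: {value}")
```

To run this against real Windows 10 files, decompress them first (on Windows, tools call ntdll's RtlDecompressBufferEx with the XPRESS Huffman format) and note that Windows 10 builds also moved the run-count field, so cross-check that layout against a known-good parser before relying on it.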

Recent Apps

Tracks GUI applications launched on Windows 10 under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps, recording for each application its path (AppId), a launch count and a last-accessed time, plus the recent files opened with it. The key is populated only by some Windows 10 builds, so an empty key is not evidence that nothing ran.

Shimcache

References the Windows Application Compatibility Cache (SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache) to identify an executed program's file name, file size (Windows XP only), and the executable's last modification time. That timestamp is the file's $STANDARD_INFORMATION modified time, not the time it ran, and the cache is flushed to the registry only at shutdown, so entries from the current session exist only in memory. Windows 10 also dropped the execution flag carried by Windows 8, so a Windows 10 entry proves the file was present, not that it executed.
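An added example, not code from the original page, that walks the Windows 10 AppCompatCache value format: a 0x30-byte header (0x34 from the Creators Update) whose first DWORD is the header size, followed by entries tagged "10ts" in most-recently-inserted order. The field it labels last_modified is the executable's modification time, which is the caveat above. The two cache entries it builds (paths and timestamps) are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_shimcache_win10(data):
    """Parse the REG_BINARY AppCompatCache value from a Windows 10 SYSTEM hive.

    Each entry: 4-byte magic '10ts', 4-byte checksum, 4-byte body length, then a
    body of 2-byte path length, UTF-16LE path, 8-byte FILETIME (file mtime),
    4-byte blob length and an opaque blob. There is no execution flag.
    """
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size not in (0x30, 0x34):
        raise ValueError(f"unexpected header size 0x{header_size:X}: not a Windows 10 cache")
    entries = []
    offset = header_size
    while offset + 12 <= len(data):
        magic, _checksum, entry_len = struct.unpack_from("<4sII", data, offset)
        if magic != b"10ts":
            break                                   # end of entries or damaged value
        body = data[offset + 12: offset + 12 + entry_len]
        (path_len,) = struct.unpack_from("<H", body, 0)
        path = body[2:2 + path_len].decode("utf-16-le")
        (mtime,) = struct.unpack_from("<Q", body, 2 + path_len)
        (blob_len,) = struct.unpack_from("<I", body, 10 + path_len)
        entries.append({
            "position": len(entries),                # 0 = most recently inserted
            "path": path,
            "last_modified": filetime_to_datetime(mtime),  # file mtime, NOT run time
            "blob_len": blob_len,
        })
        offset += 12 + entry_len
    return entries


def _make_entry(path, mtime):
    """Constructed '10ts' entry for the sample; checksum left zero."""
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded + struct.pack("<QI", datetime_to_filetime(mtime), 0)
    return b"10ts" + struct.pack("<II", 0, len(body)) + body


def build_sample_shimcache():
    """Constructed Creators Update (0x34 header) cache with two entries."""
    header = struct.pack("<I", 0x34).ljust(0x34, b"\x00")
    return (header
            + _make_entry(r"C:\Users\alice\Downloads\update.exe",
                          datetime(2019, 3, 5, 8, 30, tzinfo=timezone.utc))
            + _make_entry(r"C:\Windows\System32\cmd.exe",
                          datetime(2018, 9, 15, 7, 28, tzinfo=timezone.utc)))


if __name__ == "__main__":
    for entry in parse_shimcache_win10(build_sample_shimcache()):
        print(f"{entry['position']:>3}  {entry['last_modified']:%Y-%m-%d %H:%M:%S}  {entry['path']}")
```

Because the timestamp is the file's mtime, sort by position (insertion order) rather than by time when building a rough sequence of activity, and pair each entry with Prefetch or UserAssist to establish that it actually ran.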

User Assist

GUI-based programs launched from the desktop are tracked in NTUSER.DAT under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. Value names are ROT13-encoded program paths (on Windows 7 and later the path's known folder is replaced by its GUID), and each value records the run count, focus count, focus time and last execution time. The {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} subkey covers executable launches and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} covers shortcut (.lnk) launches.
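An added example, not code from the original page, that decodes a UserAssist value name and parses the Count value data for both the Windows XP (16-byte) and Windows 7 and later (72-byte) layouts. The known-folder table is a small subset of the GUIDs Windows substitutes; the sample value name and its counters are constructed for the demonstration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs that Windows 7+ substitutes into the recorded path (subset).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"C:\Windows",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
}


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WIN1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - WIN1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name):
    """Undo the ROT13 obfuscation and expand a leading known-folder GUID."""
    decoded = codecs.decode(name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if decoded.upper().startswith(guid):
            return folder + decoded[len(guid):]
    return decoded


def parse_count_value(data):
    """Parse Count value data: 16 bytes on Windows XP, 72 bytes on Windows 7 and later."""
    if len(data) == 16:
        # XP layout: session id, run count (starts at 5), FILETIME of last run.
        _session, run_count, last_run = struct.unpack("<IIQ", data)
        return {
            "run_count": max(run_count - 5, 0),
            "focus_count": None,
            "focus_time": None,
            "last_run": filetime_to_datetime(last_run) if last_run else None,
        }
    if len(data) < 68:
        raise ValueError(f"unexpected Count value length {len(data)}")
    # Windows 7+ layout: counters at offset 4, last execution FILETIME at offset 60.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }


# Constructed sample: ROT13 of "{1AC14E77-...}\cmd.exe", i.e. System32\cmd.exe.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"


def build_sample_count_value():
    """Constructed 72-byte Windows 7+ value: 3 runs, 2 focus events, 4.5 s in focus."""
    last_run = datetime(2021, 6, 15, 9, 45, tzinfo=timezone.utc)
    return (struct.pack("<IIII", 0, 3, 2, 4500)   # session, run count, focus count, focus ms
            + b"\x00" * 40                        # ten 4-byte floats, unused here
            + b"\x00" * 4
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


if __name__ == "__main__":
    print(decode_value_name(SAMPLE_NAME))
    for key, value in parse_count_value(build_sample_count_value()).items():
        print(f"{key:>12}: {value}")
```

A zero FILETIME (reported here as None) is common for entries Windows pre-populates, so a value with no last-run time and a zero run count is not evidence of execution.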

Windows 10 Timeline

Windows 10 records recently used applications and files in a "timeline" accessible via the WIN+TAB key. The data is stored in the SQLite database %USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\<account folder>\ActivitiesCache.db, whose Activity table records the application that was opened and the start, end and focus times of each activity.