DFIR-Notes
Windows Forensics

BAM (Background Activity Moderator)

The Background Activity Moderator (BAM) is a Windows service introduced in Windows 10. BAM tracks the activity of background applications, and the records it keeps are a useful source of program-execution evidence.

Overview:

  • Purpose: Manages background activity for applications to optimize system performance.

  • Registry Location:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>

  • Data Stored:

    • Executable paths and timestamps of last execution.

Benefits for DFIR:

  • Activity Tracking: Tracks when applications were last active in the background.

  • User Behavior: Provides insight into frequently used programs.

How It Works:

  • For each executable that performs background activity, BAM records:

    • Timestamps: Time of last activity.

    • Paths: Full paths of executables.

    • User-Specific Data: Each user's executed programs are stored under their corresponding SID (Security Identifier).
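The following Python script is an added example (not code from DFIR-Notes or from any BAM parsing tool) that turns the raw values under one <SID> key into a per-user last-execution timeline. It relies on two details that the page does not spell out but that hold on Windows 10 systems: each value is named after the executable (usually with a \Device\HarddiskVolumeN\ prefix, or a package name for Store apps) and its data is a 24-byte REG_BINARY blob whose first 8 bytes are a little-endian FILETIME (UTC); and on Windows 10 1809 and later the per-user keys sit under bam\State\UserSettings rather than bam\UserSettings. The sample entries, the SID, and the volume-to-drive-letter mapping are constructed for the demo, and all function names are the example's own.

```python
"""Decode BAM UserSettings values into a per-user last-execution timeline.

Added example for this page (not DFIR-Notes code). Sample entries are
constructed; the device-to-drive mapping is an assumption for the demo.
"""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values stored beside the executable entries under each <SID> key that are
# bookkeeping, not programs.
_NON_EXECUTABLE_VALUES = {"Version", "SequenceNumber"}

# Key layouts seen across Windows 10 builds: 1809 and later nest the per-user
# keys under "State"; 1709/1803 do not. (Live system; an offline SYSTEM hive
# uses ControlSet00N instead of CurrentControlSet.)
BAM_KEY_PATHS = (
    r"SYSTEM\CurrentControlSet\Services\bam\State\UserSettings",
    r"SYSTEM\CurrentControlSet\Services\bam\UserSettings",
)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def make_bam_blob(dt: datetime) -> bytes:
    """Build a 24-byte BAM value: little-endian FILETIME followed by 16 unused bytes."""
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16


def normalize_path(value_name: str, volume_map: dict) -> str:
    """Rewrite a \\Device\\HarddiskVolumeN prefix to a drive letter when the mapping is known."""
    for device, drive in volume_map.items():
        if value_name.startswith(device + "\\"):
            return drive + value_name[len(device):]
    return value_name  # packaged-app names and unknown volumes are kept verbatim


def parse_bam_user_key(sid: str, values, volume_map=None):
    """Turn (name, data) pairs from one <SID> key into timeline rows, newest first.

    Bookkeeping values and blobs too short to hold a FILETIME are skipped.
    """
    volume_map = volume_map or {}
    rows = []
    for name, data in values:
        if name in _NON_EXECUTABLE_VALUES or len(data) < 8:
            continue
        (filetime,) = struct.unpack_from("<Q", data, 0)
        rows.append({
            "sid": sid,
            "path": normalize_path(name, volume_map),
            "last_run_utc": filetime_to_datetime(filetime),
        })
    rows.sort(key=lambda r: r["last_run_utc"], reverse=True)
    return rows


def read_live_bam(volume_map=None):
    """Read BAM from the live registry (Windows only); tries both key layouts."""
    import winreg  # imported here so the module still loads on non-Windows hosts

    for key_path in BAM_KEY_PATHS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        rows = []
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                sid = winreg.EnumKey(root, i)
                with winreg.OpenKey(root, sid) as user_key:
                    count = winreg.QueryInfoKey(user_key)[1]
                    values = [winreg.EnumValue(user_key, j)[:2] for j in range(count)]
                rows.extend(parse_bam_user_key(sid, values, volume_map))
        return rows
    raise FileNotFoundError("no BAM UserSettings key found")


# Constructed sample: one user's key as it would be enumerated from the hive.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_VOLUME_MAP = {r"\Device\HarddiskVolume3": "C:"}  # assumed mapping for the demo
SAMPLE_VALUES = [
    ("Version", b"\x01\x00\x00\x00"),
    ("SequenceNumber", b"\x0c\x00\x00\x00"),
    (r"\Device\HarddiskVolume3\Windows\System32\cmd.exe",
     make_bam_blob(datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc))),
    (r"\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe",
     make_bam_blob(datetime(2024, 1, 16, 8, 30, tzinfo=timezone.utc))),
    ("Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy",
     make_bam_blob(datetime(2024, 1, 14, 7, 5, tzinfo=timezone.utc))),
    (r"\Device\HarddiskVolume3\truncated.exe", b"\x00\x00"),  # too short, skipped
]


def sample_timeline():
    return parse_bam_user_key(SAMPLE_SID, SAMPLE_VALUES, SAMPLE_VOLUME_MAP)


if __name__ == "__main__":
    for row in sample_timeline():
        print(row["last_run_utc"].isoformat(), row["sid"], row["path"])
```

Running the script prints the constructed sample sorted newest first; on a Windows host, read_live_bam() walks every SID subkey the same way. Parsing an offline SYSTEM hive needs a registry hive library to enumerate the values, and the ControlSet in the hive path has to be read from the Select key rather than assumed; the decoding in parse_bam_user_key is unchanged either way. Because BAM keeps only the most recent timestamp per executable, a row tells you the last time that program ran for that user, not how often.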

Tools:

  • BAM Parser: Specialized tool for analyzing BAM data.

  • Registry Explorer: Manual exploration of BAM keys.
