search

BAM (Background Activity Moderator)

The Background Activity Moderator (BAM) is a Windows service introduced in Windows 10. BAM tracks the activity of background applications and provides valuable forensic data.

hashtag
Overview:

  • Purpose: Manages background activity for applications to optimize system performance.

  • Registry Location:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>

  • Data Stored:

    • Executable paths and timestamps of last execution.

hashtag
Benefits for DFIR:

  • Activity Tracking: Tracks when applications were last active in the background.

  • User Behavior: Provides insight into frequently used programs.

hashtag
How It Works:

  • Logs executables that perform background activity, including:

    • Timestamps: Time of last activity.

    • Paths: Full paths of executables.

    • User-Specific Data: Each user's executed programs are stored under their corresponding SID (Security Identifier).

hashtag
Tools:

  • BAM Parser: Specialized tool for analyzing BAM data.

  • Registry Explorer: Manual exploration of BAM keys.

PreviousMUI CacheNextSRUM (System Resource Usage Monitor)

Last updated