Abstract
Perpetrators of crimes are now more forensic-aware than ever and take preventive measures to limit or delete program execution artifacts. Analysts are also frequently confronted with computer systems infected by malicious programs (for example, malware and ransomware) that are designed to remain hidden while running and to erase the traces of their execution. Program execution analysis is a meaningful effort to unravel the Indicators of Compromise (IOCs) on an infected system and to detect anti-forensic tools used to complicate investigations. The number of sources in which program execution evidence is created and stored is rising in newer Windows systems; however, analyzing one source in isolation uncovers only a piece of the information. Thus, the different sources of program execution evidence need to be taken into account as a whole for a comprehensive examination of a digital incident, and a comparative study of the forensic capabilities of these artifacts is needed. To fill this gap, this study considers eleven sources of program execution evidence: Prefetch, Jump Lists, Shortcut (LNK), UserAssist, Amcache.hve, IconCache.db, AppCompatFlags, AppCompatCache, RunMRU, MuiCache and SRUDB.dat, and investigates the effects of running various types of applications (for example, host-based executables, package applications, portable applications, and Windows Store Apps) on these artifacts in a Windows 10 Pro client system. The effects of running five popular anti-forensic tools (for example, privacy cleaners) are also observed, and a comparison of the scrubbing capabilities of these tools is presented. In addition, the study discusses the forensic significance of examining the considered program execution artifacts. The study will have direct implications for forensic or malware investigations in which program execution analysis is a subject of interest.
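As an added illustration of the cross-source reasoning the abstract argues for (this code is not from the paper), the Python below correlates constructed per-source execution records, reports which sources lack each program, and flags programs that survive only in system-maintained sources. The grouping of sources into "cleaner-targeted" and "system-maintained", the executable names and the records themselves are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data: each artifact source maps to the executables it
# still records on the examined image. Names are placeholders, not real data.
SAMPLE_EVIDENCE = {
    "Prefetch":       {"notepad.exe", "sample-app.exe"},
    "UserAssist":     {"notepad.exe", "sample-app.exe", "privacy-cleaner.exe"},
    "AppCompatCache": {"notepad.exe", "sample-app.exe", "privacy-cleaner.exe", "unknown.exe"},
    "Amcache.hve":    {"notepad.exe", "sample-app.exe", "privacy-cleaner.exe", "unknown.exe"},
    "RunMRU":         set(),
    "MuiCache":       {"notepad.exe", "sample-app.exe"},
}

# Assumption for this example: a split between sources a privacy cleaner
# typically targets (user-profile files and per-user registry keys) and
# system-maintained sources. Treat it as a starting heuristic, not a rule.
CLEANER_TARGETED = {"Prefetch", "UserAssist", "RunMRU", "MuiCache"}
SYSTEM_MAINTAINED = {"AppCompatCache", "Amcache.hve"}


def coverage(evidence):
    """Return {program: sorted list of sources that record it}."""
    seen = defaultdict(set)
    for source, programs in evidence.items():
        for program in programs:
            seen[program].add(source)
    return {p: sorted(s) for p, s in seen.items()}


def gaps(evidence):
    """Return {program: sorted sources missing it} for programs that at
    least one source records but at least one other source does not."""
    all_sources = set(evidence)
    return {p: sorted(all_sources - set(srcs))
            for p, srcs in coverage(evidence).items()
            if set(srcs) != all_sources}


def possible_scrubbing(evidence):
    """Programs recorded only by system-maintained sources while every
    cleaner-targeted source lacks them: worth a closer look, not proof."""
    return sorted(p for p, srcs in coverage(evidence).items()
                  if set(srcs) and set(srcs) <= SYSTEM_MAINTAINED)


def empty_sources(evidence):
    """Sources with no entries at all while other sources are populated."""
    if not any(evidence.values()):
        return []
    return sorted(s for s, programs in evidence.items() if not programs)
```

On the constructed data, `unknown.exe` is visible only in AppCompatCache and Amcache.hve and RunMRU is empty, which is the pattern an analyst would then verify against the individual artifacts.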