
-> UPDATE (09/2019)

  • In Win10 v1809 & v1903, BAM stopped updating `bam\UserSettings` (old entries may still be found there) and now updates `bam\State\UserSettings`. These PowerShell scripts get the data from the new location:

    bam.ps1 (parses both locations)
    bamoffline1.ps1 (parses both locations)
    bam1809.ps1 (new location only)
    bamoffline1809.ps1 (new location only)

Windows 10 (1703+) Background Activity Moderator

  • BAMparser.ps1 - PowerShell script by Matthew Green (original is here) for live parsing of the BAM service key:

    BAMparser.ps1 results

  • bam.ps1 - Modification of the above script that shows the results in a pop-up window with timestamps in both UTC and the user's local time.

    bam.ps1 results

    The user can select all lines (Ctrl+A) or specific lines (Ctrl+click) and copy/paste (Ctrl+C and Ctrl+V) the data into a text file or an MS Excel spreadsheet. The selected lines are also displayed in the console after the user presses the OK button.

    bam.ps1 console

  • bam1.ps1 - Second modification of the above script. It is like bam.ps1 but shows the filename and path in separate columns and 3 different dates: UTC, local time and the calculated user time (UTC +/- the ActiveTimeBias). Information on the timezone, daylight saving and ActiveTimeBias is in the header:

    bam1.ps1 output

  • bamoffline.ps1 - Offline parser that reads an offline SYSTEM hive and displays the BAM key entries in a pop-up window with timestamps in UTC and in the SYSTEM hive's timezone (calculated from its ActiveTimeBias). It can also read SYSTEM hives directly from logical drives mounted from an FTK image. Note: must be run in a PowerShell console with Administrator privileges. The script asks the user to select a SYSTEM hive file:

    Select SYSTEM hive

    It calculates the SHA256 hash of the SYSTEM hive file and opens it read-only. The results are shown in a pop-up window with timestamps in the user's local time. The user can select all lines (Ctrl+A) or specific lines (Ctrl+click) and copy/paste (Ctrl+C and Ctrl+V) the data into a text file or an MS Excel spreadsheet. The selected lines are also displayed in the console after the user presses the OK button.

    Offline results

    After the result window is closed (the user presses the OK button), a new SHA256 hash of the SYSTEM hive file is calculated and compared against the original, confirming the hive was not modified during parsing:

    Offline console

  • bamoffline1.ps1 - Offline parser similar to the above, except that it shows the filename and path in separate columns and 3 different dates: examiner local time, UTC, and the calculated user time (UTC +/- the ActiveTimeBias). Information on the timezone, daylight saving and ActiveTimeBias is in the header:

    Offline results

    console example

  • Documentation of the Background Activity Moderator service key (pdf)

    Other References:

    1. Background Activity Moderator Driver
    2. About BAM key (execution trace #1) (in Japanese)
    3. About BAM key (execution trace #2) (in Japanese)
    4. BAM Key and Process Execution, Updated Plugins
    5. Bam - Alternative to Prefetch
    6. BAM Internals
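The live parsing described for bam.ps1/bam1.ps1 above (both BAM key locations, FILETIME decoding, UTC / examiner local time / user time from ActiveTimeBias, grid selection echoed to the console), written here as an added example and not one of the repository's scripts. It assumes the standard key paths named in this readme, that each BAM value is REG_BINARY with a leading 8-byte FILETIME, and an elevated PowerShell console:

```powershell
# Added example: live BAM parser for the pre-1809 and 1809+ key locations.
# Run from an elevated PowerShell console (the per-SID subkeys are admin-only).
$bamRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'         # Win10 1703 - 1803
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'   # Win10 1809+
)

# ActiveTimeBias is a REG_DWORD in minutes (UTC = local + bias). Zones east of UTC store
# a negative value, so take the low 32 bits as a signed Int32 whatever type is returned.
$tz   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$bias = [BitConverter]::ToInt32([BitConverter]::GetBytes([int64]$tz.ActiveTimeBias), 0)
Write-Host "TimeZone: $($tz.TimeZoneKeyName)  ActiveTimeBias: $bias min  DaylightBias: $($tz.DaylightBias) min"

$entries = foreach ($root in $bamRoots) {
    if (-not (Test-Path $root)) { continue }           # location absent on this build
    foreach ($sidKey in Get-ChildItem $root) {
        $sid = Split-Path $sidKey.Name -Leaf
        try   { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid }                          # deleted or foreign SID: keep the raw SID

        $props = Get-ItemProperty $sidKey.PSPath
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the provider's PS* properties and BAM's own Version / SequenceNumber values.
            if ($name -like 'PS*' -or $name -in 'Version', 'SequenceNumber') { continue }
            $data = $props.$name
            if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
            # The first 8 bytes of each REG_BINARY value are a little-endian FILETIME in UTC.
            $utc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
            [PSCustomObject]@{
                Location  = $root -replace '^.*\\bam\\'   # UserSettings or State\UserSettings
                User      = $user
                Path      = Split-Path $name -Parent      # value name is the executable path
                FileName  = Split-Path $name -Leaf
                UTC       = $utc.ToString('yyyy-MM-dd HH:mm:ss')
                LocalTime = $utc.ToLocalTime().ToString('yyyy-MM-dd HH:mm:ss')
                UserTime  = $utc.AddMinutes(-$bias).ToString('yyyy-MM-dd HH:mm:ss')
            }
        }
    }
}

# Grid view allows Ctrl+A / Ctrl+click selection; pressing OK echoes the selection to the console.
$entries | Sort-Object UTC -Descending | Out-GridView -Title 'BAM entries' -PassThru | Format-Table -AutoSize
```

The UserTime column reproduces the "calculated user time" of bam1.ps1: the FILETIME is always UTC, so the bias stored on the examined machine is what places the execution in that machine's wall-clock time.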

Status

  • [x] Live Parser
  • [x] Offline SYSTEM hive parser