BAM/DAM

The Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are artifacts within the Windows operating system, specifically introduced in Windows 10 (version 1809 and above), as part of the Windows power management subsystem. These artifacts are designed to moderate background and desktop activities based on power usage and performance, but they also provide valuable data for digital forensics, especially in terms of program execution history.

BAM and DAM are located in the Windows Registry and store information about executable files that have been run on the system, including both background (BAM) and desktop (DAM) applications. This information is crucial for forensic analysts because it includes the full paths of executed files and the last execution date and time, offering insights into user behavior and potential malicious activity.

Key Insights

Registry Location:
- BAM: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
- DAM: HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

Here, {SID} refers to the Security Identifier of the user accounts on the machine. This means that BAM/DAM data is specific to each user, allowing for a granular analysis of program execution per user account.

Data Stored:
- The full path of the executed file.
- The last execution date and time.

The data is typically available for up to one week, making BAM/DAM a timely source for recent activity investigation. The "State" key, used in Windows 10 version 1809 and above, is where this information is stored, indicating a shift from previous versions of Windows in how execution data is logged.

Analyzing BAM/DAM for Program Execution

To analyze BAM/DAM data for program execution, forensic analysts need to access the aforementioned registry paths. This can be achieved through the Windows Registry Editor or command-line tools like reg.exe. However, for a forensic analysis, it is recommended to use specialized forensic tools that can safely and efficiently extract registry data without altering the state of the live system.

Example Command to Query BAM/DAM:

reg query HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings
reg query HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings

This command lists all user SIDs that have data stored in BAM and DAM. Analysts would then iterate through each SID to examine the execution data for each user.

Understanding the Outputs:
- Full Path of Executed File: Helps identify not only common applications but also potentially malicious executables or scripts run by the user or by malware.
- Last Execution Date and Time: Critical for establishing a timeline of user activity or for correlating with other forensic artifacts to build a comprehensive view of events leading up to an incident.

PreviousDecoding Prefetch Files with Eric Zimmerman's PECmd Tool NextCapabilityAccessManager

Last updated 1 year ago

Was this helpful?

Key Insights

Registry Location:

BAM: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
DAM: HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

Data Stored:

The full path of the executed file.
The last execution date and time.

Analyzing BAM/DAM for Program Execution

Example Command to Query BAM/DAM:

reg query HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings
reg query HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings

This command lists all user SIDs that have data stored in BAM and DAM. Analysts would then iterate through each SID to examine the execution data for each user.

Understanding the Outputs:

Full Path of Executed File: Helps identify not only common applications but also potentially malicious executables or scripts run by the user or by malware.
Last Execution Date and Time: Critical for establishing a timeline of user activity or for correlating with other forensic artifacts to build a comprehensive view of events leading up to an incident.