Analyzing Program Execution
This article is intended to give a high-level overview of analyzing program execution on the various operating systems. A typical operating system has both direct and indirect program execution indicators:
- direct indicators: artifacts of operating system subsystems involved in executing a program, e.g. a Prefetch file.
- indirect indicators: artifacts that the program itself leaves behind while running, e.g. an MRU Registry key.
This article focuses on the direct program execution indicators.
Mac OS X
Windows
- Program crashes
- Windows Error Reporting (WER)
- Services and drivers
- UserAssist Registry key
- Windows Application Compatibility
- AppCompatCache Registry key
- Windows Memory Analysis
- Hibernation file
- Page file
- Windows Event Log
- Windows PC Accelerators
- Run/RunOnce Registry keys (and equivalents)
- Windows Task Scheduler
- Job files
- TaskCache Registry key
- XML task/job files (C:\Windows\System32\Tasks, C:\Windows\SysWOW64\Tasks)
Note that third-party tooling such as anti-virus products or Host-based Intrusion Detection Systems (HIDS) can also be used to track program executions; the artifacts available will vary per product.