BAM/DAM (Background/Desktop Activity Moderator)

Windows | Execution Evidence | Disk Image

Location

SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> (Windows 10 1709+)

Description

Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) registry keys recording executable paths with their last execution UTC timestamp, attributed to specific user SIDs.

Forensic Value

BAM/DAM provides user-attributable execution evidence with timestamps, filling a gap left by Prefetch (which does not record the executing user) and AmCache (which may not have accurate execution times). Each entry links a specific executable path to the user SID that ran it and the UTC time of last execution. This is particularly valuable for identifying which user account was used to run attacker tools on shared systems.
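To make the value layout concrete, the following is an added Python example (not part of this page or of any of the tools listed below) that decodes BAM/DAM values the way an offline parser would: each value name under UserSettings\<SID> is a device-form executable path, the value data on Windows 10 is a 24-byte blob whose first 8 bytes are a little-endian FILETIME of the last execution, and the Version and SequenceNumber values are housekeeping rather than paths. The SIDs, paths and timestamps are constructed sample data; reading the live hive on Windows would be done with the winreg module, and an exported SYSTEM hive with a registry library, neither of which is shown here.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Housekeeping values under UserSettings\<SID> that are not executable paths.
_NON_PATH_VALUES = {"Version", "SequenceNumber"}


def filetime_to_utc(raw: bytes) -> datetime:
    """Convert the first 8 bytes of raw (little-endian FILETIME) to a UTC datetime."""
    if len(raw) < 8:
        raise ValueError("FILETIME requires at least 8 bytes")
    ticks, = struct.unpack_from("<Q", raw, 0)
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_bam_entry(value_name: str, value_data: bytes):
    """Decode one BAM/DAM value.

    Returns (device_path, last_execution_utc), or None for Version/SequenceNumber
    and for any value too short to hold a FILETIME.
    """
    if value_name in _NON_PATH_VALUES:
        return None
    # 24 bytes on Windows 10 builds; only the leading FILETIME is decoded here.
    if len(value_data) < 8:
        return None
    return value_name, filetime_to_utc(value_data)


def build_timeline(user_settings: dict):
    """Flatten {sid: {value_name: value_data}} into a time-sorted list of
    (last_execution_utc, sid, device_path) tuples, skipping non-path values."""
    rows = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            parsed = parse_bam_entry(name, data)
            if parsed is not None:
                path, when = parsed
                rows.append((when, sid, path))
    rows.sort()
    return rows


def _blob(ticks: int) -> bytes:
    """Build a constructed 24-byte BAM value from a FILETIME tick count."""
    return struct.pack("<Q", ticks) + b"\x00" * 16


# Constructed sample: two user SIDs, as they would appear under UserSettings.
# 133549866000000000 ticks == 2024-03-15 14:30:00 UTC.
SAMPLE_USER_SETTINGS = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 7),
        "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe": _blob(133549866000000000),
        # 3,600 seconds (36,000,000,000 ticks) later.
        "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\tool.exe": _blob(133549866000000000 + 36_000_000_000),
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1002": {
        "Version": struct.pack("<I", 1),
        # 1,800 seconds (18,000,000,000 ticks) earlier than cmd.exe above.
        "\\Device\\HarddiskVolume2\\Windows\\explorer.exe": _blob(133549866000000000 - 18_000_000_000),
    },
}


if __name__ == "__main__":
    for when, sid, path in build_timeline(SAMPLE_USER_SETTINGS):
        print(f"{when.isoformat()}  {sid}  {path}")
```

The SID is carried through from the key name rather than from the value, which is exactly the attribution Prefetch lacks; mapping the SID back to an account name still requires the SAM hive or the ProfileList key, which this example does not read.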

Tools Required

KAPE
Registry Explorer (Eric Zimmerman)
RegRipper
RECmd (Eric Zimmerman)