BITS Transfer Jobs

windowsPersistence MechanismsDisk Image

Location

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Description

Background Intelligent Transfer Service database tracking all BITS jobs including download URL, destination path, creation time, and job owner SID.

Forensic Value

Adversaries abuse BITS jobs for stealthy file downloads and persistence because BITS transfers survive reboots and run under the SYSTEM context. Parsing qmgr.db reveals download URLs for second-stage payloads, staging paths, and the exact user account that initiated the transfer. BITS jobs do not appear in standard proxy logs if the system uses direct connections.

Tools Required

KAPEBitsParserBITS-parser (ANSSI)

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical