Blog >> Windows Background Activity Moderator (BAM)

Investigating Windows Background Activity Moderator (BAM)

22/06/2022 Wednesday

Background Activity Moderator is a Windows service that controls activity of background applications. The service was first introduced on Windows 10, specifically, after the Fall Creators Update (version 1709). BAM provides the full path of the executable files that was run on the system as well as the last execution date and time of these files.

Digital Forensics Value of BAM Artifact

BAM provides evidence of program execution by listing executables under the " "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\bam\State\UserSettings\<SID>" registry key. Each user specific executable is stored under the corresponding SID entry. BAM entries are only populated for locally run executables. Launching executables on network shares or removable media will not generate BAM entries. Similarly, console applications aren't stored on the BAM entry. In addition, BAM entries are removed if an executable is removed from its original location; and entries older than 7 days are removed when Windows boots.

Location of BAM ArtiFact

BAM key is located at

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\{SID}

Structure of BAM ArtiFact

As mentioned earlier, BAM entries are stored under the <User SID>. Each program executed is stored within the registry value [REG_BINARY]. Its name is set to an executable path and its data is set to a binary structure with a FILETIME timestamp.

An Instance of the <User SID> registry key:
1. Value Name: \Device\HarddiskVolume1\ArtiFast Suite\ArtiFast Suite\jre\bin\javaw.exe
2. Value Type: REG_BINARY
3. Value Data: C5 FC 37 CE 75 84 D8 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00

Analyzing BAM Artifact with ArtiFast Windows

This section discusses how to use ArtiFast Windows to analyze BAM artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact. After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select BAM artifact:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the BAM artifact in ArtiFast software.

Background Activity Moderator (BAM) Artifact

The artifact contains BAM registry key content. The details you can view include:

• Date - Time and date the executable was ran.
• Date Description - Detailed explanation of the Date attribute.
• Program - Executable that was ran. This atribute contains the path of the executable.
• Description - Detailed description of the executable.
• Source - Source of the artifact.

For more information or suggestions please contact: [email protected]