Background Activity Moderator is a Windows service that controls activity of background applications. The service was first introduced on Windows 10, specifically, after the Fall Creators Update (version 1709). BAM provides the full path of the executable files that was run on the system as well as the last execution date and time of these files.
BAM provides evidence of program execution by listing executables under the " "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Services\bam\State\UserSettings\<SID>" registry key.
Each user specific executable is stored under the corresponding SID entry. BAM entries are only populated for locally run executables. Launching executables on network shares or removable media will not generate BAM entries. Similarly, console applications aren't stored on the BAM entry. In addition, BAM entries are removed if an executable is removed from its original location; and entries older than 7 days are removed when Windows boots.
BAM key is located at
As mentioned earlier, BAM entries are stored under the <User SID>. Each program executed is stored within the registry value [REG_BINARY]. Its name is set to an executable path and its data is set to a binary structure with a FILETIME timestamp.
This section discusses how to use ArtiFast Windows to analyze BAM artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact. After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select BAM artifact:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the BAM artifact in ArtiFast software.
Background Activity Moderator (BAM) Artifact
The artifact contains BAM registry key content. The details you can view include:
For more information or suggestions please contact: firstname.lastname@example.org