Artifact Analysis: BAM (Background Activity Moderator)

Note

Executive Summary: Introduced in Windows 10, the Background Activity Moderator (BAM) is a system service designed to optimize battery consumption by controlling background applications. For DFIR analysts, BAM acts as a stealthy execution ledger. It provides highly reliable proof of execution that directly links a specific executable to a precise user account (SID) and a timestamp, making it a critical artifact for attribution.

1. Technical Overview

The primary philosophy behind BAM is energy management. Modern Windows operating systems need to monitor which applications are active or resource-intensive in the background to throttle them if necessary (especially on laptops).

To achieve this, the BAM service (bam.sys) silently monitors application launches and records metadata about these executions directly into the system’s registry. Because its primary purpose is power management rather than auditing, attackers frequently overlook it during anti-forensic cleanup operations.

2. Artifact Location & Structure

Unlike artifacts stored in user profiles (such as Jumplists or Shellbags), BAM data is centralized within the SYSTEM registry hive.

• Hive Location: C:\Windows\System32\config\SYSTEM
• Registry Key: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{User-SID}

Data Structure

The UserSettings key contains subkeys for every Security Identifier (SID) that has logged into the machine. Inside each SID key, the registry stores a list of values where each value corresponds to a program executed by that specific user.

3. Data Analysis: Extracted Information

Parsing the BAM registry keys reveals three crucial pieces of forensic data for each entry:

1. Full Executable Path: The absolute path of the launched program (e.g., \Device\HarddiskVolume2\Users\Admin\Desktop\malware.exe).
2. User SID: Because the parent registry key is the user’s SID, analysts can definitively attribute the execution to a specific human or service account.
3. Last Execution Time: A FILETIME timestamp (in UTC) indicating the last time the BAM service observed this program running.

4. Forensic Value in Incident Response

BAM is a high-fidelity source of evidence, typically used to corroborate findings from other execution artifacts.

A. Direct User Attribution

This is BAM’s greatest strength. While artifacts like Prefetch (.pf) or Shimcache are system-wide and prove that a file ran on the machine, BAM definitively answers the question: “Which user account executed this payload?”

B. Anti-Forensic Resilience

Threat actors are well-aware of Prefetch and often attempt to delete .pf files to cover their tracks. Because BAM is a lesser-known artifact stored deep within the locked SYSTEM hive, it frequently survives automated cleanup scripts, preserving the execution footprint.

C. The Execution Correlation Trio

DFIR analysts use BAM to build an irrefutable proof of execution by correlating it with two other major artifacts.

1. Prefetch: Identifies the execution, providing the run count and multiple execution timestamps.
2. Amcache: Provides the SHA1 hash of the executable, allowing for positive malware identification.
3. BAM: Confirms the exact User SID responsible for the execution and provides the final execution timestamp.

5. Recommended Tooling

Due to the structure of the registry hive and the need to parse FILETIME data accurately, manual analysis via regedit is inefficient during an incident.

BAMParser

Part of Eric Zimmerman’s Tools. A command-line utility specifically designed to parse BAM entries from an exported SYSTEM hive and output the results in CSV format.

RegRipper

Utilize the bam plugin within RegRipper to quickly extract and format the execution data directly from the registry hive.

---

References & Further Reading

• SANS Institute: Windows Forensic Analysis
• Eric Zimmerman’s Tools: BAMParser GitHub Repository