Available Artifacts - Indicators of Execution Updated

The "Indicators of Execution" spreadsheet I put together in 2018 has been somewhat neglected of late. So, with the release of Server 2025 I set about updating it to reflect the current state of Windows 11 and Server 2025 and completing some long overdue gap filling.

In addition to filling a few of the longstanding gaps, I have updated the original blog post and spreadsheet to include a couple of additional artifacts, specifically:

  • Program Compatibility Assistant
  • EventTranscript.db

Thanks to Andrew Rathburn (@bunsofwrath12) for these suggestions.

The below sections have been added to the original post, but are reproduced here:

Program Compatibility Assistant

The Program Compatibility Assistant (PCA) is a Windows service that detects and mitigates compatibility issues when legacy applications are run on newer versions of Windows. It runs in the background and monitors programs for compatibility issues. Since Windows 11 (22H2 update), and therefore also Windows Server 2025, the PCA writes a file named PcaAppLaunchDic.txt under C:\Windows\appcompat\pca\. It is a pipe-delimited text file with one line per executable: the full path, a pipe, and the timestamp of execution. Note that the file is a dictionary keyed on path, so each executable appears once and its timestamp is overwritten on subsequent runs; it records the most recent execution of each path, not a history of every launch.

References/Tools:
https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
https://github.com/Psmths/windows-forensic-artifacts/blob/main/execution/program-compatibility-assistant.md
https://www.sygnia.co/blog/new-windows-11-pca-artifact/
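As an added example (not from the original post or from any of the referenced tools), the following Python parses PcaAppLaunchDic.txt into timestamped records, tolerates malformed lines, and applies two simple triage checks: launches within a time window, and launches from user-writable locations. The sample input is constructed to mirror the real file's path|timestamp layout; the SUSPECT_DIRS list is an illustrative assumption, and timestamps are treated as UTC, which you should verify against the write-ups referenced above before relying on it in a timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

# Location of the artifact on a live Windows 11 22H2+ / Server 2025 system.
PCA_APP_LAUNCH_DIC = r"C:\Windows\appcompat\pca\PcaAppLaunchDic.txt"

# Timestamp layouts seen in the file; the fractional seconds are normally present.
_TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")

# Illustrative (assumed) list of user-writable directories that warrant a closer
# look when a binary executed from them shows up in the artifact.
SUSPECT_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


@dataclass(frozen=True)
class PcaLaunch:
    path: str
    timestamp: datetime  # tz-aware; treated as UTC (assumption, see lead-in)


def parse_timestamp(raw: str) -> datetime:
    """Parse the timestamp field, with or without fractional seconds."""
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw!r}")


def parse_pca_app_launch_dic(text: str) -> Tuple[List[PcaLaunch], List[str]]:
    """Parse the text of PcaAppLaunchDic.txt into (records, unparsed_lines).

    Splitting on the *last* pipe keeps a path intact even if it contains '|'.
    Blank lines are ignored; anything else that does not parse is returned
    rather than silently dropped, so the analyst can inspect it.
    """
    records: List[PcaLaunch] = []
    bad: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, sep, raw_ts = line.rpartition("|")
        if not sep:
            bad.append(line)
            continue
        try:
            records.append(PcaLaunch(path.strip(), parse_timestamp(raw_ts)))
        except ValueError:
            bad.append(line)
    return records, bad


def load_pca_app_launch_dic(path: str = PCA_APP_LAUNCH_DIC):
    """Read the artifact from disk (or from a mounted image) and parse it."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return parse_pca_app_launch_dic(fh.read())


def launches_between(records: Iterable[PcaLaunch], start: datetime, end: datetime) -> List[PcaLaunch]:
    """Records whose (last) execution falls inside [start, end], oldest first."""
    return sorted((r for r in records if start <= r.timestamp <= end), key=lambda r: r.timestamp)


def launches_from_suspect_dirs(records: Iterable[PcaLaunch]) -> List[PcaLaunch]:
    """Records whose executable path lies under one of SUSPECT_DIRS."""
    return [r for r in records if any(d in r.path.lower() for d in SUSPECT_DIRS)]


# Constructed sample input mirroring the real file's layout (path|timestamp per line).
SAMPLE = (
    "C:\\Program Files\\7-Zip\\7zFM.exe|2024-11-04 18:03:01.120\r\n"
    "C:\\Users\\analyst\\Downloads\\update_helper.exe|2024-11-05 09:12:44.337\r\n"
    "C:\\Windows\\System32\\notepad.exe|2024-11-05 09:15:02.001\r\n"
    "this line is malformed\r\n"
)

if __name__ == "__main__":
    recs, bad = parse_pca_app_launch_dic(SAMPLE)
    for r in sorted(recs, key=lambda r: r.timestamp):
        print(r.timestamp.isoformat(), r.path)
    print("from suspect dirs:", [r.path for r in launches_from_suspect_dirs(recs)])
    print("unparsed lines:", len(bad))
```

Point load_pca_app_launch_dic at the file from a mounted image (or the live path) instead of SAMPLE; remember that because the file holds one entry per path, an absent entry does not mean a binary never ran, only that it has no surviving PCA record.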

EventTranscript.db

EventTranscript.db is a SQLite database, located at C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db, in which Windows persists the diagnostic (telemetry) events it collects. Because those events include process-launch and application-inventory telemetry, it can be used as evidence of program execution. However, it is not enabled by default: the database is only populated when the Diagnostic Data Viewer feature is turned on (Settings > Privacy & security > Diagnostics & feedback > View diagnostic data), so on most systems it will not be present.

References/Tools:
https://github.com/AndrewRathbun/EventTranscript.db-Research
https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript
https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/diving-deeper-into-eventtranscript

There are still plenty of gaps, particularly for lesser known artifacts or older operating systems. Input is always welcome!