The Background Activity Moderator (BAM) represents a key Windows execution artifact of significant forensic value, frequently examined in conjunction with the Desktop Activity Moderator (DAM) owing to their closely aligned telemetry and data structures.
BAM was first introduced in Windows 10 build 1709 (Fall Creators Update) and persists in the overwhelming majority of contemporary Windows 10 and Windows 11 deployments. Operating under user context, it records the full executable path along with the last execution timestamp, typically stored in FILETIME format. The primary registry location is HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}, with analogous structures for DAM.
Microsoft designates DAM as a core element of the Modern Standby (S0 Low-Power Idle) power management architecture. This framework enables the suspension and throttling of desktop application activity to extend battery life on compatible hardware while permitting background processes to maintain limited functionality—mirroring the behavior of mobile operating systems during screen-off states. Modern Standby support is hardware-dependent and is largely confined to ultra-portable laptops and tablet-class devices; it is unavailable or minimally implemented on many traditional desktop and workstation systems. Consequently, DAM population tends to be more robust on Modern Standby-capable platforms and may be sparse or absent on standard desktops.
Both BAM and DAM keys generate comparable execution metadata when active, furnishing digital forensics practitioners with reliable indicators of program activity. Registry updates are commonly flushed or synchronized during boot sequences or specific system events rather than written in real time for every execution, so the recorded timestamp can lag the actual launch.
Empirical analysis by Maxim Suhanov has documented that BAM entries are subject to automated pruning after approximately seven days of inactivity. Windows Store (UWP/modern) applications are typically exempted from this routine cleanup operation and demonstrate substantially longer retention periods. Additional nuances include the purging of BAM records associated with deleted executables upon the subsequent system reboot. Importantly, no BAM entries are created for binaries executed from network shares or removable media, a limitation that examiners must account for during timeline reconstruction and artifact correlation.
These characteristics—combined with the retention policies, hardware dependencies, and environmental constraints—position BAM and DAM as valuable corroborative artifacts for establishing recent program execution. They are routinely cross-referenced with other execution evidence sources such as Prefetch, ShimCache, Amcache, and SRUM in comprehensive forensic examinations.
In the example above, the Background Activity Moderator (BAM) key yields compelling evidence of program execution. Registry Explorer (or an equivalent hive analysis tool) surfaces the full executable path alongside the last execution timestamp for each entry, with the temporal data stored as a 64-bit Windows FILETIME value within the respective value data. Observed artifacts include executed applications such as Windows Explorer, Microsoft Word, Microsoft Excel, Microsoft PowerPoint, WinRAR, and KAPE.
It is noteworthy that, although the BAM and DAM keys reside within the Windows System registry hive, the underlying data is scoped to individual user profiles through the associated Security Identifier (SID). Forensic researchers have documented temporal discrepancies in these timestamps, which may deviate by up to several minutes from actual execution events. Consistent with best practices in digital forensics, findings derived from BAM/DAM should be systematically cross-referenced against complementary execution artifacts—such as Prefetch, UserAssist, ShimCache, Amcache, and SRUM—to construct a more accurate, corroborated timeline of activity.
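The following script is an added example, not code from the original post or from Registry Explorer: it decodes BAM path entries of the layout described above (value name = executable path, first 8 bytes of the value data = little-endian FILETIME) from a constructed snapshot of a UserSettings\{SID} key, and applies the roughly seven-day inactivity window to show which non-UWP entries are due for cleanup. The SID, paths and timestamps are made up; treating the "Version" and "SequenceNumber" values as housekeeping and the "!" suffix as the UWP marker are assumptions stated in the comments.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HOUSEKEEPING_VALUES = {"Version", "SequenceNumber"}  # DWORDs stored beside the path entries

def filetime_to_utc(ft):
    # FILETIME counts 100-ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def make_bam_value(dt):
    # Constructed 24-byte REG_BINARY: little-endian FILETIME, then 16 bytes left zeroed here
    return struct.pack("<Q", utc_to_filetime(dt)) + b"\x00" * 16

def parse_bam_entries(sid, values):
    # values: {value name: raw data} as read from ...\bam\State\UserSettings\{SID}
    entries = []
    for name, data in values.items():
        if name in HOUSEKEEPING_VALUES or len(data) < 8:
            continue
        (ft,) = struct.unpack_from("<Q", data, 0)
        entries.append({"sid": sid, "path": name, "last_run": filetime_to_utc(ft),
                        # assumption: Store/UWP entries are AUMID-style names with a "!" suffix
                        "uwp": "!" in name})
    return sorted(entries, key=lambda e: e["last_run"])

def expected_pruned(entries, hive_time, days=7):
    # Non-UWP entries idle for about seven days before the hive snapshot are due for cleanup;
    # UWP entries are typically exempt and are therefore not reported
    cutoff = hive_time - timedelta(days=days)
    return [e["path"] for e in entries if not e["uwp"] and e["last_run"] < cutoff]

# Constructed sample key contents; the SID, paths and times are invented for this example
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
HIVE_TIME = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)  # assumed hive last-write time
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
    r"\Device\HarddiskVolume3\Windows\explorer.exe": make_bam_value(HIVE_TIME - timedelta(hours=3)),
    r"\Device\HarddiskVolume3\Program Files\WinRAR\WinRAR.exe": make_bam_value(HIVE_TIME - timedelta(days=9)),
    "Microsoft.Windows.Photos_8wekyb3d8bbwe!App": make_bam_value(HIVE_TIME - timedelta(days=30)),
}

if __name__ == "__main__":
    parsed = parse_bam_entries(SAMPLE_SID, SAMPLE_VALUES)
    for e in parsed:
        print(f"{e['last_run']:%Y-%m-%d %H:%M:%S} UTC  {e['sid']}  {e['path']}")
    print("due for 7-day cleanup:", expected_pruned(parsed, HIVE_TIME))
```

Paths come back in the \Device\HarddiskVolumeN form BAM stores them in, so map volume numbers to drive letters from the examined image before correlating with Prefetch or Amcache.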
Why Are BAM/DAM Important in Digital Forensics?
- Persistence After Deletion: BAM can preserve evidence of program execution even after an application has been deleted from the system. However, entries associated with deleted executables are typically purged during the subsequent system reboot (in addition to the standard ~7-day inactivity cleanup).
- Malware and Suspicious Execution Tracking: BAM/DAM entries can provide valuable evidence of when and where a binary was executed (full path + last execution timestamp). This is particularly useful for identifying malware or unauthorized tools. Important limitation: No entries are created for executables running from removable media (e.g., USB drives) or network shares.
- User Activity Reconstruction: Analysts can leverage these artifacts to determine which programs were executed under a specific user context (via SID), when they were last run, and to identify potentially unauthorized or anomalous applications. While BAM primarily tracks execution rather than direct user interaction (e.g., GUI clicks), it serves as a strong indicator of program usage, especially when correlated with artifacts like UserAssist, Prefetch, or SRUM.
Additional Context for Forensic Practitioners
- Retention is generally limited to approximately seven days of inactivity for most entries, though UWP/Modern apps are often exempted and persist longer.
- Data is user-specific (tied to SIDs) despite residing in the System hive.
- Timestamp accuracy may vary by several minutes from actual execution events.
- Always corroborate BAM/DAM findings with complementary execution artifacts for a defensible timeline.
This makes BAM/DAM a high-value, quick-reference artifact for recent execution history in Windows 10/11 investigations.