In Windows 10 v1809 and v1903, BAM stopped updating "\bam\UserSettings" (old entries may still be found there) and now updates "\bam\State\UserSettings". These PowerShell scripts get the data from the new location:
bam.ps1 (parses both locations)
bamoffline1.ps1 (parses both locations)
bam1809.ps1
bamoffline1809.ps1
BAMparser.ps1 - PowerShell script by Matthew Green (original is here) for live parsing of the BAM service key.
bam.ps1 - Modification of the above script to show the results in a pop-up window with timestamps in both UTC and the user's local time.
The user can select all lines (Ctrl+A) or specific lines (Ctrl+click) and copy/paste (Ctrl+C and Ctrl+V) the data to a text file or an MS Excel spreadsheet. The selected lines are also displayed in the console after the user presses the OK button.
bam1.ps1 - 2nd modification of the above script. This one is like bam.ps1 but shows the filename and path in separate columns and 3 different dates: UTC, local time and calculated user time (UTC +/- the Active Time Bias). Information on the time zone, daylight saving and Active Time Bias is in the header.
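The following is an added example, not one of the scripts in this repository: a minimal live parser that reads both BAM key locations mentioned above (the pre-1809 "\bam\UserSettings" and the 1809+ "\bam\State\UserSettings") and reports each entry with the same three timestamps bam1.ps1 produces (UTC, examiner local time, and user time calculated from ActiveTimeBias). Column names and the grid-view output are my own choices; it must be run in an elevated Windows PowerShell console.

```powershell
# Added example (not the repo's code): live BAM parser for both key locations,
# reporting UTC, examiner local time and the examined host's calculated user time.
$bamRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings',        # pre-1809 location
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'   # 1809+ location
)

# ActiveTimeBias (REG_DWORD, minutes) is added to local time to get UTC,
# so host local time = UTC - ActiveTimeBias. PowerShell reads it as a signed Int32.
$tz   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$bias = [int]$tz.ActiveTimeBias
Write-Host ("TimeZone: {0}  ActiveTimeBias: {1} min" -f $tz.TimeZoneKeyName, $bias)

$results = foreach ($root in $bamRoots) {
    if (-not (Test-Path $root)) { continue }           # location absent on this OS build
    foreach ($sidKey in Get-ChildItem $root) {
        $sid = $sidKey.PSChildName
        # Resolve the SID to an account name; keep the raw SID if it cannot be resolved
        try   { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid }
        foreach ($name in $sidKey.GetValueNames()) {
            # 'Version' and 'SequenceNumber' are DWORD housekeeping values, not executables
            if ($name -in @('Version', 'SequenceNumber')) { continue }
            $data = $sidKey.GetValue($name)
            if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
            # The first 8 bytes of the value data are a little-endian FILETIME in UTC
            $utc = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
            [PSCustomObject]@{
                Location     = $root -replace '.*\\Services\\', ''
                User         = $user
                Path         = Split-Path $name -Parent
                Executable   = Split-Path $name -Leaf
                TimeUTC      = $utc
                ExaminerTime = $utc.ToLocalTime()          # this console's time zone
                UserTime     = $utc.AddMinutes(-$bias)     # examined host's local time
            }
        }
    }
}

# Grid view lets the examiner select rows; the selection is echoed to the console
$results | Sort-Object TimeUTC -Descending |
    Out-GridView -Title 'BAM entries (UTC / examiner / user time)' -PassThru |
    Format-Table -AutoSize
```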
bamoffline.ps1 - Offline parser that reads an offline SYSTEM hive and displays the BAM key entries in a pop-up window with timestamps in UTC and in the SYSTEM hive's time zone (calculated from the ActiveTimeBias). It can also read SYSTEM hives directly from logical drives mounted from an FTK image. Note: it must be run in a PowerShell console with Administrator privileges. The script asks the user to select a SYSTEM hive file.
It calculates the SHA256 hash of the SYSTEM hive file and opens it read-only. The results are shown in a pop-up window with timestamps in the user's local time. The user can select all lines (Ctrl+A) or specific lines (Ctrl+click) and copy/paste (Ctrl+C and Ctrl+V) the data to a text file or an MS Excel spreadsheet. The selected lines are also displayed in the console after the user presses the OK button.
After the result window is closed (user presses the OK button), a new SHA256 hash of the SYSTEM hive file is calculated and checked against the original.
bamoffline1.ps1 - Offline parser similar to the above, except that it shows the filename and path in separate columns and 3 different dates: examiner local time, UTC, and calculated user time (UTC +/- the Active Time Bias). Information on the time zone, daylight saving and Active Time Bias is in the header.
Console example:
Documentation of the Background Activity Moderator service key (pdf)
Other References:
Status
- [x] Live Parser
- [x] Offline SYSTEM hive parser