akde/infosec

Information security is ultimately about managing risk


Goal: Determine on a system whether a specific executable was executed.

  • Check prefetch files
    • See the Forensic/Analyze blog post
    • Look into the Windows\Prefetch directory, or create an access timeline and scan it for .pf files.
    • Example with WinPrefetchView:
      WinPrefetchView.exe /folder "C:\...\Prefetch" /scomma sorted_by_mtime.csv /sort "Modified Time"
      This creates a CSV file listing all executions of all files for which .pf files were extracted.
    • To see more information about a specific execution: take the .pf file and analyze it with PECmd:
      PECmd.exe -f suspect.pf
      This returns detailed execution information.
  • SRUM (System Resource Usage Monitor)
    • Stores some runtime information
    • Registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions; data persisted on disk in \System32\sru\SRUDB.dat
    • SRUM-DUMP2 or SrumECmd can be used for analysis
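The "access timeline and scan for .pf files" step above, as an added Python example (not code from this site or from WinPrefetchView/PECmd): it parses the EXENAME-HASH.pf naming convention, orders files by modification time, and checks whether a given executable name has a prefetch entry. The sample directory, file names and hashes are constructed for the demo; the mtime is only a proxy for the last run, and the run timestamps embedded in the file body still need PECmd.

```python
import os
import csv
import tempfile
from datetime import datetime, timezone

def parse_pf_name(filename):
    """'NOTEPAD.EXE-D8414F97.pf' -> ('NOTEPAD.EXE', 'D8414F97'); rsplit on the
    last dash keeps executables whose own name contains dashes intact."""
    if not filename.lower().endswith(".pf") or "-" not in filename[:-3]:
        return None
    exe, path_hash = filename[:-3].rsplit("-", 1)
    return exe.upper(), path_hash.upper()

def prefetch_timeline(prefetch_dir):
    """Rows (mtime_utc, executable, path_hash, filename), newest first.
    mtime is rewritten shortly after each launch, so it approximates the last
    run; the up-to-8 run timestamps inside the file are read by PECmd."""
    rows = []
    for name in os.listdir(prefetch_dir):
        parsed = parse_pf_name(name)
        if parsed is None:          # Layout.ini and other non-.pf files
            continue
        mtime = os.stat(os.path.join(prefetch_dir, name)).st_mtime
        stamp = datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat()
        rows.append((stamp, parsed[0], parsed[1], name))
    rows.sort(reverse=True)
    return rows

def was_executed(prefetch_dir, executable):
    """Every .pf for that name: one entry per distinct launch path (hash)."""
    target = executable.upper()
    return [r for r in prefetch_timeline(prefetch_dir) if r[1] == target]

def write_csv(rows, out_path):
    """Same shape as the WinPrefetchView CSV: one line per .pf file."""
    with open(out_path, "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["mtime_utc", "executable", "path_hash", "pf_file"])
        w.writerows(rows)

def make_sample_prefetch_dir():
    """Constructed sample: empty .pf files with chosen mtimes, made-up hashes."""
    d = tempfile.mkdtemp()
    samples = [("CMD.EXE-4A81B364.pf", 1700000000), ("NOTEPAD.EXE-D8414F97.pf", 1700003600),
               ("NOTEPAD.EXE-9F3A1C22.pf", 1700000900), ("MY-TOOL.EXE-0AB1C2D3.pf", 1699990000),
               ("Layout.ini", 1700000000)]  # notepad from two paths; Layout.ini is skipped
    for name, epoch in samples:
        path = os.path.join(d, name)
        open(path, "wb").close()
        os.utime(path, (epoch, epoch))
    return d
```

Run `write_csv(prefetch_timeline(make_sample_prefetch_dir()), "timeline.csv")` to get a sorted CSV, or point `was_executed` at a copied Prefetch directory on a case image.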

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
