## Introduction

Remember the day Windows 11 was announced. Many forensic investigators and analysts were hoping for a new Windows artifact. The reality, however, was cold as ice. The eminent analyst Eric Zimmerman tweeted the message shown in the next image.

![[IMG_9324.jpeg]]

There were no changes to the artifacts. Some time later, though, an article appeared describing a newly found Windows artifact that records traces of a file being executed and that works on Windows 11. The name of the artifact is PCA. Today we discuss this artifact.

> [!info] New Windows 11 Pro (22H2) Evidence of Execution Artifact! - AboutDFIR - The Definitive Compendium Project
>
> By: Andrew Rathbun and Lucas Gonzalez
> Background: In the last week of December 2022, on the Digital Forensics Discord Server, some discussion was brought up by a member in the \#computer-forensics channel asking if anyone knew a Windows 11 folder path of interest, linked here.
> [https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/](https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/)

## Path

PCA is saved in the following path. It consists of three files; we will go through the role of each.

```
C:\Windows\appcompat\pca
ㄴ PcaAppLaunchDic.txt
ㄴ PcaGeneralDb0.txt
ㄴ PcaGeneralDb1.txt
```

## Data

The introduction did not explain what PCA actually is, so let us cover that before digging into the data PCA holds. PCA is an abbreviation of Program Compatibility Assistant, a Windows function that has existed since long before Windows 11. It is curious that this artifact only became known with Windows 11, given that the PCA function behaves the same way from Windows 8 through Windows 11.

PCA data is easy to handle because it is stored as plain text, unlike the artifacts covered in other articles, which consist of binary (hex) structures. The text contents are logs similar to the files found on Linux servers.

### PcaAppLaunchDic.txt

```
[Process Name] | [Execution Time]
```

Do you see how simple it is?
The name of the process is written together with an execution time. Technically, the time value is the time at which the process started, but the entry is only written to the file when the process terminates. This can be confusing: a process that is still running has no entry yet, and the timestamp you eventually see reflects its start, not its exit. For those who do not follow how PCA handles its data, seeing is better than hearing about it. The original gif is from the article where this artifact was initially introduced; if you would like to read the original article, visit the link given above.

![[Untitled.gif]]

### PcaGeneralDb[%d].txt

```
[Execution Time] | [Status] | [Execution Path] | [Alias] | [Manufacturer] | [Version] | [ProgramID] | [ExitCode]
```

As you can see, `PcaGeneralDb0.txt` carries much more data per record than `PcaAppLaunchDic.txt`. The numbered suffix appears to be used when the previous file has exceeded its designated size. Let us look at the sample data given in the referenced article.

```
2022-05-12 21:32:42.556|2|%USERPROFILE%\appdata\local\githubdesktop\app-2.9.9\resources\app\git\cmd\git.exe|git|the git development community|2.32.0.windows.2|0006ea6a66e62a303f7b974dc4952647a80300000904|Abnormal process exit with code 0x80
```

Two details of this record are worth noting. The execution path uses an environment-variable placeholder (`%USERPROFILE%`) rather than a literal user directory, so it must be resolved against the evidence machine's values before being compared with paths from other artifacts. And the last field is not a bare number but a text description that embeds the exit code (`0x80`).

## Conclusion

This article may feel like a simple summary of the original one, because its main purpose was to introduce a newly discovered artifact in Windows 11. As a simple excuse, the original article researched the artifact thoroughly, and the plain text structure leaves little room to investigate other kinds of data. For those who have read other articles on this site, PCA resembles [[(EN) Prefetch & Superfetch]]. Whereas Prefetch must be parsed before it can be read, PCA can be read directly like a log. This trait makes investigators welcome its availability.
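To make the "read it like a log" point concrete, here is a parser for both PCA files, covering the `PcaAppLaunchDic.txt` and `PcaGeneralDb[%d].txt` layouts described above. This is an added example written for this page, not code from the original post or from the AboutDFIR article. It assumes the timestamp format seen in the page's sample (`YYYY-MM-DD HH:MM:SS.mmm`); the embedded input lines are constructed, except for the `git.exe` record, which is the sample quoted above. `expand_placeholders` resolves `%VAR%` path placeholders against a mapping the analyst supplies, since the values on the evidence machine are not those of the analysis workstation.

```python
"""Parser for the PCA text artifacts PcaAppLaunchDic.txt and PcaGeneralDb[N].txt.

Added example for this page; not code from the original post or AboutDFIR.
Field layouts follow the page; assumptions are marked inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: every timestamp looks like the page sample "2022-05-12 21:32:42.556".
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


@dataclass(frozen=True)
class AppLaunch:
    """One PcaAppLaunchDic.txt line: process name | start time (written at exit)."""
    process: str
    started: datetime


@dataclass(frozen=True)
class GeneralRecord:
    """One PcaGeneralDb[N].txt line: eight pipe-separated fields."""
    started: datetime
    status: int
    path: str
    alias: str
    vendor: str
    version: str
    program_id: str
    exit_text: str

    @property
    def exit_code(self) -> Optional[int]:
        """Extract the hex code from text such as 'Abnormal process exit with code 0x80'."""
        m = re.search(r"0x([0-9A-Fa-f]+)", self.exit_text)
        return int(m.group(1), 16) if m else None


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text.strip(), TS_FORMAT)


def parse_app_launch_dic(lines: Iterable[str]) -> List[AppLaunch]:
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Split from the right: the timestamp never contains '|', a path conceivably could.
        process, sep, ts = line.rpartition("|")
        if not sep or not process:
            raise ValueError(f"malformed PcaAppLaunchDic line: {line!r}")
        out.append(AppLaunch(process, parse_timestamp(ts)))
    return out


def parse_general_db(lines: Iterable[str]) -> List[GeneralRecord]:
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|", 7)  # 8 fields; the exit text keeps any further '|'
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
        ts, status, path, alias, vendor, version, program_id, exit_text = fields
        out.append(GeneralRecord(parse_timestamp(ts), int(status), path, alias,
                                 vendor, version, program_id, exit_text))
    return out


def expand_placeholders(path: str, env: Dict[str, str]) -> str:
    """Resolve %VAR% placeholders using values the analyst supplies for the
    evidence machine; unknown placeholders are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def build_timeline(launches: Iterable[AppLaunch],
                   records: Iterable[GeneralRecord]) -> List[Tuple[datetime, str, str, str]]:
    """Merge both files into one start-time-ordered list of (time, source, path, detail)."""
    events = [(l.started, "PcaAppLaunchDic", l.process, "") for l in launches]
    events += [(r.started, "PcaGeneralDb", r.path, r.exit_text) for r in records]
    return sorted(events)


# Constructed sample input (not real evidence). The git.exe record is the one
# quoted on the page from the AboutDFIR article; the other lines are made up.
APP_LAUNCH_SAMPLE = r"""
C:\Windows\System32\notepad.exe|2022-05-12 21:30:10.123
C:\Users\analyst\Tools\procexp64.exe|2022-05-12 21:31:05.987
"""

GENERAL_DB_SAMPLE = r"""
2022-05-12 21:32:42.556|2|%USERPROFILE%\appdata\local\githubdesktop\app-2.9.9\resources\app\git\cmd\git.exe|git|the git development community|2.32.0.windows.2|0006ea6a66e62a303f7b974dc4952647a80300000904|Abnormal process exit with code 0x80
2022-05-12 21:30:10.123|2|%WINDIR%\system32\notepad.exe|notepad|microsoft corporation|10.0.22621.1|0000f519feec486de87ed73cb92d3cac802400000000|Abnormal process exit with code 0x1
"""


def load_samples() -> Tuple[List[AppLaunch], List[GeneralRecord]]:
    """Parse the embedded samples; returns (launches, records)."""
    return (parse_app_launch_dic(APP_LAUNCH_SAMPLE.splitlines()),
            parse_general_db(GENERAL_DB_SAMPLE.splitlines()))


def main() -> None:
    launches, records = load_samples()
    env = {"USERPROFILE": r"C:\Users\analyst", "WINDIR": r"C:\Windows"}  # assumed values
    for started, source, path, detail in build_timeline(launches, records):
        print(f"{started:%Y-%m-%d %H:%M:%S.%f} {source:<16} {expand_placeholders(path, env)} {detail}")


if __name__ == "__main__":
    main()
```

Because the timestamp in both files is the process start time written at exit, the merged timeline orders records by when each process began, and a process that was still running at acquisition time will be absent from both files.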