So what does it track and where are forensic artifacts located? It tracks events associated with Task Bar, for example, when a user runs an application pinned to it. FeatureUsage artifacts are located in NTUSER.DAT registry file under the following key:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

You can find a few subkeys under this key:

Let's look inside every subkey:

AppBadgeUpdated. This subkey keeps track of badge updates for applications on Task Bar. For example, if you use Telegram and get a new message, you can see a red icon on application's badge with number of new messages. So here we can find application's path and the number of badge updates:

AppLaunch. This subkey logs launches of applications, which are pinned to Task Bar. Of course, not every user pins applications, but if he or she does, you'll have a good amount of digital evidence:

AppSwitched. This subkey logs left clicks on Task Bar applications when a user wants to switch from one to another. This subkey is most interesting from a forensic perspective as it may contain a great number of records, which may be the source of evidence of execution:

ShowJumpView. This subkey tracks right clicks on Task Bar applications. A user may do it, for example, to check or open recent files. This may be an additional artifact pointing to most frequently used applications:

TrayButtonClicked. This subkey tracks left clicks on the following Task Bar items: Clock button, Start button, Notification Center button and Search box. As in previous examples, you can see the number of clicks on each item:

Windows registry has always been a good source of digital evidence, and it's always good to have another useful artifact source it may offer. There are many different sources of evidence of execution, but it's always not enough, because you'll never know where you can find the key artifact at your next forensic examination or incident response engagement.