People who have been following me long enough should know by now how much I love these nitty-gritty details of forensics, the little breadcrumbs that give you critical clues about your ongoing case.
My colleagues Andreas Klaus and Bruno Koehle recently worked on a misconduct case involving an employee suspected of installing a residential proxy on a workstation. There were little traces left, as the relevant software had been purged before the investigation. However, there was one critical hint, an XML task file inside the folder: C:\Windows\System32\Tasks_Migrated. You read that right.
The Tasks_Migrated folder is a system-generated backup and staging directory. It is not a default folder in a clean, fresh Windows installation. Instead, it is created automatically by the Windows upgrade engine (Setup/Migration routines) during a major OS upgrade, such as moving from Windows 10 to Windows 11, or applying a major Windows Feature Update.
Its primary purpose is to safely back up existing Windows Task Scheduler jobs before the OS modifies the system state, ensuring that user-defined and third-party software tasks are not permanently lost if the migration fails or the tasks become incompatible with the new build.
I guess the upgrade process goes something like this:
1) The migration engine duplicates the contents of the live \Tasks folder into \Tasks_Migrated.
2) The engine then attempts to register and import these tasks into the new operating system environment.
3) If a task successfully migrates, it is placed back into the active \Tasks folder and properly linked in the TaskCache registry hive.
4) The Tasks_Migrated folder is left behind. It effectively becomes an inert graveyard of historical scheduled tasks as they existed at the exact moment the upgrade was initiated.
This is purely speculative; I haven't tested it out in a lab. However, isn't it super interesting how many places you can find artifacts that could help you solve your case? That's why I love digital forensics so much :)
