Background Intelligent Transfer Service store some information in qmgr.db database located in the sysvol/ProgramData/Microsoft/Network/Downloader/ folder. This database is in ESE format, but with only two table (Files and Job). These column contains a "blob" of data that must be parsed.
This can be used as an evidence of file upload/download and to investigate persistence.
Before windows 10, database has an another format (qmgr.dat)

References related to this artefact

• https://github.com/fireeye/BitsParser (post win10, support carving)
• https://github.com/ANSSI-FR/bits_parser (pre w10, support carving)
• https://cloud.google.com/blog/topics/threat-intelligence/attacker-use-of-windows-background-intelligent-transfer-service/