
Artifact locations - Digital Forensics

The Artifact Locations - Digital Forensics article provides an overview of critical locations and types of digital artifacts that forensic investigators examine during investigations. These artifacts include system logs, registry entries, temporary files, browser history, and network connections. The article discusses how these artifacts can provide insights into user activities, system events, and potential security breaches. It emphasizes the importance of understanding where and how digital evidence is stored across various devices and operating systems to effectively uncover and analyze relevant data during a forensic investigation.

Digital Forensics Artifacts Repository

🔍 Artifact Locations - Digital Forensics

Digital forensics relies heavily on identifying, extracting, and analyzing artifacts from various locations within a system. These artifacts provide critical insights into user behavior, system events, and potential breaches.

🛠️ Installation Instructions for Digital Forensics Artifacts Repository

The pip package manager simplifies installation but is best used within a virtual environment.

  1. Create and activate a virtual environment:

    virtualenv artifactsenv
    cd artifactsenv
    source ./bin/activate
    
  2. Upgrade pip and install dependencies:

    pip install --upgrade pip
    pip install artifacts
    
  3. Deactivate the virtual environment when done:

    deactivate
    

On Ubuntu 18.04 and 20.04 LTS

Use the GIFT Personal Package Archive (PPA) for streamlined installation.

  1. Add the GIFT PPA:

    sudo add-apt-repository ppa:gift/stable
    
  2. Update and install artifacts:

    sudo apt-get update
    sudo apt-get install python3-artifacts
    

On Windows

Leverage the l2tbinaries repository, which contains packages for Forensics Artifacts and dependencies.

  1. Branches available in l2tbinaries:

    • Main: Stable release for production.
    • Dev: Development branch for testing features.
    • Testing: Used for newly created packages.
  2. Prerequisites: Install pywin32 and Python WMI.

  3. Run the update script to install dependencies:

    set PYTHONPATH=.
    C:\Python38\python.exe tools\update.py --preset artifacts
    

📂 Key Artifact Locations

🌍 Windows Artifacts

Windows systems store a wealth of forensic evidence. Some key locations include:

  1. Registry Keys:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  2. Log Files:

    • System Logs: %SystemRoot%\System32\Winevt\Logs
    • Security Logs: %SystemRoot%\Security\Logs
  3. Browser History:

    • Chrome: C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History
    • Edge: C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\Default\History
  4. Prefetch Files:

    • Location: C:\Windows\Prefetch
    • Purpose: Tracks recently executed applications.

🖥️ macOS Artifacts

macOS stores artifacts differently than Windows. Key locations include:

  1. User Activity Logs:

    • ~/Library/Logs
    • /private/var/log/
  2. Keychains:

    • Securely stored credentials: ~/Library/Keychains
  3. System Preferences and Settings:

    • Plist files: ~/Library/Preferences/com.apple.*.plist
  4. Browser Artifacts:

    • Safari: ~/Library/Safari
    • Chrome: ~/Library/Application Support/Google/Chrome/Default

🐧 Linux Artifacts

Linux systems follow a hierarchical file structure, with key artifacts located at:

  1. Log Files:

    • General Logs: /var/log/
    • Authentication Logs: /var/log/auth.log
    • Boot Logs: /var/log/boot.log
  2. User Bash History:

    • Location: ~/.bash_history
  3. System Services:

    • Crontab Jobs: /etc/crontab
    • Running Services: /etc/systemd/system/

📜 Parsing YAML-Based Artifacts

The Digital Forensics Artifact Repository uses a standardized YAML format, making it easier to ingest data programmatically.

  1. Retrieve Artifact Data:

    # Invoke-WebRequest is spelled out: the curl alias is absent in PowerShell 7,
    # where curl runs curl.exe and the result has no .Content property.
    $WindowsArtifacts = (Invoke-WebRequest https://raw.githubusercontent.com/ForensicArtifacts/artifacts/master/data/windows.yaml).Content
    
  2. Parse YAML in PowerShell (ConvertFrom-Yaml comes from the powershell-yaml module; -AllDocuments returns one object per YAML document in the stream):

    # Install-Module powershell-yaml   # once, if the module is not yet present
    $obj = ConvertFrom-Yaml $WindowsArtifacts -AllDocuments
    
  3. Query Registry Keys (only REGISTRY_KEY sources carry a keys list; index the attributes dictionary with ['keys'] rather than .keys, which PowerShell resolves to the dictionary's own Keys property):

    $obj.sources | Where-Object { $_.type -eq 'REGISTRY_KEY' } | ForEach-Object { $_.attributes['keys'] } | Select-String "HKEY"
    
  4. Query File Paths (FILE sources carry a paths list):

    $obj.sources | Where-Object { $_.type -eq 'FILE' } | ForEach-Object { $_.attributes['paths'] }
    
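The same query in Python, as an added example that is not code from the article or from the artifacts project. It takes the artifact definitions in the object form that a YAML loader (PyYAML's yaml.safe_load_all, or ConvertFrom-Yaml -AllDocuments above) produces, filters sources by type and supported_os, and expands the repository's %%variable%% knowledge-base placeholders into concrete paths. The definitions below are constructed to follow the repository's layout (name / doc / sources / supported_os) and cover the Windows and Linux locations listed in the Key Artifact Locations section; they are not copied from the repository's data files, and the knowledge-base values are assumed sample values.

```python
"""Turn ForensicArtifacts-style definitions into a per-OS collection plan.

Added example, not the article's or the artifacts project's code. ARTIFACTS is
a constructed sample in the object form a YAML loader would return; the
%%name%% placeholders follow the repository's knowledge-base convention.
"""
import re

ARTIFACTS = [  # constructed sample definitions, one dict per YAML document
    {
        "name": "WindowsRunKeys",
        "doc": "Programs started at logon (constructed sample).",
        "sources": [{"type": "REGISTRY_KEY", "attributes": {"keys": [
            r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run",
        ]}}],
        "supported_os": ["Windows"],
    },
    {
        "name": "WindowsEventLogs",
        "doc": "Event log files (constructed sample).",
        "sources": [{"type": "FILE", "attributes": {
            "paths": [r"%%environ_systemroot%%\System32\Winevt\Logs\*.evtx"],
            "separator": "\\"}}],
        "supported_os": ["Windows"],
    },
    {
        "name": "LinuxAuthLogs",
        "doc": "Authentication logs (constructed sample).",
        "sources": [{"type": "FILE", "attributes": {
            "paths": ["/var/log/auth.log", "/var/log/secure"]}}],
        "supported_os": ["Linux"],
    },
    {
        "name": "BashHistory",
        "doc": "Per-user shell history (constructed sample).",
        "sources": [{"type": "FILE", "attributes": {
            "paths": ["%%users.homedir%%/.bash_history"]}}],
        "supported_os": ["Linux", "Darwin"],
    },
]

PLACEHOLDER = re.compile(r"%%[\w.]+%%")  # an unexpanded knowledge-base variable


def select_sources(artifacts, source_type, os_name=None):
    """Yield (artifact name, attributes) for sources of one type, optionally
    limited to definitions whose supported_os lists os_name."""
    for artifact in artifacts:
        if os_name and os_name not in artifact.get("supported_os", []):
            continue
        for source in artifact.get("sources", []):
            if source.get("type") == source_type:
                yield artifact["name"], source.get("attributes", {})


def registry_keys(artifacts, os_name="Windows"):
    return [k for _, attrs in select_sources(artifacts, "REGISTRY_KEY", os_name)
            for k in attrs.get("keys", [])]


def file_paths(artifacts, os_name=None):
    return [p for _, attrs in select_sources(artifacts, "FILE", os_name)
            for p in attrs.get("paths", [])]


def expand(path, knowledge_base):
    """Replace %%var%% placeholders; a variable with several values (one per
    user, say) yields one path per value. Unknown variables are left in place."""
    results = [path]
    for var, values in knowledge_base.items():
        token = f"%%{var}%%"
        values = [values] if isinstance(values, str) else list(values)
        expanded = []
        for r in results:
            expanded.extend(r.replace(token, v) for v in values) if token in r else expanded.append(r)
        results = expanded
    return results


def collection_plan(artifacts, os_name, knowledge_base):
    """Split FILE paths into concrete (artifact, path) pairs and pairs that still
    contain a placeholder, so nothing is silently skipped during collection."""
    concrete, unresolved = [], []
    for name, attrs in select_sources(artifacts, "FILE", os_name):
        for raw in attrs.get("paths", []):
            for path in expand(raw, knowledge_base):
                (unresolved if PLACEHOLDER.search(path) else concrete).append((name, path))
    return concrete, unresolved


if __name__ == "__main__":
    kb = {"users.homedir": ["/home/alice", "/root"]}  # assumed sample values
    concrete, unresolved = collection_plan(ARTIFACTS, "Linux", kb)
    for name, path in concrete:
        print(f"collect    {path}  ({name})")
    for name, path in unresolved:
        print(f"unresolved {path}  ({name})")
```

Paths that still carry a placeholder after expansion are reported separately rather than dropped; on a real collection that list is the cue to populate the missing knowledge-base value (user home directories, %SystemRoot%) before running.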

🔍 Practical Forensic Techniques

  1. Search for Recent Activity: Use system logs to identify the latest activity:

    grep -i "user login" /var/log/auth.log
    
  2. Identify Suspicious Network Connections:

    netstat -an | grep ESTABLISHED
    
  3. Analyze Deleted Files (Linux):

    extundelete /dev/sda1 --restore-all
    
  4. Correlate Timestamps: Cross-check timestamps from logs, file metadata, and registry entries.
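Steps 1 and 4 above carried through in Python, as an added example that is not code from the article: it parses auth.log lines into timestamped events, flags a successful login that follows a burst of failures from the same source, and pairs file modification times with the logins and sudo commands that preceded them. The log lines, the year (auth.log lines carry none), the IP addresses and the file modification times are all constructed for the demo; on a real system the mtimes come from os.stat on the collected files.

```python
"""auth.log parsing and timestamp correlation (added example, not from the article).

AUTH_LOG and FILE_MTIMES are constructed samples; the year is assumed because
syslog-style lines do not record one.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
Mar  3 09:10:41 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 09:10:44 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 09:10:49 web01 sshd[2214]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 09:11:02 web01 sshd[2219]: Accepted password for bob from 198.51.100.7 port 40141 ssh2
Mar  3 09:11:03 web01 sshd[2219]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  3 09:12:30 web01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/crontab
Mar  3 10:05:17 web01 sshd[2301]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
"""

FILE_MTIMES = {  # constructed; in practice datetime.fromtimestamp(os.stat(p).st_mtime)
    "/etc/crontab": datetime(2024, 3, 3, 9, 12, 41),
    "/var/log/lastlog": datetime(2024, 3, 3, 10, 5, 18),
}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text, year=2024):
    """Return events sorted by time: dicts with ts, kind, user, ip, detail."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        ev = {"ts": ts, "kind": "other", "user": None, "ip": None, "detail": msg}
        ssh = SSH_RE.match(msg) if m["proc"] == "sshd" else None
        sudo = SUDO_RE.match(msg) if m["proc"] == "sudo" else None
        if ssh:
            ev.update(kind="ssh_ok" if ssh["result"] == "Accepted" else "ssh_fail",
                      user=ssh["user"], ip=ssh["ip"])
        elif sudo:
            ev.update(kind="sudo", user=sudo["user"], detail=sudo["cmd"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_then_succeeded(events, threshold=3, window=timedelta(minutes=10)):
    """Successful logins from a source that accumulated at least `threshold`
    failures within `window` beforehand: (ip, user, time, failure count)."""
    failures = defaultdict(list)
    hits = []
    for ev in events:
        if ev["kind"] == "ssh_fail":
            failures[ev["ip"]].append(ev["ts"])
        elif ev["kind"] == "ssh_ok":
            recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((ev["ip"], ev["user"], ev["ts"], len(recent)))
    return hits


def correlate(events, file_mtimes, window=timedelta(minutes=5)):
    """Pair each file modification with the logins and sudo commands recorded
    up to `window` before it: (path, event kind, user, event time)."""
    hits = []
    for path, mtime in sorted(file_mtimes.items(), key=lambda kv: kv[1]):
        for ev in events:
            if ev["kind"] in ("ssh_ok", "sudo") and ev["ts"] <= mtime <= ev["ts"] + window:
                hits.append((path, ev["kind"], ev["user"], ev["ts"]))
    return hits


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for ev in events:
        print(ev["ts"].isoformat(), ev["kind"], ev["user"] or "-", ev["ip"] or "-", ev["detail"])
    print("failures followed by success:", failed_then_succeeded(events))
    print("file changes near activity:", correlate(events, FILE_MTIMES))
```

Both checks work on the sorted event list rather than on raw lines, so the same functions apply to other sources that carry a timestamp; the year assumption matters at a year boundary, where a January line following a December one needs the year rolled forward.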


🛡️ Best Practices for Artifact Handling

  1. Preserve Evidence: Always use a write-blocker when analyzing storage devices.

  2. Document Actions: Maintain a clear log of all actions performed during the investigation.

  3. Verify Integrity: Use hashing tools like md5sum or shasum to confirm data integrity.

  4. Leverage Automation: Use tools like PowerShell scripts or Python for efficient artifact extraction.
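Practices 2 and 3 in Python, as an added example that is not code from the article: it streams each evidence file through SHA-256 and MD5 (the digests behind shasum and md5sum), writes them to a JSON manifest, re-verifies the files against it, and appends every action to a timestamped case log. The evidence files are constructed in a temporary directory for the demo; the file names and the manifest layout are assumptions of this example.

```python
"""Evidence integrity manifest with an action log (added example, not from the article).

The demo files are constructed in a temporary directory; the names and the
manifest format are this example's own choices.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so a disk image never sits in memory


def digest_chunks(chunks, algorithms=("sha256", "md5")):
    """Feed an iterable of byte chunks through every requested algorithm at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("sha256", "md5")):
    return digest_chunks([data], algorithms)


def hash_file(path, algorithms=("sha256", "md5")):
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(CHUNK_SIZE), b""), algorithms)


class CaseLog:
    """Append-only record of what was done and when (UTC), one tab-separated line per action."""

    def __init__(self, path):
        self.path = path

    def record(self, action, detail):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(f"{stamp}\t{action}\t{detail}\n")

    def entries(self):
        with open(self.path, encoding="utf-8") as f:
            return [line.rstrip("\n").split("\t") for line in f]


def build_manifest(paths, manifest_path, log):
    """Hash every item and store the digests keyed by file name."""
    manifest = {os.path.basename(p): hash_file(p) for p in paths}
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    log.record("hash", f"{len(manifest)} item(s) recorded in {manifest_path}")
    return manifest


def verify_manifest(paths, manifest_path, log):
    """Return the names whose current digests differ from, or are missing in, the manifest."""
    with open(manifest_path, encoding="utf-8") as f:
        manifest = json.load(f)
    problems = []
    for p in paths:
        name = os.path.basename(p)
        expected = manifest.get(name)
        if expected is None or hash_file(p) != expected:
            problems.append(name)
    log.record("verify", "ok" if not problems else "MISMATCH: " + ", ".join(problems))
    return problems


def demo():
    """Hash two constructed files, verify, alter one copy, verify again."""
    with tempfile.TemporaryDirectory() as work:
        items = [os.path.join(work, "disk-image.bin"), os.path.join(work, "memory.raw")]
        with open(items[0], "wb") as f:
            f.write(b"constructed disk image\n" * 1000)
        with open(items[1], "wb") as f:
            f.write(b"constructed memory capture\n" * 1000)
        log = CaseLog(os.path.join(work, "case.log"))
        manifest_path = os.path.join(work, "manifest.json")
        build_manifest(items, manifest_path, log)
        before = verify_manifest(items, manifest_path, log)
        with open(items[1], "ab") as f:  # simulate a copy altered after acquisition
            f.write(b"x")
        after = verify_manifest(items, manifest_path, log)
        return before, after, [entry[1] for entry in log.entries()]


if __name__ == "__main__":
    before, after, actions = demo()
    print("mismatches before alteration:", before)
    print("mismatches after alteration: ", after)
    print("logged actions:", actions)
```

Hashing both algorithms in one pass keeps the cost of a large image to a single read, and recording the manifest and the log next to each other gives a later examiner the digests and the sequence of actions that produced them.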


🔗 Additional Resources


Unlock the secrets of digital evidence by mastering artifact locations and analysis techniques. 🕵️‍♂️💻

