Digital Forensics

Artifact locations - Digital Forensics

The Artifact Locations - Digital Forensics article provides an overview of critical locations and types of digital artifacts that forensic investigators examine during investigations. These artifacts include system logs, registry entries, temporary files, browser history, and network connections. The article discusses how these artifacts can provide insights into user activities, system events, and potential security breaches. It emphasizes the importance of understanding where and how digital evidence is stored across various devices and operating systems to effectively uncover and analyze relevant data during a forensic investigation.

Digital Forensics Artifacts Repository

Installation instructions for Digital Forensics Artifacts Repository

pip

Note that using pip outside a virtualenv is not recommended, since it bypasses your system's package manager. This is not an option if you aren't comfortable debugging package installation issues.

Create and activate a virtualenv:

    virtualenv artifactsenv
    cd artifactsenv
    source ./bin/activate

Upgrade pip and install Forensics Artifacts dependencies:

    pip install --upgrade pip
    pip install artifacts

To deactivate the virtualenv run:

    deactivate

Ubuntu 18.04 and 20.04 LTS

To install Forensics Artifacts from the GIFT Personal Package Archive (PPA):

    sudo add-apt-repository ppa:gift/stable

Update and install Forensics Artifacts:

    sudo apt-get update
    sudo apt-get install python3-artifacts

Windows

The l2tbinaries repository contains the packages needed to run Forensics Artifacts. l2tbinaries provides the following branches:

  • main; branch intended for the “packaged release” of Forensics Artifacts and dependencies;

  • dev; branch intended for the “development release” of Forensics Artifacts;

  • testing; branch intended for testing newly created packages.

The l2tdevtools project provides an update script to ease the process of keeping the dependencies up to date.

The script requires pywin32 and Python WMI.

To install the release versions of the dependencies run:

    set PYTHONPATH=.
    C:\Python38\python.exe tools\update.py --preset artifacts

Artifact locations

A large number of forensic artifacts are known for a variety of operating systems.

Because they are described in a common YAML format, many of them are collected in the Digital Forensics Artifact Repository, where they can be consumed by both people and machines.

ForensicArtifacts

One thing you can do is parse this repository for items of interest and immediately list the locations worth examining. For instance, if you have the PowerShell ConvertFrom-Yaml cmdlet available, you can query the YAML directly.

Get an object of forensic artifacts:

    # Invoke-WebRequest is used explicitly; the curl alias is absent on PowerShell Core outside Windows
    $WindowsArtifacts = Invoke-WebRequest -Uri https://raw.githubusercontent.com/ForensicArtifacts/artifacts/master/data/windows.yaml
    # -AllDocuments returns one hashtable per YAML document, i.e. one per artifact
    $obj = ConvertFrom-Yaml $WindowsArtifacts.Content -AllDocuments

Now that the data is in a usable form, the loop below shows the key information about each artifact at a glance.

    foreach ($Artifact in $obj) {
        # Each YAML document describes one artifact, so read the fields
        # from the current element rather than indexing into $obj by position
        [pscustomobject][ordered]@{
            Name        = $Artifact.name
            Description = $Artifact.doc
            References  = $Artifact.urls
            Attributes  = $Artifact.sources.attributes
        } | Format-List
    }

Query object for relevant registry keys:

    # Use the indexer for 'keys': dot notation resolves to the hashtable's own Keys property
    $obj.sources.attributes | ForEach-Object { $_['keys'] } | Select-String "HKEY"
    $obj.sources.attributes.key_value_pairs

Query object for relevant file paths:

    $obj.sources.attributes.paths
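As an added example (not code from the original post or from the ForensicArtifacts project), the function below flattens every source of every artifact into one row per registry key or file path, so the locations for one artifact can be selected by name or filtered with Where-Object. It assumes the powershell-yaml module provides ConvertFrom-Yaml, and the embedded YAML is a constructed, abbreviated sample in the repository's format standing in for data/windows.yaml.

```powershell
# Added example; assumes the powershell-yaml module supplies ConvertFrom-Yaml.
Import-Module powershell-yaml
# Constructed, abbreviated sample in the repository's format; in practice
# pass the content of data/windows.yaml (or any other data/*.yaml) instead.
$Yaml = @'
name: WindowsRunKeys
doc: Windows Run and RunOnce registry keys.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
    - 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run'
    - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
supported_os: [Windows]
---
name: WindowsPrefetchFiles
doc: Windows Prefetch files.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_systemroot%%\Prefetch\*.pf']
    separator: '\'
supported_os: [Windows]
'@
function Get-ArtifactLocation {
    # Flatten every source of every artifact into one row per location.
    param(
        [Parameter(Mandatory)][string]$YamlText,
        [string]$Filter = '*'   # wildcard matched against the artifact name
    )
    foreach ($Artifact in (ConvertFrom-Yaml -Yaml $YamlText -AllDocuments)) {
        if ($Artifact['name'] -notlike $Filter) { continue }
        foreach ($Source in $Artifact['sources']) {
            $attr = $Source['attributes']
            # Indexer, not dot notation: 'keys' collides with the hashtable's Keys property
            $locations = @($attr['keys']) + @($attr['paths']) | Where-Object { $_ }
            foreach ($loc in $locations) {
                [pscustomobject]@{
                    Artifact = $Artifact['name']
                    Type     = $Source['type']    # REGISTRY_KEY, FILE, ...
                    Location = $loc
                    OS       = ($Artifact['supported_os'] -join ',')
                }
            }
        }
    }
}
# All locations as a table, then only the Run key artifact(s) by name.
Get-ArtifactLocation -YamlText $Yaml | Format-Table -AutoSize
Get-ArtifactLocation -YamlText $Yaml -Filter 'WindowsRun*'
```

The same pipeline runs unchanged against the real file once `$Yaml` is replaced with `$WindowsArtifacts.Content` from the download step above.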

To be continued…
