Artifact locations - Digital Forensics
The Artifact Locations - Digital Forensics article provides an overview of critical locations and types of digital artifacts that forensic investigators examine during investigations. These artifacts include system logs, registry entries, temporary files, browser history, and network connections. The article discusses how these artifacts can provide insights into user activities, system events, and potential security breaches. It emphasizes the importance of understanding where and how digital evidence is stored across various devices and operating systems to effectively uncover and analyze relevant data during a forensic investigation.
![Digital Forensics Artifacts Repository](/_astro/artifacts.8bb5ebcf_eIbf.webp)
Installation instructions for Digital Forensics Artifacts Repository
pip
Note that using pip outside a virtualenv is not recommended, since it ignores your system's package manager. If you aren't comfortable debugging package installation issues, this is not the option for you.
Create and activate a virtualenv:
```shell
virtualenv artifactsenv
cd artifactsenv
source ./bin/activate
```
Upgrade pip and install Forensics Artifacts dependencies:
```shell
pip install --upgrade pip
pip install artifacts
```
To deactivate the virtualenv run:
```shell
deactivate
```
Ubuntu 18.04 and 20.04 LTS
To install Forensics Artifacts from the GIFT Personal Package Archive (PPA):
```shell
sudo add-apt-repository ppa:gift/stable
```
Update and install Forensics Artifacts:
```shell
sudo apt-get update
sudo apt-get install python3-artifacts
```
Windows
The l2tbinaries project contains the necessary packages for running Forensics Artifacts. l2tbinaries provides the following branches:
- main; branch intended for the “packaged release” of Forensics Artifacts and dependencies;
- dev; branch intended for the “development release” of Forensics Artifacts;
- testing; branch intended for testing newly created packages.
The l2tdevtools project provides an update script to ease the process of keeping the dependencies up to date.
The script requires pywin32 and Python WMI.
To install the release versions of the dependencies run:
```bat
set PYTHONPATH=.
C:\Python38\python.exe tools\update.py --preset artifacts
```
Artifact locations
A large number of forensic artifacts are known for a variety of operating systems.
Because they share a common YAML format, many of them are covered by the Digital Forensics Artifact Repository and can be consumed by both people and machines.
One useful thing you can do is parse this for items of interest and immediately output the locations to examine. For instance, if you have the PowerShell ConvertFrom-Yaml module (from the powershell-yaml module), you can query the repository's data directly.
Get an object of forensic artifacts:
```powershell
# Requires the powershell-yaml module: Install-Module powershell-yaml
# Invoke-WebRequest is used explicitly; the curl alias is Windows-only in PowerShell
$WindowsArtifacts = Invoke-WebRequest -Uri https://raw.githubusercontent.com/ForensicArtifacts/artifacts/master/data/windows.yaml
# windows.yaml holds many documents separated by ---, so ask for all of them
$obj = ConvertFrom-Yaml $WindowsArtifacts.Content -AllDocuments
```
Now that it is in a format we can use, the information below will be visible at a glance.
```powershell
# $obj is a list with one hashtable per artifact definition; read each
# artifact's own fields rather than indexing the flattened member arrays,
# which go out of step as soon as one definition lacks a field (e.g. urls)
foreach ($Artifact in $obj) {
    [pscustomobject][ordered]@{
        Name        = $Artifact.name
        Description = $Artifact.doc
        References  = $Artifact.urls
        Attributes  = $Artifact.sources.attributes
    } | Format-List
}
```
Query object for relevant registry keys:
```powershell
$obj.sources.attributes.keys | Select-String "HKEY"
$obj.sources.attributes.key_value_pairs
```
Query object for relevant file paths:
```powershell
$obj.sources.attributes.paths
```
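The same load, iterate and query workflow in Python, the language the artifacts package itself is written in, as an added example that is not code from this article or from the ForensicArtifacts project. The SAMPLE_ARTIFACTS list is constructed sample data in the shape that PyYAML's yaml.safe_load_all() returns for the repository's windows.yaml (one dict per YAML document); its artifact names, keys, paths and reference URL are illustrative, and the %%...%% tokens are the knowledge-base parameters the artifact format uses for per-host values. load_artifacts_from_yaml() assumes PyYAML is installed; everything else runs offline. It goes beyond the PowerShell snippets above in that it keeps the owning artifact name with each location, handles keys, paths and key/value pairs in one pass, filters by supported_os, and lists the parameters that must be resolved on the target host before any of these locations can be collected.

```python
"""Query ForensicArtifacts-style definitions for registry keys and file paths.

Added example, not code from the article or the ForensicArtifacts project.
SAMPLE_ARTIFACTS is constructed sample data in the shape yaml.safe_load_all()
returns for the repository's data/windows.yaml; its contents are illustrative.
"""
import re
from collections import defaultdict

# Knowledge-base parameters such as %%users.sid%% stand in for per-host values
# in the artifact format and must be resolved before collection.
PARAM_RE = re.compile(r"%%([A-Za-z0-9_.]+)%%")

SAMPLE_ARTIFACTS = [  # constructed sample data
    {
        "name": "WindowsRunKeys",
        "doc": "Run keys commonly used for persistence.",
        "sources": [{
            "type": "REGISTRY_KEY",
            "attributes": {"keys": [
                r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run",
                r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
            ]},
        }],
        "supported_os": ["Windows"],
        "urls": ["https://example.invalid/run-keys"],  # placeholder reference
    },
    {
        "name": "WindowsPrefetch",
        "doc": "Prefetch files recording program execution.",
        "sources": [{
            "type": "FILE",
            "attributes": {"paths": [r"%%environ_systemroot%%\Prefetch\*.pf"]},
        }],
        "supported_os": ["Windows"],
    },
    {
        "name": "WindowsCodePage",
        "doc": "System code page, stored as a registry value.",
        "sources": [{
            "type": "REGISTRY_VALUE",
            "attributes": {"key_value_pairs": [{
                "key": r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CodePage",
                "value": "ACP",
            }]},
        }],
        "supported_os": ["Windows"],
    },
    {
        "name": "LinuxShellHistory",
        "doc": "Per-user shell history files.",
        "sources": [{"type": "FILE",
                     "attributes": {"paths": ["%%users.homedir%%/.bash_history"]}}],
        "supported_os": ["Linux"],
    },
]


def load_artifacts_from_yaml(text):
    """Parse the repository's multi-document YAML (assumes PyYAML is installed)."""
    import yaml  # imported here so the sample data works without PyYAML
    return [doc for doc in yaml.safe_load_all(text) if doc]


def summarize(artifact):
    """Same fields as the article's [pscustomobject]: Name, Description, References, Attributes."""
    return {
        "Name": artifact.get("name"),
        "Description": artifact.get("doc", "").strip(),
        "References": artifact.get("urls", []),
        "Attributes": [s.get("attributes", {}) for s in artifact.get("sources", [])],
    }


def for_os(artifacts, os_name):
    """Keep only definitions that list os_name in supported_os."""
    return [a for a in artifacts if os_name in a.get("supported_os", [])]


def locations_by_type(artifacts):
    """Flatten every source into {source type: [(artifact name, location), ...]}.

    Covers keys, paths and key_value_pairs in one pass (a REGISTRY_VALUE is
    reported as key\\value) and keeps the owning artifact name with each entry.
    """
    out = defaultdict(list)
    for art in artifacts:
        for src in art.get("sources", []):
            attrs = src.get("attributes", {})
            entries = list(attrs.get("keys", [])) + list(attrs.get("paths", []))
            entries += [p["key"] + "\\" + p["value"] for p in attrs.get("key_value_pairs", [])]
            out[src["type"]].extend((art["name"], loc) for loc in entries)
    return dict(out)


def grep_locations(artifacts, pattern):
    """Regex filter over all locations, like piping them through Select-String."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted({loc for locs in locations_by_type(artifacts).values()
                   for _, loc in locs if rx.search(loc)})


def knowledge_base_parameters(artifacts):
    """Distinct %%name%% parameters an analyst must resolve for the target host."""
    found = set()
    for locs in locations_by_type(artifacts).values():
        for _, loc in locs:
            found.update(PARAM_RE.findall(loc))
    return sorted(found)


if __name__ == "__main__":
    windows = for_os(SAMPLE_ARTIFACTS, "Windows")
    for art in windows:
        print(summarize(art))
    print(grep_locations(windows, "HKEY"))
    print(knowledge_base_parameters(SAMPLE_ARTIFACTS))
```

To run it against the real repository, fetch windows.yaml and pass its text to load_artifacts_from_yaml(); the returned list has the same shape as SAMPLE_ARTIFACTS, so the remaining functions work unchanged. The parameter list is the part worth looking at before a collection: every %%users.sid%% or %%environ_systemroot%% must be expanded from the host's knowledge base, and a location left unexpanded is one the collector silently misses.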
To be continued…