Computer artifacts: Exploring metadata, log files, registry data, and more
Computer artifacts are important. Society is becoming increasingly dependent on digital devices and networks, and every file opened, downloaded, or shared leaves a digital footprint on the computer system, regardless of the operating system.
These footprints encompass a wide variety of digital artifacts, including files, logs, and metadata, and examining these artifacts can provide insight into what investigators need most: the who, what, when, where, and how of digital activities.
Although all of these questions are important, the “who” frequently becomes critical as we look for “artifacts of attribution”: evidence that places a specific person at the keyboard at the time the crime was committed.
An artifact-first approach can speed up locating key evidence. Here are a few of the top computer artifacts to look for when exploring digital evidence from computers.
Top computer artifacts
1. “Computer Artifacts of execution”
These are really several different computer artifacts which, taken together, show that a program or process was indeed run by the user of the device. They are remnants left behind by the execution of programs, scripts, applications, or commands on a computer. Here are some of the locations where you can find “artifacts of execution”:
LNK files
LNK files are parsed automatically for you in Magnet Axiom. When a user opens an executable file, Windows creates a corresponding LNK file containing information such as the path to the file and the timestamp of execution. In this example, we were searching for evidence of CCleaner.
A more detailed view of the LNK file:
More information on LNK files can be found at: https://www.magnetforensics.com/blog/forensic-analysis-of-lnk-files/
Prefetch files
Prefetch files, another Windows artifact, are generated by Windows to optimize startup time and system performance. For an investigator, they provide a wealth of information about files that have been executed. These files contain the run count (the number of times the application was run), up to the last eight run times, the application timestamp, and the file path. For the same CCleaner search, we can locate Prefetch files easily in Axiom.
A more detailed view of the parsed Prefetch file:
More information about Prefetch files can be found here: https://www.magnetforensics.com/blog/forensic-analysis-of-prefetch-files-in-windows/
Jump List
Jump list—Windows maintains a history of applications accessed by a user, along with the timestamp of when each was last accessed. This artifact can be particularly useful because records in the Jump List can persist even after the files have been deleted from the system. Jump Lists show not only which documents were accessed but also which applications were frequently used. The combination of LNK files, Prefetch files, and Jump List computer artifacts is powerful for developing a timeline of activities. The Jump List artifact is also parsed in Axiom:
More information about Jump Lists can be found at: Exploring the significance of jump lists in digital forensic examinations – Magnet Forensics
2. “Computer Artifacts of attribution”
These computer artifacts deal with how we attribute a user’s actions to what took place on the computer. It is common for an investigator to hear: “How do we prove this user actually conducted this activity?” Although it can be difficult, Axiom has several features that aid investigators in locating these artifacts of attribution. Here are some of the key locations you can look in Axiom:
Windows User account information
The number of Windows users, their login counts, and their Security Identifiers (SIDs) are all helpful in identifying which user conducted an activity.
Log files
Logs, logs, and more logs—looking at Windows log files can be very intimidating, but they can produce some of the most valuable computer artifacts of attribution. Fortunately, Axiom parses some of the most valuable logs into separate categories, making it easier to review and sort them and to locate that critical piece of evidence. From the user account information above, we found that the Relative Identifier (RID) for the user “Selina” was 1001. Looking at the parsed category Windows Event Logs – User Events, we can locate critical logons and the times they took place:
Now we see a treasure trove of information about when this user logged on and off the system. These can be critical to “putting a user at the keyboard.”
More information can be found in this webinar: Log Analysis – Magnet Forensics
Communications artifacts
The use of communications on a computer can also help identify the user. Axiom parses out user accounts, emails, and other communications into artifact categories to locate critical information more efficiently. In this example, we are looking at information regarding a particular media file. If we switch to the timeline view, we can see events that take place around the time a file was interacted with.
In this case, emails were sent from this computer utilizing the user’s email account. Yet another step in proving who was at the keyboard.
Web history
Web history is another parsed category that can also be viewed in the timeline feature to show activity around a particular date and time. It can also be viewed in the artifact category and help identify user specific activities on the computer. This evidence identifies that Chrome was utilized to log into Office, Facebook, and Gmail accounts, which may provide additional association of this device to a particular user.
File embedded metadata
File embedded metadata is descriptive information stored inside digital files. It contains information such as file attributes, timestamps, authorship, location data, and more. This data is not only found in digital images (EXIF data) but also in common documents such as Microsoft Word, Microsoft Excel, and PDF files. Axiom parses this information into an easily viewed format for every file from which it can extract metadata. In this example, the author and the date of file creation were embedded in the PDF as metadata.
3. “Computer Artifacts of deletion”
These artifacts can provide critical insight into evidence that individuals may have attempted to conceal or destroy. The methods and extent of data deletion can provide clues that allow the reconstruction of actions and intent. Fortunately, Axiom parses out many of these artifacts of deletion and places them into easy-to-review categories.
Recycle Bin
Recycle Bin is one of the most commonly used categories for digital forensic examiners. It contains a wealth of information regarding the deletion of a file. When a user deletes a Windows file, it is placed into the Recycle Bin and split into two files: a $I file and a $R file. The $I file contains the metadata for the deleted file, and the $R file contains the file contents. Axiom parses the files into an easy-to-read format:
From these Recycle Bin files, parsed by Axiom, you can see the Security Identifier of the user (Patrick) who deleted the file, the deletion date and time, and the original file path and name.
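The $I record layout is small enough to parse by hand, which is useful for validating what a tool reports. The following is an added example, not Axiom’s code; the record contents (path, size, deletion time) are constructed for the demonstration, and the layout follows the publicly documented $I format for Windows Vista through 8.1 (version 1) and Windows 10 and later (version 2).

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_i_file(data):
    """Parse one $I record. The deleting user's SID is not stored in the record;
    it is the name of the $Recycle.Bin subfolder that holds the $I/$R pair.
    Layout: 0x00 u64 version | 0x08 u64 original size | 0x10 u64 deletion FILETIME
      version 1 (Vista..8.1): 0x18 fixed 520-byte UTF-16LE path, NUL padded
      version 2 (Windows 10+): 0x18 u32 path length in chars (incl. NUL), then UTF-16LE path
    """
    if len(data) < 0x18:
        raise ValueError("record too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}

def build_i_file(path, size, deleted, version=2):
    """Construct a $I record (test data only, not captured from a real system)."""
    ticks = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    name = path.encode("utf-16-le") + b"\x00\x00"
    body = name.ljust(520, b"\x00") if version == 1 else struct.pack("<I", len(path) + 1) + name
    return struct.pack("<QQQ", version, size, ticks) + body

def sample_records():
    """Constructed $I records in both on-disk versions, carrying the same content."""
    when = datetime(2024, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
    path = r"C:\Users\Patrick\Documents\notes.docx"
    return {v: build_i_file(path, 12345, when, version=v) for v in (1, 2)}

if __name__ == "__main__":
    for version, rec in sample_records().items():
        print(version, parse_i_file(rec))
```

Pointing `parse_i_file` at a real `$I` file read in binary mode gives the same three fields Axiom shows, which makes it a quick cross-check on a parsed record.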
Windows Volume Shadow Copy Service (VSS)
Windows Volume Shadow Copy Service (VSS) creates periodic backups of files. Even if a file is deleted, its previous version may still exist in a shadow copy, providing a snapshot from before the deletion. Axiom can parse these volume shadow copies and display them as normally parsed artifacts. So it isn’t just one artifact; it is all of the artifacts that were archived in the volume shadow copy. This gives the investigator the ability to look back in time at what previously existed on a computer, including files that are now deleted. For example, here is a parsed volume shadow copy in Axiom:
Carved Data/Orphaned Files
Deleted files can be gone but not forgotten, at least in the case of digital forensics. In these two categories of files, Axiom can locate, parse, and present these “deleted” items for review. Carved and orphaned files were deleted by the user and/or the system and are no longer in the Recycle Bin. Orphaned files still have an entry in the Master File Table, but their parent directory no longer exists, so some of the metadata associated with the file can be recovered. In this example, Axiom has recovered a significant percentage of the metadata and even the former parent record for the directory in which the file was housed:
Carved files, however, no longer have associated metadata in the Master File Table. Axiom has searched the disk for particular file signatures and then “carved” out the file. This allows for partial or full file recovery, but with no associated file-system metadata, because the Master File Table record has been deleted or overwritten. An example of a carved file in Axiom:
You can see Axiom provides the physical sector where this file was located. As it was a PDF file, we recovered some internal file metadata. The graphic embedded in the PDF file was:
The value of recovery of both types of “deleted” files can be critical to the digital forensic examination. To learn more about the recovery and parsing of “deleted files” watch this webinar.
Conclusion
Artifacts of execution, attribution, and deletion are key parts of a digital forensic examination for tracing and interpreting user activities on digital devices. In each of these categories, we looked at a few artifacts that Axiom parses in a way that is quick to locate and interpret. Artifacts of execution reveal specific actions taken on a system, artifacts of attribution help connect those actions to a specific user or device, and artifacts of deletion can offer insight into attempts to obscure or remove evidence. This is only a selection of the artifacts critical to digital forensic examination; Axiom’s artifact-based approach organizes the parsed data into formats that are easy to locate and interpret, allowing faster discovery of evidence critical to your case or investigation.
If you want to learn more as an investigator, check out our free portable case training.
In addition, our Justice delivered: That one artifact program highlights cases where specific artifacts were used to close cases. If you have an interesting case that was aided by unique digital artifacts, please don’t hesitate to reach out and tell us about it! We’ll keep you and your agency completely anonymous. Exploring how various types of cases are solved helps new and experienced investigators alike, and provides a knowledge base of new ideas for solving crimes with the help of digital evidence.