On Windows, event logs store a wealth of information about the system, its users, their activity and applications. Their primary purpose is to inform administrators: events are classified into five levels (Information, Warning, Error, Critical and Audit Success/Failure) and, by default, written to three main channels (Security, Application and System). For forensic analysis, this is a valuable source ...
Windows stores network configuration details in the registry. There are keys for TCP/IP configuration and for network interface/adapter details, and these are important in a digital forensic investigation. By analyzing these registry keys, we can recover the IP address(es) of each interface, DNS and DHCP details and much more ...
BAM (Background Activity Moderator) is a Windows service that controls the activity of background applications. It is implemented as a kernel-mode driver whose default path is "%WinDir%\system32\drivers\bam.sys". BAM is part of Windows 10 and was introduced with version 1709 ...
Windows Management Instrumentation (WMI) is the infrastructure for management data and administrative operations on Windows. WMI offers a vast set of tools for controlling Windows systems locally and remotely, and it is used especially in enterprise networks ...
NTFS is a journaling file system: it records metadata changes as transactions in a log called "$LogFile". In the event of a crash or power failure, the operating system can roll the changes back or complete them, so the log maintains the reliability and recoverability of the file system after critical events.
Windows ships with a number of ready-to-use applications, among them Microsoft Paint. The files a user recently opened in MS Paint are recorded in the Registry in the "Recent File List" subkey beneath the "Paint" key ...
Windows toast notifications were introduced in Windows 8 and continue in Windows 10. The feature provides real-time notifications for a variety of events, such as new email, app updates, security alerts, reminders and other app-specific notifications. Windows notifications ...
Windows maintains a database of important operating system and application configuration called the Windows Registry. It is made up of keys and values, analogous to a file system's folders and files respectively. UserAssist is a key ...
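The following is an added example (it is not code from this post or from ArtiFast) showing how a UserAssist entry is decoded once the value name and data have been pulled from the hive: the value name is ROT13-encoded, and on Windows 7 and later the 72-byte data blob carries the run count at offset 4, the focus count and focus time at offsets 8 and 12, and the last-execution FILETIME at offset 60. The value name, counters and timestamp below are constructed for the demo; the offsets and the System32 known-folder GUID are the documented Windows 7+ layout, not something read from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int):
    """Convert a raw FILETIME to an aware UTC datetime; 0 means 'never run'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are stored ROT13-obfuscated; undo that."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(data: bytes) -> dict:
    """Parse the 72-byte UserAssist value layout used from Windows 7 onward
    (Windows XP used a 16-byte layout, which this function rejects).

    Little-endian layout (these offsets are the assumption stated in the lead-in):
      0  uint32  session id
      4  uint32  run count
      8  uint32  focus count
      12 uint32  focus time in milliseconds
      60 uint64  last executed (FILETIME)
    """
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte Windows 7+ UserAssist value, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_executed": filetime_to_utc(last_run),
    }


def describe(value_name: str, data: bytes) -> dict:
    """Combine the decoded program name with the parsed counters for one value."""
    record = parse_userassist_value(data)
    record["program"] = decode_userassist_name(value_name)
    return record


def build_sample_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    """Construct a synthetic 72-byte value for the demo; this is not real evidence."""
    ft = int((last_run - EPOCH_1601).total_seconds()) * 10_000_000
    buf = bytearray(72)
    struct.pack_into("<IIII", buf, 0, 1, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, ft)
    return bytes(buf)


# Constructed sample: the value name as it would appear under
# HKCU\...\Explorer\UserAssist\{GUID}\Count, i.e. already ROT13-encoded.
# {1AC14E77-...} is the System32 known-folder GUID Windows substitutes for the path.
SAMPLE_NAME = codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe", "rot13")
SAMPLE_DATA = build_sample_value(5, 3, 90_000, datetime(2021, 3, 14, 9, 26, 53, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = describe(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{rec['program']}: run {rec['run_count']}x, focus {rec['focus_time']}, "
          f"last executed {rec['last_executed']:%Y-%m-%d %H:%M:%S} UTC")
```

The length check matters in practice: a 16-byte value means the hive came from Windows XP/2003, where only the session id, run count and a single FILETIME are present at different offsets, and interpreting it with the 72-byte layout silently produces garbage.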
Operating systems and applications store date and time information in various ways, using different timestamp formats. Therefore, one of the first steps in a digital forensic examination is to identify the time zone settings of the system(s) under investigation ...
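As an added example (not part of this post or of ArtiFast), the block below shows why the time zone step matters when timestamps are correlated: NTFS, the registry and most Windows artifacts store UTC FILETIMEs, while some logs record local wall-clock time, and the registry's ActiveTimeBias gives the conversion. Two points trip people up and are handled explicitly: ActiveTimeBias is a signed minute count stored in an unsigned DWORD, and Windows defines UTC = local + bias, the opposite sign of an ISO offset. The host names, bias values and the FILETIME are constructed for the demo; the registry path and value semantics are standard Windows.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def bias_from_dword(raw: int) -> int:
    """ActiveTimeBias is a REG_DWORD that holds a *signed* minute count.
    A tool that reads it unsigned shows 4294967236 where the value is -60."""
    (signed,) = struct.unpack("<i", struct.pack("<I", raw))
    return signed


def tz_from_bias(bias_minutes: int) -> timezone:
    """Windows defines UTC = local + Bias, the opposite sign to an ISO offset:
    a bias of 480 minutes is UTC-08:00."""
    return timezone(timedelta(minutes=-bias_minutes))


def utc_to_local(ts_utc: datetime, bias_minutes: int) -> datetime:
    """Render a UTC artifact timestamp as the user of that host saw it."""
    return ts_utc.astimezone(tz_from_bias(bias_minutes))


def local_to_utc(local_text: str, bias_minutes: int) -> str:
    """For artifacts that record local wall-clock time with no zone, e.g. a
    plain-text log line such as '2021-06-01 12:00:00'."""
    naive = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=tz_from_bias(bias_minutes)).astimezone(timezone.utc).isoformat()


# Constructed sample: values as they would be read from
# SYSTEM\ControlSet001\Control\TimeZoneInformation on two hypothetical hosts.
# ActiveTimeBias is the bias in force when the hive was last written, so it
# already includes daylight saving (480 - 60 for Pacific, -60 - 60 for Berlin).
SAMPLE_TZ = {
    "pacific-host": {"TimeZoneKeyName": "Pacific Standard Time",   "ActiveTimeBias": 0x000001A4},
    "berlin-host":  {"TimeZoneKeyName": "W. Europe Standard Time", "ActiveTimeBias": 0xFFFFFF88},
}
# Constructed sample: a raw FILETIME for 2021-06-01 10:00:00 UTC.
SAMPLE_FILETIME = 132670152000000000


def interpret(host: str, ft: int) -> dict:
    """Show the same UTC timestamp as the user of each host would have seen it."""
    zone = SAMPLE_TZ[host]
    bias = bias_from_dword(zone["ActiveTimeBias"])
    utc = filetime_to_utc(ft)
    return {"zone": zone["TimeZoneKeyName"], "bias_minutes": bias,
            "utc": utc.isoformat(), "local": utc_to_local(utc, bias).isoformat()}


if __name__ == "__main__":
    for host in SAMPLE_TZ:
        print(interpret(host, SAMPLE_FILETIME))
    print(local_to_utc("2021-06-01 12:00:00", -120))
```

Because ActiveTimeBias is only the bias at the moment the hive was last written, an event from a different part of the year may need the Bias/DaylightBias pair and the DST transition rules rather than the active value; the example deliberately uses June timestamps on hives also written in June.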
The Run utility on Windows lets the user directly open an application, folder or document. In Windows 10 it can be accessed by right-clicking Start > Run or with the keyboard shortcut Windows Key + R. As seen in the figure below, the Run utility ...
AmCache.hve is a Windows registry hive created to store information about program execution. Its artifacts can be a huge aid in an investigation: it records programs recently run on the system and lists the paths of the executables ...
Foxit Reader is a PDF reader and viewer similar to Adobe Acrobat Reader that provides PDF document management. It enables the user to view, edit, comment on, sign, print, share and export PDF files for free with annotations and online ...
Adobe Acrobat Reader is part of the Adobe product family. It is a cross-platform application that lets the user view, comment on, sign, print and share PDF files and collect and track feedback on them for free. The software offers other features such as creating, editing and exporting ...
Windows records a mine of information about actions taken by a user account, including the files and folders the user recently accessed. Information about recently opened/saved files and the folders that ...
Operating systems can use a portion of the hard drive as virtual memory when RAM becomes full. Microsoft Windows uses a paging file, pagefile.sys, to store pages of data that do not currently fit in physical memory. Although reading and writing ...
A logon banner is a legal notice that a Windows user sees at the point of entry to a device. It is configured manually and states the permitted and appropriate use of the computer system and its access capabilities, which the user must acknowledge ...
The Windows System Resource Usage Monitor (SRUM) was introduced in Windows 8. SRUM tracks 30 to 60 days of system resource usage: per-application resource usage, energy usage, Windows push notifications, network connectivity and data usage ...
Thumbcache is a feature available since Windows Vista that caches thumbnail images of files for the Windows Explorer view. When Windows Explorer is opened in a thumbnail view, the files in the folder are displayed as small ...
The Windows Recycle Bin was introduced with Windows 95 and is still present in Windows 10. It is a temporary store for items the user has deleted; the user can then remove the items permanently or restore them in case they were ...
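As an added example (not code from this post or from ArtiFast), here is a parser for the per-user Recycle Bin metadata that Windows Vista and later keep under C:\$Recycle.Bin\<SID>\. Each deleted file becomes a pair: a $I file holding the original path, size and deletion time, and a $R file with the same suffix holding the content, so even when the $R file has been purged the $I file still tells you what was deleted and when. Two on-disk layouts exist and both are handled: version 1 (Vista through 8.1) with a fixed 520-byte path field, and version 2 (Windows 10 and later) with a character count followed by the path. The file names, paths, sizes and timestamps below are constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I metadata file from C:\\$Recycle.Bin\\<SID>\\.

    Both layouts start with three little-endian int64 fields: format version,
    original file size, deletion FILETIME. Then:
      version 1 (Vista - 8.1): fixed 520-byte (260 UTF-16 chars) original path
      version 2 (Windows 10+): uint32 character count, then the UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_utc(ft).isoformat(), "original_path": path}


def content_file_for(i_name: str) -> str:
    """The deleted content lives in the sibling $R file with the same suffix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Constructed $I content for the demo; not real evidence."""
    ft = int((deleted - EPOCH_1601).total_seconds()) * 10_000_000
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<qqq", version, size, ft)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_V2 = build_sample(2, r"C:\Users\alice\Documents\payroll.xlsx", 48_213,
                         datetime(2021, 8, 2, 14, 5, 9, tzinfo=timezone.utc))
SAMPLE_V1 = build_sample(1, r"D:\exports\customer_list.csv", 1_024,
                         datetime(2015, 1, 20, 8, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, blob in (("$I3F9K2L.xlsx", SAMPLE_V2), ("$IQ7B1ZD.csv", SAMPLE_V1)):
        print(name, "->", content_file_for(name), parse_dollar_i(blob))
```

Note that a $I file whose $R sibling is missing is itself a finding: the item was emptied from the bin (or the $R was removed), and the deletion timestamp in the $I file still survives.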
PowerShell is an object-oriented framework consisting of a command-line shell and a scripting language. The shell is installed by default on every Windows computer and can be installed on macOS and Linux. It enables users to automate administrative ...
Windows 10 Timeline was introduced as part of the Windows 10 April 2018 Update (version 1803). The feature lets users view their currently running apps and look back at previous activities such as opened documents, programs, images ...
Windows stores local user accounts and their security descriptors in a file called SAM (Security Account Manager). SAM is a hive of the registry, the system-defined database where configuration data is stored and retrieved. Using cryptographic measures, this file can be ...
Cortana is a voice-activated digital personal assistant introduced by Microsoft with Windows 10. It can perform tasks such as searching local files or the web, answering simple queries, and sending emails and texts ...
Microsoft Office is a suite of productivity applications used widely around the world. It includes applications such as Word, Excel, Access and PowerPoint, each designed for a specific task or service for its ...
USB devices are among the most widely used storage devices thanks to their speed, large capacity, small size and portability. Their advantages are indisputable; however, they are also a major security threat to businesses and individuals alike ...
Windows 7/10 stores profiles of the wireless networks a system has connected to. ArtiFast can locate and parse this data, extracting information such as the network name and connection time. This artifact gives an investigator information on wireless networks that ...
Windows Search is a desktop search platform introduced in Windows Vista and continued in later versions (Windows 7, 8 and 10). As the figure below indicates, the service "provides content indexing, property caching, and search results ...
Microsoft Remote Desktop Connection (RDC) lets a user connect to and access other Windows systems over a network. It is a built-in application that implements the Remote Desktop Protocol (RDP) through Terminal Services / Remote Desktop Services to access and control ...
Task Scheduler is a Windows component that lets the system launch programs or scripts at preset times. It monitors the trigger condition chosen by the user and runs the task when the condition is met. Triggers can be calendar-based or event-based ...
AnyDesk is a remote desktop application similar to TeamViewer. It offers remote access and control, file transfer and VPN functionality. AnyDesk is available for Windows, macOS and Linux desktops, and also for ...
Torch Browser is a web browser and Internet suite developed by Torch Media. Torch is known for its media grabber, which gives users high-speed audio and video downloading, its built-in torrent manager, media player, music, a large catalogue of free games, and the ...
LNK (link) files are Windows shortcut files created automatically by the operating system whenever a user opens a local or remote file or document; they can also be created manually by the user. LNK files can point to executables or any other file on the ...
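The following is an added example (not from this post or from ArtiFast) of reading the part of an LNK file that matters most to an investigator: the 76-byte ShellLinkHeader with the target's creation/access/write FILETIMEs, size and attributes, followed by the optional StringData (relative path, working directory, command-line arguments, icon location). The arguments field deserves particular attention because a shortcut can launch a legitimate executable with attacker-supplied parameters. The header size, CLSID, flag bits and string layout are those of the MS-SHLLINK format; the sample shortcut, its paths and timestamp are constructed for the demo, and decoding non-Unicode strings as cp1252 is an assumption about the system code page.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY",
              0x20: "ARCHIVE", 0x80: "NORMAL"}
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def _ft(ft: int):
    return None if ft == 0 else (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a Shell Link (.lnk) file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    rec = {"flags": [n for b, n in LINK_FLAGS.items() if flags & b],
           "attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
           "target_created": _ft(ctime), "target_accessed": _ft(atime),
           "target_modified": _ft(wtime), "target_size": size}
    pos = 76
    if flags & 0x01:                        # LinkTargetIDList: uint16 size, then item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                        # LinkInfo: begins with its own uint32 total size
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & 0x80)
    for bit, field in STRING_FIELDS:        # uint16 char count + chars, no terminator
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        rec[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return rec


def build_sample_lnk(relative_path: str, working_dir: str, arguments: str,
                     size: int, modified: datetime) -> bytes:
    """Construct a minimal Unicode shortcut for the demo (no IDList or LinkInfo)."""
    ft = int((modified - EPOCH_1601).total_seconds()) * 10_000_000
    flags = 0x08 | 0x10 | 0x20 | 0x80       # RelativePath, WorkingDir, Arguments, Unicode
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, size, 0, 1, 0, 0, 0, 0)

    def sd(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + sd(working_dir) + sd(arguments)


# Constructed sample shortcut; not real evidence.
SAMPLE_LNK = build_sample_lnk(r"..\..\..\Windows\System32\mspaint.exe",
                              r"C:\Users\alice\Pictures",
                              r"C:\Users\alice\Pictures\scan.png",
                              1_234_567, datetime(2021, 2, 3, 8, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:>16}: {value}")
```

A shortcut recovered from a user's Recent folder will normally also carry a LinkTargetIDList and LinkInfo (volume serial, local base path, network share); the parser skips over them using their own size fields so the StringData that follows is still read correctly.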
Thumbs.db files are hidden Windows system files generated inside each folder on the system. They cache the thumbnail images that represent the folder's contents when Windows Explorer is set to the Thumbnails or Filmstrip view ...
The Jump Lists feature was introduced with Windows 7 and continues in later versions, including Windows 11. It gives the user quick access to recently opened application files and common tasks ...
Vivaldi is a cross-platform web browser developed by Vivaldi Technologies. It is known for being fast, private and secure, with built-in blocking of ads and trackers. What makes Vivaldi distinctive is its many built-in features and the way it puts the user ...
In a digital forensic examination, identifying and collecting general information about the system(s) under investigation is essential. One of the basic items to identify is the device or computer name. On Windows, the computer name is maintained in the System ...
Windows 10 Maps is an online mapping client served by geographic information systems over the Internet. Developed by Microsoft, it is available for Windows 8/10, Xbox One and Xbox Series X/S ...
Despite advances in technology, paper and printers will not disappear in the foreseeable future; many sectors and societies still rely heavily on printed documents. That is why it is important to be able to retrieve information about the printers the system ...
Evernote is one of the most popular note-taking applications. It provides users with cloud-synchronized storage where they can save and organize notes, ideas, photos, documents and data from any device at any time. It supports multiple ...
The Windows Registry maintains a great deal of information about system configuration, user activity and more. Installed Programs is among the useful artifacts extracted from the registry hives; it contains details about the applications installed on the system ...
7-Zip is a free and open-source file archiver that compresses files, stores them in containers called "archives" and decompresses them. 7-Zip has its own archive format, 7z (.7z extension), but can also read and write a variety of other formats. 7-Zip was ...
Windows Services is a key component of the Windows operating system that lets long-running processes be created and managed in their own sessions. Services usually start in the background at boot without any user interaction and can keep running long after ...
MUI stands for Multilingual User Interface, a technology that lets a single Windows application be localized for multiple languages. Developers create an .mui file for each language the application supports, and these files let the user switch the language ...
TeamViewer is software for remote access and control of computers and other devices. It is known for being reliable, fast and easy to access, and for its secure communication technology. TeamViewer is mainly used for web conferencing and remote administration ...
The Windows Registry is an essential component of Windows. It holds a wealth of information about user activity, default settings, configuration and more. The Microsoft\Windows NT\CurrentVersion key in the Software hive is one of the ...
WinRAR is a file archiver that combines and compresses several files into one archive. WinRAR can create and view its own RAR format (.rar extension) and ZIP archives, and can decompress many other archive formats. WinRAR was ...
Users often search for things on their devices through the built-in search capability of their systems. Windows keeps a list of the keywords searched for on the system, in locations that depend on the version in use. In recent versions of Windows ...
In this blog post we solve a challenge designed by Cyber Defenders. Below is the solution, worked with ArtiFast Windows. Artifacts covered in this challenge, Registry artifacts: System Information, Wireless Networks, User Accounts, Profiles List ...
VMware Workstation is virtual machine software that runs on Windows and Linux hosts. It lets users operate multiple virtual machines on a single physical machine, each running its own operating system ...
All versions of Windows include a Registry Editor (regedit.exe). This tool lets users view the registry and create, modify and delete keys, subkeys, values and value data. The Last Accessed Key artifact ...
Sticky Notes is a desktop note-taking application shipped with Windows 7, Windows 8 and Windows 10. It is known for launching instantly and lets users quickly and easily take notes on Windows' version of Post-it notes ...
TypedURLs is a Windows Registry key similar in concept to TypedPaths. It records URLs typed or pasted into the Internet Explorer (IE) address bar. URLs completed by the browser's AutoComplete feature are not recorded in the key unless the website was ...
In this blog post we solve a challenge designed by Cyber Defenders using ArtiFast Windows. In this challenge, a security professional joining a new company is asked to demonstrate her technical expertise (full scenario) ...
TypedPaths is a Windows Registry key that records the last 25 paths typed or pasted into the address bar of File Explorer (formerly Windows Explorer). The typed paths do not appear in the key instantly, however; the user has to close the File Explorer window ...
Calendar is a built-in Windows application developed by Microsoft that helps users manage schedules, meetings, reminders, appointments and other events. It can also synchronize calendars with Microsoft Exchange Server, Outlook, Apple's iCloud ...
Mailboxes are an essential part of our lives, as email is one of the most important methods of communication in the 21st century. Accordingly, mailbox forensics is a crucial part of digital forensics. Forensic searches are carried out to investigate and find any leads ...
Chrome is a web browser developed by Google on the open-source Chromium project. It is known for fast performance, security and privacy, and is available for desktop (Windows, macOS, Linux, OpenBSD, FreeBSD and Fuchsia) and mobile devices (Android and iOS) ...
Mozilla Thunderbird, developed by the Mozilla Foundation, is an open-source, cross-platform email client that also provides personal information management, a news client, a chat client and RSS feeds. Thunderbird was designed to follow the style of Mozilla's Firefox web browser ...
Opera is a multi-platform web browser developed by Opera Software, known for its small size, speed and stability. It is available for desktop (Windows, macOS and Linux) and mobile devices (Android and iOS) ...
Microsoft Windows tracks and records a user's view settings and preferences when browsing folders. These settings (window size, view mode, position, etc.) are stored in the Shellbags registry keys. Shellbags keep track of a folder's view settings once the folder has been viewed ...
Facebook Messenger is an instant messaging (IM) service and ranks second among the most popular social network platforms. With more than one billion daily active users on average, it is a rich platform for investigators ...
Firefox is an open-source web browser developed by Mozilla, praised for its security- and privacy-focused approach. It is available for desktop (Windows, macOS and Linux) and mobile devices (Android and iOS) ...
In this blog post we solve a challenge designed by Cyber Defenders using ArtiFast Windows. The purpose of the challenge is to analyze a disk image acquired from a suspect's laptop to determine whether the person in question was performing illegal activities (scenario) ...
Signal is a cross-platform messaging application for one-to-one and group messages, including text, voice notes, files, photos and videos, as well as voice and video calls. Signal was initially released in July 2014 and has become one of the most popular instant messaging applications ...
Google Drive is a file storage and synchronization service developed by Google. Launched in April 2012, it lets users store files on Google's servers, synchronize them between computers and share them. Google Drive also offers offline capabilities as part of the Google Docs Editors office suite ...
LastVisitedMRU is a Windows registry key that tracks the applications used to open or save the files recorded in the OpenSaveMRU key, together with the location of the last file each application opened or saved. This is how the "Open"/"Save As" Windows shell dialog boxes keep track of the ...
OpenSaveMRU is a Windows registry key that tracks files accessed by any application through the "Open" or "Save As" Windows shell dialog box. The key differs slightly between Windows XP and Windows Vista and later (OpenSaveMRU on Windows XP and 2003; OpenSavePidlMRU on Vista through Windows 10) ...
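The recent-files keys (RecentDocs), the search-keyword key (WordWheelQuery) and the Open/Save dialog keys (OpenSavePidlMRU, LastVisitedPidlMRU) all use the same ordering mechanism, so one added example covers them (this is not code from the post or from ArtiFast). The values are named "0", "1", "2", ... and are not in chronological order; the MRUListEx value is a list of little-endian uint32 indices, most recent first, terminated by 0xFFFFFFFF. Windows XP keys used a REG_SZ MRUList of letters instead. Value data is a NUL-terminated UTF-16LE string, and in RecentDocs and the Pidl keys a binary shell item follows the string, so the decoder stops at the first aligned NUL. The key contents below are constructed; the placeholder bytes after the file names stand in for real shell items and are not parsed.

```python
import struct


def mru_order(values: dict) -> list:
    """Return value names in most-recent-first order.

    Vista and later keys carry MRUListEx: little-endian uint32 indices
    terminated by 0xFFFFFFFF, each naming a value ('0', '1', ...). Windows XP
    keys carry MRUList instead: a REG_SZ of letters ('cab') naming values
    'a', 'b', 'c'. Raw hive data for a REG_SZ is UTF-16LE.
    """
    if "MRUListEx" in values:
        raw = values["MRUListEx"]
        order = []
        for off in range(0, len(raw) - 3, 4):
            (idx,) = struct.unpack_from("<I", raw, off)
            if idx == 0xFFFFFFFF:
                break
            order.append(str(idx))
        return order
    if "MRUList" in values:
        return list(values["MRUList"].decode("utf-16-le").rstrip("\x00"))
    return []


def utf16_prefix(data: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE string of a value.
    RecentDocs and OpenSavePidlMRU values have a binary shell item appended
    after the string, so stop at the first *aligned* 00 00 pair."""
    units = []
    for off in range(0, len(data) - 1, 2):
        unit = data[off:off + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
    return b"".join(units).decode("utf-16-le", errors="replace")


def recent_entries(values: dict) -> list:
    """Decode the string part of every MRU value, most recent first.
    Indices listed in MRUListEx but absent as values are skipped."""
    return [utf16_prefix(values[name]) for name in mru_order(values) if name in values]


def _sz(text: str) -> bytes:
    """UTF-16LE with terminating NUL, as REG_SZ data sits in the hive."""
    return (text + "\x00").encode("utf-16-le")


# Constructed samples; not real evidence.
# WordWheelQuery: plain strings; MRUListEx says value 2 was the latest search.
SAMPLE_WORDWHEEL = {
    "0": _sz("invoice"),
    "1": _sz("passwords"),
    "2": _sz("vpn config"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}
# RecentDocs: file name followed by a shell item (placeholder bytes here).
SAMPLE_RECENTDOCS = {
    "0": _sz("quarterly_report.docx") + b"\x2a\x00\x32\x00\x13\x37",
    "1": _sz("salary_bands.xlsx") + b"\x1e\x00\x32\x00\x42\x42",
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}
# Windows XP style key with a letter-based MRUList.
SAMPLE_XP = {
    "a": _sz("old_notes.txt"),
    "b": _sz("budget.xls"),
    "c": _sz("photo.jpg"),
    "MRUList": _sz("cab"),
}

if __name__ == "__main__":
    for label, key in (("WordWheelQuery", SAMPLE_WORDWHEEL),
                       ("RecentDocs", SAMPLE_RECENTDOCS), ("XP RecentDocs", SAMPLE_XP)):
        print(label, recent_entries(key))
```

Only the first entry in MRUListEx can be tied to the key's last-write time; the order of the remaining entries is relative, which is why these keys are best read alongside the LNK files in the user's Recent folder, which carry their own timestamps.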
Brave is an open-source web browser developed by Brave Software, known for fast performance, security and privacy. It is available for desktop (Windows and macOS) and mobile devices (Android and iOS) ...
In this blog post we solve another challenge designed by Cyber Defenders, using the full version of ArtiFast Windows. In this case, an attacker has compromised an organization's web server through its website. The purpose of the challenge is to analyze the image provided, determine how the breach occurred and ...
OneDrive is a file hosting service that offers cloud storage, file synchronization, a personal cloud and client software. It brings files together in one place by creating a special folder on the user's computer whose contents are synchronized to OneDrive's servers and to the user's other computers and devices ...
UC Browser is a web browser developed by the mobile internet company UCWeb, known for fast and secure browsing, video streaming, high-speed downloads and an ad-free experience. It is simple and easy to use, and is available for desktop (Windows and macOS) and mobile devices (Android and iOS) ...
Zoom is one of the leading cloud-based video conferencing and messaging products. The video telephony software lets multiple participants communicate concurrently. Its popularity spiked during the COVID-19 pandemic of 2019-2020 as it drew interest from both personal and business users. It is used by banks, schools ...
WhatsApp is a cross-platform messaging application owned by Facebook. It supports sending and receiving text and voice messages, photos, documents, videos and locations, along with voice and video calls for one-to-one and group chats.
Skype is software that lets users communicate with one another; millions of individuals and companies use it to make free one-to-one and group video and voice calls, send instant messages and exchange files. Skype runs on laptops, mobile devices and tablets and is available for Microsoft Windows, Apple macOS and ...
The Windows Update log is a record of all notable changes made to a Windows system by the Windows Update service; every detail of each update applied is recorded by the system. If anti-malware software is installed, the history of its updates is recorded as well. Third-party software installed on the device can also capture ...
Windows Photos is an image organizer, graphic editor and video editor by Microsoft. It was originally released in Windows 8 as a better alternative to Windows Photo Viewer. It integrates with Microsoft Sway, so selected photographs can be used as a source for a Sway project. In Windows Photos, users can also share ...
In this blog post we solve a challenge designed by Cyber Defenders using the full version of ArtiFast Windows. In this case, the SOC team detected illegal port-scanning activity coming from the system of a disgruntled employee who may be getting help from an outsider (full scenario). The purpose of this challenge is to ...
ArtiFast Lite is the free version of ArtiFast. It requires no license and lets users parse and analyze a subset of Windows artifacts ...
Box Sync is a desktop client that mirrors data saved in Box to the user's desktop. Without using a web browser, the user can access and change content stored on the Box website through the native file browser, and content synchronized to the user's computer remains available offline.
Box is a cloud computing service that offers file sharing, collaboration and cloud storage. It lets users share information with other users and manage content across devices. Box was founded in 2005 and is available on several platforms, including Windows, macOS and several mobile platforms.
Prefetch is a Windows feature that first appeared in Windows XP. It is a component of the Memory Manager that speeds up the boot process and reduces application start-up time: Windows records which files an application touches during its first seconds of execution and, on later launches, reads them into memory ahead of the application's own requests, reducing disk seeks and consolidating ...
Microsoft Edge is a cross-platform web browser developed by Microsoft, known for its speed, improved security, reading mode, tracking prevention and light footprint. It also provides an organized, easy environment for its users through its integration with Microsoft 365 and its Collections feature. The browser is available for desktop ...
The original Microsoft Edge browser, now known as Microsoft Edge Legacy, is an EdgeHTML-based browser developed by Microsoft. EdgeHTML is a browser engine first introduced as part of the rendering engine of Internet Explorer 11; it was then used in the Project Spartan browser, which was later named Microsoft Edge. Microsoft Edge Windows ...
iCloud is Apple's cloud storage and cloud computing service, launched in October 2011. It lets users store, share and send data, files and documents among users and devices, and is available for Windows, iOS and macOS. In addition, iCloud wirelessly backs up iOS devices directly to the cloud. By connecting accounts via AirDrop ...
Clubhouse is a hot new social media platform that has gained a great deal of traction. The app launched in April 2020 and found popularity through appearances by celebrities and public figures such as Elon Musk. Clubhouse is an audio-only social media app: there is no text, pictures or video. Users gather in virtual audio chat "rooms" ...
Dropbox is a file hosting service founded in 2007 that offers cloud storage, file synchronization, a personal cloud and client software. It brings files together in one place by creating a special folder on the user's computer whose contents are synchronized to Dropbox's servers and to other computers and devices where Dropbox has ...
Internet Explorer is a web browser developed by Microsoft Corporation. It is one of the best-known browsers, having been the default web browser on Windows devices from 1995 until January 2015. The Internet Explorer project started in 1994 as part of an Internet Jumpstart Kit and developed over time until it reached its latest version, Internet ...
VLC media player (VideoLAN Client) is a free and open-source, lightweight, cross-platform media player and streaming media server developed by the VideoLAN community. VLC is available for desktop operating systems (Windows, macOS and Linux) and mobile platforms (iOS, iPadOS, Tizen, Windows 10 Mobile and Windows Phone). VLC accepts many types of audio and video ...
Windows Terminal is a modern terminal application for command-line and shell users that hosts Command Prompt, PowerShell and the Windows Subsystem for Linux (WSL). It offers multiple windows and panes, Unicode and UTF-8 support, a GPU-accelerated text rendering engine, and the ability to build custom themes and configure text, colors, backgrounds and shortcuts ...
The National Institute of Standards and Technology (NIST) provides DFIR challenges to help people learn about various types of cases and the techniques used to solve them. This challenge provides the following scenario: it is a data leakage case where we are ...
Discord is very popular among gamers for its user-friendly features, high performance and ease of use. It has drawn so much praise that even non-gamers may be familiar with the platform. Although Discord was initially centered on games and gamers ...
Viber is a cross-platform voice-over-IP (VoIP) and instant messaging (IM) service owned by the Japanese corporation Rakuten; Viber PC is its desktop client. It lets users send messages of any kind, such as text, video, contact info and audio, and exchange and share data with other ...
The National Institute of Standards and Technology (NIST) provides DFIR challenges to help people learn about various types of cases and the techniques used to solve them. This challenge provides the following scenario: it requires us to analyze a drive ...
Microsoft Outlook Express is a discontinued email program developed by Microsoft Corporation. It was bundled with Internet Explorer in its earlier versions and later became available as standalone software. Outlook Express was intended for home ...
In this blog post we solve a challenge designed by info-sec.box using ArtiFast Windows. The purpose of the challenge is to analyze an image acquired from a lost flash drive and find the flag (challenge). Below is the solution, worked with ArtiFast ...
Messenger Plus! is an add-on for Windows Live Messenger and Skype. Released in May 2001, it provides instant messaging, custom status tags, event and chat logging, auto-replies and contact statistics. Messenger Plus! can be used on laptops, mobile devices ...
Microsoft Messaging is an instant messaging app for Windows 8, Windows 10 and Windows 10 Mobile. It provides messaging and voice/video calling. SMS, MMS and RCS messaging are all supported in the web edition. SMS messages sent via Skype and billing ...
Social networking applications are essential in today's world, bypassing physical and social boundaries and shaping the way people communicate with each other. Twitter is one of the most popular online social networking apps and is available for installation on the desktop ...