Data Leak Challenge Using ArtiFast Lite

02/03/2021 Tuesday

National Institute of Standards and Technology (NIST) provides DFIR challenges to help people learn about various types of challenges and the techniques that can be used to solve them. This challenge provides the following scenario. It is a data leakage case where we are required to find evidence of the offense and any data that the suspect might have generated. Below is the solution to the challenge, solved using the Lite version of ArtiFast.

1. List all accounts in OS except the system accounts: Administrator, Guest, systemprofile, LocalService?

Answer: informant, admin11, ITechTeam, and Temporary.
The answer is in the User Accounts Artifact.

2. Who was the last user to logon into PC?

Answer: informant

3. What websites were the suspect accessing?

We can check Chrome history.

4. List all search keywords using web browsers.

I have used Chrome Search Term to list the keywords.

5. Where is the e-mail file located?

Answer: C:\Users\informant\AppData\Local\Microsoft\Outlook\iaman.informant@nist.gov.ost

6. List external storage devices attached to PC.

I have used USB Artifact.

7. List all directories that were traversed in "RM#2".

Answer: Shellbags