In a digital forensic examination, identifying and collecting general information about the system(s) under investigation is essential. One of the basic pieces of information to identify during an examination is the device or computer name. In Windows systems, the computer name is maintained in the System hive within the ComputerName key.
During an examination, it is important to include the computer name as part of the overall examination documentation. This information is particularly important when examining multiple systems, as it helps in tracking and correlating the system(s) under investigation.
The Computer Name artifact is stored within the SYSTEM hive at SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
The ComputerName key contains two subkeys, ActiveComputerName and ComputerName. Both keys usually store the same value (the computer name). However, the difference between these two keys can be observed when the name of the computer is changed from the Control Panel. The new name will be stored in the ComputerName key, whereas the ActiveComputerName key will still contain the old name. After the computer is rebooted, the ActiveComputerName value will be updated to the new name as well. Thus, both keys will contain the new name.
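The comparison described above can also be scripted. The following is an added example, not ArtiFast code or part of the original article: it parses the text of a .reg export, reads the ComputerName value under both subkeys, and reports whether a rename is still waiting for a reboot. The function names and the sample export are constructed for illustration. It also resolves ControlSet00N from Select\Current, because CurrentControlSet is a link that exists only in the registry of the running system.

```python
import re

# Constructed sample (not case data): .reg export text covering the Select key
# and ControlSet001\Control\ComputerName, taken after a rename but before a reboot.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName]
"ComputerName"="WS-FINANCE-01"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="WS-FINANCE-07"
'''

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword else string.replace('\\\\', '\\')
    return keys

def computer_names(text, root=r'HKEY_LOCAL_MACHINE\SYSTEM'):
    """Return (configured, active, rename_pending) from .reg export text."""
    keys = parse_reg(text)
    select = keys.get(f'{root}\\Select'.lower(), {})
    # Use the control set named by Select\Current when it is exported;
    # otherwise fall back to the CurrentControlSet path of a live export.
    cset = f"ControlSet{select['Current']:03d}" if 'Current' in select else 'CurrentControlSet'
    base = f'{root}\\{cset}\\Control\\ComputerName\\'.lower()
    configured = keys.get(base + 'computername', {}).get('ComputerName')
    active = keys.get(base + 'activecomputername', {}).get('ComputerName')
    # Differing values mean the rename was made but the machine has not rebooted.
    # A missing subkey is reported as unknown (None) instead of raising.
    pending = None if None in (configured, active) else configured.lower() != active.lower()
    return configured, active, pending
```

With the sample above, the configured name is the new one and the active name is the old one, so the rename is reported as pending.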
This section discusses how to use ArtiFast Windows to analyze the Computer Name artifact from Windows machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select the Computer Name artifact:
Once the ArtiFast parser plugins complete processing the artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Computer Name artifact in ArtiFast Windows.
Computer Name Artifact
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com