Skip to content

OS Artifacts

OS Artifacts

Why OS Artifacts Are Valuable

• Automatically generated with minimal/no direct user control
• Stored in locations unknown to users or difficult to disable
• Not easily hidden or removed by typical users
• Absence may indicate anti-forensic activity (RED FLAG)
• Even if destroyed, OS stores records of the wiping software usage in Event Logs and Registry

Establishing File Transfer Evidence Sequence

🧩 Situation:

Suspect connected a USB drive, copied a file to the system, opened it, modified it, and copied it back to the USB drive. You need to establish this sequence of events.

🔍 What to Look For (Artifacts):

1. USB Connection

  • Location: Registry entries
  • What it reveals: Which USB was connected, connection time, last connection time
  • When to use: To establish the starting point of the incident timeline

2. File Creation/Copy Time

  • What it reveals: When file appeared on the system (e.g., 11:01 AM if USB connected at 11:00 AM)
  • When to use: To prove file transfer from USB to system

3. LNK Files

  • Location: System folders, visible in Autopsy
  • What it reveals: Evidence that a document was opened, even if later deleted
  • When to use: To prove file was accessed; .lnk entry persists even after file deletion
  • Why important: System-created evidence, very difficult to erase

4. User Assist

  • Location: System Artifacts → User Assist (in Magnet Axiom)
  • What it reveals: All GUI-based executions (files opened by double-clicking)
  • When to use: To prove applications or files were opened using GUI (not command line)

5. Jump Lists

  • Location: Stored in registries
  • What it reveals: Recently opened files in applications (visible when right-clicking taskbar icons)
  • When to use: To show recent file access through specific applications

6. Shell Bags

  • Location: Registry entries
  • What it reveals: Folder layout preferences; proves folder or file existed
  • When to use: To establish that a specific folder structure existed on the system

7. Prefetch

  • Location: Prefetch folder

  • What it reveals: Which DLLs and resources were used in first 10 seconds of application execution

  • When to use: To prove an application was executed and achieve better timeline accuracy

⚙️ Steps:

  1. Check registry for USB connection time (e.g., 11:00 AM)
  2. Identify file creation time on system (e.g., 11:01 AM)
  3. Locate .lnk entry showing file was opened
  4. Check User Assist for GUI-based file opening evidence
  5. Correlate timestamps to establish sequence
  6. Use Jump Lists and Shell Bags as supporting evidence

🧠 Why This Works:

OS artefacts are created automatically by Windows to improve efficiency, not for forensics . This makes them reliable evidence since they're system-generated and difficult for suspects to manipulate . Combining multiple artefacts with timestamps creates a strong evidence chain