OS Artifacts¶
OS Artifacts¶
Why OS Artifacts Are Valuable¶
• Automatically generated with minimal/no direct user control
• Stored in locations unknown to users or difficult to disable
• Not easily hidden or removed by typical users
• Absence may indicate anti-forensic activity (RED FLAG)
• Even if destroyed, OS stores records of the wiping software usage in Event Logs and Registry
Establishing File Transfer Evidence Sequence¶
🧩 Situation:
Suspect connected a USB drive, copied a file to the system, opened it, modified it, and copied it back to the USB drive. You need to establish this sequence of events.
🔍 What to Look For (Artifacts):
1. USB Connection
- Location: Registry entries
- What it reveals: Which USB was connected, connection time, last connection time
- When to use: To establish the starting point of the incident timeline
2. File Creation/Copy Time
- What it reveals: When file appeared on the system (e.g., 11:01 AM if USB connected at 11:00 AM)
- When to use: To prove file transfer from USB to system
3. LNK Files
- Location: System folders, visible in Autopsy
- What it reveals: Evidence that a document was opened, even if later deleted
- When to use: To prove file was accessed; .lnk entry persists even after file deletion
- Why important: System-created evidence, very difficult to erase
4. User Assist
- Location: System Artifacts → User Assist (in Magnet Axiom)
- What it reveals: All GUI-based executions (files opened by double-clicking)
- When to use: To prove applications or files were opened using GUI (not command line)
5. Jump Lists
- Location: Stored in registries
- What it reveals: Recently opened files in applications (visible when right-clicking taskbar icons)
- When to use: To show recent file access through specific applications
6. Shell Bags
- Location: Registry entries
- What it reveals: Folder layout preferences; proves folder or file existed
- When to use: To establish that a specific folder structure existed on the system
7. Prefetch
-
Location: Prefetch folder
-
What it reveals: Which DLLs and resources were used in first 10 seconds of application execution
- When to use: To prove an application was executed and achieve better timeline accuracy
⚙️ Steps:
- Check registry for USB connection time (e.g., 11:00 AM)
- Identify file creation time on system (e.g., 11:01 AM)
- Locate .lnk entry showing file was opened
- Check User Assist for GUI-based file opening evidence
- Correlate timestamps to establish sequence
- Use Jump Lists and Shell Bags as supporting evidence
🧠 Why This Works:
OS artefacts are created automatically by Windows to improve efficiency, not for forensics . This makes them reliable evidence since they're system-generated and difficult for suspects to manipulate . Combining multiple artefacts with timestamps creates a strong evidence chain