
Artefact Analyzing Procedures

Active Member

Hello *.*,

In which order do you analyze artefacts after making an image of an evidence hard drive? Let's assume you made an image of a Windows OS notebook. Which artefacts do you search for and analyze, and in which order, for example thumbnail databases, AppCompat Cache and others? Do you work with self-made cheat sheets/tables, or is this already integrated into your evidence report?

How do you make sure not to miss or forget about any evidence?

Best regards,

Posted : 20/04/2017 7:09 pm
Active Member

It depends on what you're looking for. For me, the most common thing I'm looking for is evidence of inappropriate use/pornography so I start with browser history, images and carved images. Then I'll look at things like recent file history or shell bags to show what they've actually accessed. I don't always look at the thumbnail databases; it depends on what I find. For an HR investigation, I don't need to pull thumbnails if I already have a lot of evidence. In a child abuse case (which I don't deal with), I would probably collect them as a matter of course since additional images are potentially additional charges and I would want to collect any evidence showing that possession of the original images was known. In any case, I always take some time to come up with a plan and ask what types of artifacts will have evidence that is pertinent to my case.

I think cheat sheets are helpful and can help you avoid skipping steps. Still, the question for each artifact is whether that artifact is relevant to the case at hand.

Posted : 20/04/2017 9:03 pm
Junior Member

I have never found it helpful to work through specific artefacts and tick them off; there are too many of them. As in the previous post, it depends on the case. If I were to start in one place, it would generally be in the user's account, to see what tools and files they have been accessing.

From then on it is a matter of trying to find a start point, which more often than not comes from good keyword searching.

Another consideration is whether you are looking at a time-specific incident or general behaviours.

I have always found the process much more circular than linear.

About the only things I would regularly do at the start are know what device I am looking at an image of, file signature analysis, OS, user accounts and when the device was last used.

I think the only time I worry about missing anything is if I haven't found anything!

Posted : 20/04/2017 9:51 pm
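The post above lists file signature analysis among the few things done at the start of every case. As an added example (not the poster's tooling), the script below does that comparison in memory: it identifies a file by its magic bytes, compares the result with what the extension claims, and groups the results so that mismatches (a PE header behind a .jpg extension, a PNG behind .txt) and files with no usable extension surface in one place. The sample "files" are constructed (name, first bytes) pairs; against a real image you would feed it the first bytes of every exported file instead, and the signature table is a deliberately small subset.

```python
"""File signature analysis: does the magic number agree with the extension?

Added example for this thread, not the poster's own tooling. The SAMPLE_FILES
below are constructed in memory; on a real image the headers would be read from
files exported from the volume. SIGNATURES is a small illustrative subset.
"""
from typing import Dict, List, Optional, Set, Tuple

# (offset, magic bytes, type label). Order matters only for overlapping magics.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),           # also docx/xlsx/pptx/jar containers
    (0, b"MZ", "pe"),                    # Windows EXE/DLL/SCR
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office, MSI
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"regf", "registry-hive"),
    (0, b"ElfFile", "evtx"),
    (4, b"ftyp", "mp4"),                 # ISO base media: magic sits at offset 4
    (0, b"RIFF", "riff"),                # wav/avi/webp
]

# Extension -> acceptable type labels. An empty set means "plain text expected,
# so any binary magic is a mismatch".
EXT_TO_TYPES: Dict[str, Set[str]] = {
    "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "pptx": {"zip"}, "jar": {"zip"}, "exe": {"pe"}, "dll": {"pe"}, "scr": {"pe"},
    "doc": {"ole2"}, "xls": {"ole2"}, "msi": {"ole2"}, "rar": {"rar"},
    "7z": {"7z"}, "dat": {"registry-hive"}, "evtx": {"evtx"}, "mp4": {"mp4"},
    "wav": {"riff"}, "avi": {"riff"}, "txt": set(), "log": set(), "csv": set(),
}

# Constructed sample data: (file name, first bytes of content).
SAMPLE_FILES: List[Tuple[str, bytes]] = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00\x08\x00"),
    ("photo_2017.jpg", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),  # PE renamed to .jpg
    ("readme.txt", b"Quarterly numbers attached\r\n"),
    ("notes.txt", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),       # image renamed to .txt
    ("NTUSER.DAT", b"regf\x2a\x00\x00\x00\x2a\x00\x00\x00"),
    ("payload", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"),         # executable, no extension
    ("empty.pdf", b""),
    ("video.mp4", b"\x00\x00\x00\x18ftypmp42\x00\x00"),
    ("archive.xyz", b"Rar!\x1a\x07\x01\x00"),
]


def identify(header: bytes) -> Optional[str]:
    """Return the type label whose magic matches the header, else None."""
    for offset, magic, label in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return label
    return None


def classify(name: str, header: bytes) -> str:
    """One of: match, mismatch, empty, no-extension, unknown-extension, unknown-signature."""
    if not header:
        return "empty"                       # zero-length file: nothing to compare
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if not ext:
        return "no-extension"                # worth a look if identify() says "pe"
    kind = identify(header)
    expected = EXT_TO_TYPES.get(ext)
    if expected is None:
        return "unknown-extension"
    if not expected:                         # text-like extension
        return "mismatch" if kind else "match"
    if kind is None:
        return "unknown-signature"
    return "match" if kind in expected else "mismatch"


def triage(files: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Group file names by verdict so mismatches can be reviewed first."""
    report: Dict[str, List[str]] = {}
    for name, header in files:
        report.setdefault(classify(name, header), []).append(name)
    return report


if __name__ == "__main__":
    for verdict, names in sorted(triage(SAMPLE_FILES).items()):
        print(f"{verdict:18} {', '.join(names)}")
```

Review order in practice is mismatch, then no-extension and unknown-extension (what does identify() say about them?), then unknown-signature for files whose extension promised a binary format that is not there.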
Community Legend

In which order do you analyze artefacts after making an image of an evidence hard drive?

As has been stated already, it really depends on the goals of the investigation. As a consultant, I have a limited amount of time, based on what the client is willing to pay for, to attempt to answer their questions.

Do you work with self-made cheat sheets/tables, or is this already integrated into your evidence report?

I don't start at the report, but I do start with the final product (the report) in mind. Rather than cheat sheets, I use processes based on the category of artifacts (evidence of USB device use, program execution, user activity, etc.).

How do you make sure not to miss or forget about any evidence?

I tend to not rely on cheat sheets that others produce, but rather my own knowledge and experience, and where possible, combined with the knowledge and experience shared by others. This is why case documentation is so important…no one person has seen everything that there is to see, nor has any one person experienced every variation of what there is to see. By engaging and sharing with each other, through searchable collaboration portals, presentations, etc., we expand each other's knowledge base.

Many times (albeit not 100% of the time), due to the work I do (breach investigations) I will start with a timeline consisting of Windows Event Log, file system, and Registry metadata. This will give me an overview of the salient activity, but also let me see things like, is process tracking enabled, and if so, to what degree (most organizations that enable process tracking do not enable full command line retention…)? Does the system have LANDesk installed? What sources of evidence are there available? Does the system have VSCs enabled?

I usually start with whatever indicators I have…file names, dates and time of activity, anything that will help. The timeline creation process that I use prepends tags to events so that I can look for things within the context of not only when they happened, but what happened "near" those events, as well.

This is then an iterative process that I use to build out a narrative of the activity that occurred, based on the facts, as well as noting the gaps in information.

Being concerned about missing something is important, but too often it leads to paralysis. If you don't have a documented process, you won't ever know if you "missed" something, and without a documented process, it's very easy to forget something. A better question would be, how would you know if you missed something?

Posted : 23/04/2017 5:19 pm
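The post above describes a timeline built from Windows Event Log, file system and Registry metadata, with a tag prepended to every event so that activity can be read in context of what happened "near" a pivot, and a quick check of whether process tracking is on and whether command lines are actually retained. As an added example (not the poster's tooling), the script below does those three things over constructed records: it normalises timestamps to UTC, prepends a source tag (EVTX channel and ID, file system MACB flags, Registry LastWrite), merges and sorts, answers a "what happened within N seconds of this time" question, and reports the 4688/command-line state. The parsed-record shapes are assumptions standing in for real EVTX, $MFT and hive parser output.

```python
"""Tagged mini super-timeline: EVTX + file system + Registry, with pivoting.

Added example for this thread, not the poster's own tool. All records are
constructed sample data, not case evidence; the dict shapes are an assumption
standing in for whatever your EVTX/$MFT/hive parsers emit.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, Iterator, List

# --- constructed sample data ------------------------------------------------
EVTX_RECORDS = [
    {"TimeCreated": "2017-04-20T06:58:10Z", "Channel": "Security", "EventID": 4624,
     "Data": {"TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.0.0.25"}},
    {"TimeCreated": "2017-04-20T07:02:41Z", "Channel": "Security", "EventID": 4688,
     "Data": {"NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": ""}},
    {"TimeCreated": "2017-04-20T07:03:05Z", "Channel": "Security", "EventID": 4688,
     "Data": {"NewProcessName": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
              "CommandLine": ""}},
    {"TimeCreated": "2017-04-20T07:20:00Z", "Channel": "System", "EventID": 7045,
     "Data": {"ServiceName": "WinDefendUpd",
              "ImagePath": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"}},
]
MFT_RECORDS = [  # $STANDARD_INFORMATION timestamps; keys present only when parsed
    {"path": r"C:\Users\jdoe\Downloads\invoice.pdf",
     "created": "2017-04-20T07:01:30Z", "modified": "2017-04-20T07:01:30Z"},
    {"path": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "created": "2017-04-20T07:02:58Z", "modified": "2017-04-20T07:02:58Z"},
]
REG_RECORDS = [
    {"key": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows"
            r"\CurrentVersion\Explorer\RunMRU", "last_write": "2017-04-20T07:02:40Z"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefendUpd",
     "last_write": "2017-04-20T07:20:00Z"},
]


@dataclass(order=True)
class Event:
    ts: datetime                              # only field used for ordering
    tag: str = field(compare=False)           # prepended source tag
    detail: str = field(compare=False)


def parse_ts(value: str) -> datetime:
    """ISO-8601 string to aware UTC datetime; naive input is treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def evtx_events(records: Iterable[Dict[str, Any]]) -> Iterator[Event]:
    for r in records:
        detail = " ".join(f"{k}={v!r}" for k, v in r.get("Data", {}).items())
        yield Event(parse_ts(r["TimeCreated"]), f"EVTX/{r['Channel']}/{r['EventID']}", detail)


def mft_events(records: Iterable[Dict[str, Any]]) -> Iterator[Event]:
    """One event per distinct timestamp, flagged M/A/C/B like log2timeline."""
    for r in records:
        by_ts: Dict[datetime, List[str]] = {}
        for key, flag in (("modified", "M"), ("accessed", "A"),
                          ("changed", "C"), ("created", "B")):
            if key in r:
                by_ts.setdefault(parse_ts(r[key]), []).append(flag)
        for ts, flags in by_ts.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            yield Event(ts, f"FILE/{macb}", r["path"])


def reg_events(records: Iterable[Dict[str, Any]]) -> Iterator[Event]:
    for r in records:
        yield Event(parse_ts(r["last_write"]), "REG/LastWrite", r["key"])


def build_timeline(evtx, mft, reg) -> List[Event]:
    return sorted([*evtx_events(evtx), *mft_events(mft), *reg_events(reg)])


def near(timeline: List[Event], pivot: str, window_seconds: int) -> List[Event]:
    """Events within +/- window_seconds of the pivot time (indicator-driven pivot)."""
    p = parse_ts(pivot)
    return [e for e in timeline if abs((e.ts - p).total_seconds()) <= window_seconds]


def process_tracking_summary(evtx: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Is process creation auditing on, and is the command line actually retained?"""
    created = [r for r in evtx if r["Channel"] == "Security" and r["EventID"] == 4688]
    with_cmd = [r for r in created if r.get("Data", {}).get("CommandLine")]
    return {"process_tracking": bool(created), "count_4688": len(created),
            "command_line_retained": bool(with_cmd)}


def render(events: Iterable[Event]) -> List[str]:
    return [f"{e.ts:%Y-%m-%dT%H:%M:%SZ} [{e.tag}] {e.detail}" for e in events]


if __name__ == "__main__":
    tl = build_timeline(EVTX_RECORDS, MFT_RECORDS, REG_RECORDS)
    print("\n".join(render(tl)))
    print(process_tracking_summary(EVTX_RECORDS))
    print("\n".join(render(near(tl, "2017-04-20T07:03:05Z", 60))))
```

With the sample data, pivoting on the 07:03:05 process creation with a 60-second window pulls in the RunMRU LastWrite, the cmd.exe 4688, and the file system creation of the executable immediately before it, which is the kind of "near" context the post refers to; the summary shows process tracking enabled with no command lines retained, so the 4688 records tell you what ran but not with which arguments.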
Community Legend

Something else that I think is very important to point out as part of this discussion is the use of the term "analysis".

Far too often, what we call "analysis" is really just a listing of facts, of individual data points, completely out of context. "On this date, this file's record change time was modified…"…okay. So what? What does that mean to the reader, who is expecting you, as the analyst, to fulfill their analysis goals and answer the questions that they have?

Posted : 23/04/2017 5:34 pm