Interpret Artifact Elements

Digital forensics artifact analysis for incident response

Week 4 TOPIC

Digital Forensics Artifacts

Forensic artifacts are traces left behind by user activity, system processes, and malicious actions. SOC analysts interpret these artifacts to reconstruct events, establish timelines, and identify indicators of compromise. Per NIST SP 800-86, digital evidence must be collected systematically and analyzed with validated tools to be admissible and reliable.

Artifact Categories

File System

Created/modified files, timestamps (MACB times), deleted file remnants in unallocated space, file signatures, alternate data streams (ADS). The $MFT on NTFS tracks every file ever created, even after deletion.

Registry (Windows)

Run keys (persistence), services, user activity (MRU lists), USB history (USBSTOR), recently accessed files, typed URLs, network profiles. The Windows Registry is a forensic goldmine -- it records nearly everything.

Network

DNS cache, ARP cache, connection history (netstat output), browser artifacts (history, cookies, cache), firewall logs, proxy logs. Network artifacts are often volatile -- capture them early in IR.

Memory (Volatile)

Running processes, loaded DLLs, open network connections, decrypted data, injected code, clipboard contents. Memory analysis is critical for fileless malware that never touches disk. Captured with tools like WinPMem, DumpIt, or LiME.

Order of Volatility

Always collect the most volatile evidence first. The order (per RFC 3227): (1) CPU registers/cache, (2) RAM, (3) network connections, (4) running processes, (5) disk, (6) remote logging, (7) archival media. Memory disappears when the system is powered off. If you image the disk first, you lose all volatile data. Many modern attacks are memory-only -- if you skip RAM collection, you may find nothing on disk.

Source: Shield House > Operations > IR Forensics Lab Open Forensics Lab

Key Artifact Locations

Windows Forensic Artifacts

ArtifactLocationAnalysis ValueTool
PrefetchC:\Windows\Prefetch\Program execution history with timestamps and run countPECmd (Eric Zimmerman)
Event LogsC:\Windows\System32\winevt\Logs\Security events, logons, process creation, service installsEvent Viewer, EvtxECmd
NTUSER.DATC:\Users\{user}\User registry hive: recent files, typed URLs, search termsRegRipper, Registry Explorer
$MFTC:\$MFTMaster File Table -- all file metadata including deleted filesMFTECmd, analyzeMFT
AmcacheC:\Windows\AppCompat\Programs\Application execution with SHA1 hashes -- proves a file existedAmcacheParser
ShimCacheSYSTEM registry hiveApplication compatibility cache -- execution evidenceAppCompatCacheParser
SRUMC:\Windows\System32\sru\System Resource Usage Monitor -- network usage per app, 30+ daysSrumECmd
Jump Lists%AppData%\Recent\AutomaticDestinations\Files opened by specific applications -- proves user interactionJLECmd
Browser History%LocalAppData%\{Browser}\User Data\URLs visited, downloads, form data, saved passwordsHindsight, DB Browser

Linux Forensic Artifacts

/var/log/ System and application logs /var/log/auth.log Authentication events (SSH logins, sudo usage) /var/log/syslog General system events, kernel messages /var/log/secure Authentication on RHEL/CentOS systems ~/.bash_history User command history (check all users, not just root) /etc/passwd User accounts -- look for recently added users /etc/shadow Password hashes -- check modification date /tmp/ and /dev/shm/ Temporary files (malware staging areas) /proc/ Running process information (volatile) /etc/crontab Scheduled tasks -- common persistence mechanism ~/.ssh/authorized_keys SSH backdoor -- attacker adds their public key /var/spool/cron/ Per-user cron jobs -- check for malicious entries

Windows Event IDs Every SOC Analyst Must Know

Event IDLogMeaningInvestigation Value
4624SecuritySuccessful logonCheck logon type (2=interactive, 3=network, 10=RDP), source IP, account name
4625SecurityFailed logonBrute force detection -- 10+ in 5 min = active attack. Check if followed by 4624
4672SecuritySpecial privileges assignedAdmin logon -- who got elevated access and when? Always accompanies admin 4624
4688SecurityNew process createdCommand line visible (if audit policy enabled). Essential for attack chain reconstruction
4720SecurityUser account createdBackdoor account creation -- was this authorized? Check who created it (SubjectUserName)
4732SecurityMember added to groupPrivilege escalation -- user added to Administrators, Domain Admins, etc.
7045SystemService installedPsExec creates PSEXESVC, malware installs services for persistence
1102SecurityAudit log clearedAnti-forensics -- attacker cleared the security log. This event itself survives the clear
1 (Sysmon)SysmonProcess creationFull command line, parent process, hash -- most valuable artifact for IR
3 (Sysmon)SysmonNetwork connectionWhich process made which connection -- catches C2 callbacks with process context

Artifact Analysis

MACB Timeline Analysis

Forensic timelines combine timestamps from multiple artifacts to reconstruct the sequence of events. NTFS stores four timestamps per file:

Modified (M)

When file content was last changed. Most reliable timestamp -- directly reflects when the file was written to.

Accessed (A)

When file was last read. Least reliable -- Windows disables access time updates by default since Vista for performance.

Changed (C) / MFT Modified

When file metadata (permissions, name, attributes) was last modified. Cannot be set by user-level APIs -- useful for detecting timestomping.

Birth/Created (B)

When the file was originally created on this filesystem. Can be timestomped but the $MFT entry creation time survives.

Reconstructing an Attack from Artifacts

This is a real-world attack reconstruction using multiple artifact sources. Each event is corroborated across at least two sources:

02:17 AM
Event 4624 (Type 10) + Prefetch
Initial Access: RDP logon from 185.234.72.18. Prefetch shows mstsc.exe executed on victim. This is the point of entry -- compromised credentials used for remote access.
02:23 AM
Sysmon Event 1 + Amcache
Execution: powershell.exe -enc [base64] spawned by explorer.exe. Amcache records mimikatz.exe hash matching known credential dumping tool.
02:31 AM
Event 7045 + Registry (NTUSER.DAT)
Persistence: New service "WindowsUpdateHelper" installed. Registry Run key added at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Ensures malware survives reboot.
02:45 AM
Event 4624 (Type 3) on DC + Sysmon Event 3
Lateral Movement: Network logon to Domain Controller with stolen admin credentials. SMB connection from workstation to DC confirmed in Sysmon network events.
03:15-07:00 AM
Sysmon Event 3 + NetFlow + SRUM
Exfiltration: Outbound HTTPS to 103.245.67.89 (known C2). NetFlow shows 2.5 GB transferred over 4 hours. SRUM confirms the process responsible and total bytes.

Hash Analysis and IOC Matching

# Calculate file hashes for IOC matching md5sum suspicious.exe sha256sum suspicious.exe # CRITICAL: Search by hash FIRST, do NOT upload the file VirusTotal: Search by SHA-256 hash (uploading shares the file with all VT subscribers) MalwareBazaar: bazaar.abuse.ch — malware sample repository with YARA rules NIST NSRL: Known-good hash database — if a hash is in NSRL, it's legitimate software AlienVault OTX: Community threat intelligence with hash correlation MISP: Malware Information Sharing Platform — organizational threat sharing
SOC Analyst Tip

Anti-Forensics Awareness: Attackers actively destroy evidence. Common techniques: timestomping (alter file timestamps -- detect by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in $MFT), log clearing (Event ID 1102 proves the Security log was cleared), fileless malware (runs entirely in memory -- requires memory forensics), LOLBins (using built-in Windows tools like PowerShell, certutil, wmic to avoid creating new files). Always corroborate across multiple artifact sources. If an attacker clears Windows logs, Sysmon logs may survive. If local logs are gone, SIEM copies persist.

Forensic Timeline Exercise

A SOC analyst has collected the following forensic artifacts from a compromised workstation. Put them in the correct chronological order to reconstruct the attack timeline. Use the up/down arrows to reorder the events.

Reconstruct the Attack Timeline

These events were found during an incident investigation. Arrange them in the order they occurred (earliest first).

Timeline Analysis Methodology

When building a forensic timeline: (1) Identify the earliest known indicator of compromise, (2) Work forward through execution, persistence, and lateral movement artifacts, (3) Identify the final objective (exfiltration, destruction), (4) Work backward from the initial compromise to identify the initial access vector. Use tools like Plaso/log2timeline to automatically create super-timelines from multiple evidence sources.

Knowledge Check

1. What Windows artifact shows program execution history with timestamps?

2. What does the 'M' in MACB times stand for?

3. Where is user command history stored on Linux?

4. What anti-forensic technique alters file timestamps?

5. Which artifact contains SHA1 hashes of executed applications on Windows?

6. According to RFC 3227, what should be collected FIRST during incident response?

7. Windows Event ID 1102 indicates what critical action?