Chapter 8: Artifacts as Evidence

[AndrewRathbun]

Author: Nisarg12

[nisargsuthar]

I'm almost done with the introduction part, covering the following:

• Types of Artifacts Categorization of User data & System data Difference between E-discovery & Digital Forensics
• What is Parsing? Operating system Computer Data Representation
• Artifact-Evidence Relation Taking artifacts at face value Non-equivalence relation

To Do:

• Examples Registry Prefetch Shellbags Jumplists & LNK files SRUM $MFT $I30 $LogFile hiberfil.sys

[AndrewRathbun]

https://github.com/Digital-Forensics-Discord-Server/CrowdsourcedDFIRBook/blob/main/manuscript/chapter16.txt

all yours ^^

[nisargsuthar]

Made the first pull request. I'll still be adding the sections for every artifact example as I work through it, but for now just wanted to put the introduction part out.

Any ideas and corrections are welcome! :)

[AndrewRathbun]

@Nisarg12 if you make a Leanpub account and share the username with me, I can add you to the book and maybe you can generate preview versions of the book yourself when you make changes to your chapter.

[AndrewRathbun]

@Nisarg12 I think we need to make the files in Resources folder named a certain way, like .\Resources\Chapter16_FileNameHere.png rather than .\Resources\Chapter16\FileNameHere.png. You can see your images aren't showing up in the new preview files generated today.

[nisargsuthar]

@Nisarg12 if you make a Leanpub account and share the username with me, I can add you to the book and maybe you can generate preview versions of the book yourself when you make changes to your chapter.

I did, my username is nisargsuthar you can add me. Also I read that leanpub only allows limited number of previews is that true?

[AndrewRathbun]

Adding you now. I paid for a lifetime subscription so we have unlimited previews :)

[nisargsuthar]

@Nisarg12 I think we need to make the files in Resources folder named a certain way, like .\Resources\Chapter16_FileNameHere.png rather than .\Resources\Chapter16\FileNameHere.png. You can see your images aren't showing up in the new preview files generated today.

Ah okay, that works too. I just saw someone make a folder for Chapter 2 so I thought that's what we're doing. Although it should work, I'll try escaping the whitespace as chapter wise directories are easier to manage! I see you moved them to the base directory, I'll change the text file then!

[AndrewRathbun]

@Nisarg12 we may wanna add a piece about how .pf files are compressed and need to be decompressed to see the actual contents.

Examples: https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Prefetch/Win11/RathbunVM

[nisargsuthar]

@Nisarg12 we may wanna add a piece about how .pf files are compressed and need to be decompressed to see the actual contents.

Examples: https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/Prefetch/Win11/RathbunVM

Thanks for pointing this out, I'll include it in the next edit.

[AndrewRathbun]

Yep np, this is where you'd wanna look when using PECmd:

[nisargsuthar]

Yep np, this is where you'd wanna look when using PECmd:

Although I wonder what's the use of this when all the tools including WinPrefetch and PECmd parse them by default. I've never come across the need to manually examine .pf files, are there any other application that I'm missing? Even partial recovery of prefetch files from unallocated space is useless since it will be missing some encrypted bytes 🤔

[AndrewRathbun]

Yep np, this is where you'd wanna look when using PECmd:

Although I wonder what's the use of this when all the tools including WinPrefetch and PECmd parse them by default. I've never come across the need to manually examine .pf files, are there any other application that I'm missing? Even partial recovery of prefetch files from unallocated space is useless since it will be missing some encrypted bytes 🤔

My main point in bringing all this up is just so people know the nature of prefetch files and the magic tools are doing, so maybe they can replicate the process themselves if they are ever so curious. I'm not saying do a tool walkthrough as that can be done in another venue. But just mentioning that they are compressed might be a value add to be a bit more complete? Thoughts?

[nisargsuthar]

My main point in bringing all this up is just so people know the nature of prefetch files and the magic tools are doing, so maybe they can replicate the process themselves if they are ever so curious. I'm not saying do a tool walkthrough as that can be done in another venue. But just mentioning that they are compressed might be a value add to be a bit more complete? Thoughts?

Yes I'll mention it of course, I just momentarily forgot that it may be useful in manual validation for critical timestamps parsed by the tools. Structures are well documented here.

[nisargsuthar]

TODO: Add a resources section for each example to include whitepapers, research papers and articles, with links and attribution.

[AndrewRathbun]

https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Windows/RegistryHivesOther.tkape

Do you think it's worth mentioning that these registry hives also exist but little is known/has yet been discovered about their forensic relevance?

I think you're fine not mentioning them ultimately since most don't know they exist but just floating the idea in case you thought it would be a good value add.

[nisargsuthar]

Do you think it's worth mentioning that these registry hives also exist but little is known/has yet been discovered about their forensic relevance?

I haven't gotten the time to research on them, if something interesting comes up I'll add it. I just included the most basic ones that give much more information than other nuanced ones. Thanks for this, I only knew about some of them.

[AndrewRathbun]

I've read up to line 119 and did some minor editing, spelling error corrections, etc. I will edit this post as I continue to make progress.

[AndrewRathbun]

Hey there! I'm tentatively setting 7/31/2022 as a milestone for publishing v1.0 of this book. We'll have the title decided in the next couple weeks which will be the first of multiple administrative tasks we'll complete in July. At this point, please let me know if you intend to have at least a working, editable version of your chapter by 7/31/2022.

If not, please know that's perfectly fine. It doesn't mean your chapter won't get published, it just won't get published in v1.0. It'll simply be added when it's ready to be published and I'll push out a new version of the book, (i.e., V1.3, v1.7, etc) with your new content. I hope we have about 10 ready to go by 7/31/2022 so we can push to publish v1.0 shortly thereafter, but I won't know that until I hear from you! So, please let me know!

[nisargsuthar]

Hey there! I'm tentatively setting 7/31/2022 as a milestone for publishing v1.0 of this book. We'll have the title decided in the next couple weeks which will be the first of multiple administrative tasks we'll complete in July. At this point, please let me know if you intend to have at least a working, editable version of your chapter by 7/31/2022.

Yes I'll finish the chapter by then! Only 4 page long sub sections are remaining as of now.

[nisargsuthar]

Yes I'll finish the chapter by then! Only 4 page long sub sections are remaining as of now.

I've merged the first complete draft, you can label this for editing now :D

[AndrewRathbun]

I've done a full pass through the chapter. Really good stuff @Nisarg12!

[AndrewRathbun]

If you've not already, please consider filling out your bio here before the end of the month: https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/blob/main/manuscript/authors.txt

[AndrewRathbun]

As we approach publishing v1 of this book, please review the most recent files uploaded to this folder and ensure your chapter looks the way you want it to. If not, please make appropriate adjustments and advise me to regenerate the preview book files.

Additionally, if you've not been invited to the book on Leanpub yet, please provide me with an email address so I can invite you on there.

Thank you for completing your chapter! I hope this has been a fulfilling experience for you!