Finding Artifacts

Kävrestad, Joakim

doi:10.1007/978-3-030-38954-3_14

Joakim Kävrestad²

2462 Accesses

Abstract

The essence of any forensic examination is to look for data, artifacts. While it is impossible to describe all possible artifacts that may be of interest in any given investigation, this chapter aims to describe how to find some artifacts that are very common to look for. The chapter first describes how to find information such as install date and time zone settings from the Windows registry. Next, the chapter provides a rather detailed description of how to analyze a partition table in order to ensure that all drive space is allocated to a partition. An overview of how to search for deleted files is also included. A lot of good information can be found in file metadata, which includes information such as when a file was created and by whom. Analyzing different kinds of metadata is described before the chapter presents an approach on how to analyze log files. At the end of this chapter is a discussion on how to analyze unorganized data such as unpartitioned disk space or slack.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 44.99; Price excludes VAT (USA)

Softcover Book: USD 59.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
https://sqlitebrowser.org/dl/

References

AccessData (2013) AccessData forensics. AccessData group
Google Scholar
EaseUS (2017) EaseUs partition recovery wizard. Available online: https://www.easeus.com/partition-recovery/. Fetched: July 01, 2017
Guidance Software (2016) EnCase computer forensics II. Guidance Software
Google Scholar
Knutson T, Carbone R (2016) Filesystem timestamps: what makes them tick? GIAC GCFA Gold Certification
Google Scholar
Rusbarsky KL (2012) A forensic comparison of NTFS and FAT32 file systems. Available online: http://www.marshall.edu/forensics/files/RusbarskyKelsey_Research-Paper-Summer-2012.pdf. Fetched: July 06, 2017
Softxpantion (2009) Metadata in microsoft office and in PDF documents. Available online: https://www.soft-xpansion.eu/files/cc/Metadata.pdf. Fetched: July 06, 2017
Zacker (2014) Installing and configuring windows server 2012 R2. Wiley, Hoboken
Google Scholar

Download references

Author information

Authors and Affiliations

School of Informatics, University of Skövde, Skövde, Sweden
Joakim Kävrestad

Authors

Joakim Kävrestad
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Kävrestad, J. (2020). Finding Artifacts. In: Fundamentals of Digital Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-38954-3_14

Download citation

DOI: https://doi.org/10.1007/978-3-030-38954-3_14
Published: 20 May 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38953-6
Online ISBN: 978-3-030-38954-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics