Abstract
The essence of any forensic examination is to look for data, that is, artifacts. While it is impossible to describe every artifact that may be of interest in a given investigation, this chapter describes how to find some of the artifacts that examiners very commonly look for. The chapter first describes how to find information such as the install date and time zone settings in the Windows registry. Next, it provides a rather detailed description of how to analyze a partition table to ensure that all drive space is allocated to a partition. An overview of how to search for deleted files is also included. A lot of good information can be found in file metadata, which includes information such as when a file was created and by whom. The chapter describes how to analyze different kinds of metadata and then presents an approach to analyzing log files. It ends with a discussion of how to analyze unorganized data such as unpartitioned disk space or slack.
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kävrestad, J. (2020). Finding Artifacts. In: Fundamentals of Digital Forensics. Springer, Cham. https://doi.org/10.1007/978-3-030-38954-3_14
DOI: https://doi.org/10.1007/978-3-030-38954-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38953-6
Online ISBN: 978-3-030-38954-3
eBook Packages: Computer Science, Computer Science (R0)