September 01, 2015

All of us use computers but few know the extent to which our actions leave behind a trail of activity. These clues, collectively referred to as artifacts, hold a wealth of information about a person’s computer usage. However, they tend to be confusing and incomplete. So while artifacts potentially provide insight, it takes the keen eye of an experienced investigator to determine what they mean.

In this article, we will review a few of the common artifacts and what they can tell us. Most computer forensic practitioners can extract this information, but only the best understand the nuances and have the knowledge to separate fact from fiction.

User-Created File Listings

Most investigations start with a review of the user-created files currently stored on the custodian’s computer. These are the files created by users, as opposed to automatically created system files. The user-created files can be both active (currently accessible on the drive) and deleted (removed from the user’s view but possibly recoverable).

Fiction: We can always tell if a file found on the hard drive has been copied to an external storage location.

In most cases, copying a file and pasting it somewhere off the computer does not change the original file. Because of this, investigators can’t tell if a copy of a file has been made just by observing it. However, we can use these files in conjunction with other artifacts to reconstruct events. This can reveal whether files have been moved to external locations, which is a possible sign of data theft.

Fact: Useful information can be learned from the files currently or formerly on the drive.

Forensic investigators review the various file names on a drive, looking for those of interest. Active files may reveal what files the user was accessing. Deleted files may tell us if a user deleted data. If a file is deleted, it is often possible to determine its date of deletion and possibly recover the file for review.

Attached Devices

Next, investigators typically create a list of devices (USB hard drives, mobile phones, etc.) that were connected to the computer at some point in time. For each device, it may be possible to determine its make, model, and serial number, as well as the dates and times it was first and last attached to the computer.

Fiction: The exact dates and times of connections, serial numbers, and other information can always be determined.

While investigators have many techniques to determine this information, often the computer simply does not record it.

Fact: We can get a good idea of what activity was surrounding the external storage devices that were connected to the computer.

Once we’ve established that a device was connected at a certain date and time, we can often determine what the user did with the device by cross-referencing these “timestamps” to information we find in the other artifacts.
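The cross-referencing described above, as an added illustration that is not code from the article: device connection windows are lined up against timestamped accesses taken from other artifacts, and each match is labelled with how strong the tie is. The records are constructed for the example. The volume serial that links an access to a device is an assumption of the example: LNK files carry a VolumeID, but attributing that volume to a particular USB device needs further evidence that is not modelled here.

```python
"""Cross-reference device connection windows with file-access artifacts.

Added illustration, not code from the article. Inputs are constructed
records standing in for what an examiner extracts: devices (make/model,
serial, first/last connection) and timestamped accesses from other
artifacts (LNK files, shellbags). The volume_serial link is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Device:
    make_model: str
    usb_serial: str            # identifier reported by the device itself
    volume_serial: int         # serial of the volume mounted from it (assumed known)
    first_connected: datetime
    last_connected: datetime


@dataclass(frozen=True)
class Access:
    artifact: str              # "lnk", "shellbag", ...
    path: str
    when: datetime
    volume_serial: Optional[int] = None   # recorded in LNK VolumeID; absent for shellbags


@dataclass(frozen=True)
class Hit:
    device: Device
    access: Access
    basis: str


def correlate(devices, accesses, slack=timedelta(minutes=5)):
    """Return accesses attributable to each device, sorted by time.

    A matching volume serial is the strongest tie and is kept even when the
    timestamp falls outside the recorded window, because first/last connection
    does not enumerate every session in between. With no serial available,
    only the time window can be used, and the match is flagged as weak.
    """
    hits = []
    for dev in devices:
        lo, hi = dev.first_connected - slack, dev.last_connected + slack
        for acc in accesses:
            in_window = lo <= acc.when <= hi
            if acc.volume_serial is not None:
                if acc.volume_serial == dev.volume_serial:
                    basis = "volume serial" + ("" if in_window else ", outside recorded window")
                    hits.append(Hit(dev, acc, basis))
            elif in_window:
                hits.append(Hit(dev, acc, "time window only (weak)"))
    return sorted(hits, key=lambda h: h.access.when)


# Constructed sample data (not from any real case).
SAMPLE_DEVICE = Device(
    "Example USB flash drive", "SERIAL-EXAMPLE-001", 0x1A2B3C4D,
    datetime(2015, 6, 15, 9, 0, tzinfo=UTC), datetime(2015, 6, 15, 10, 0, tzinfo=UTC),
)
SAMPLE_ACCESSES = [
    Access("lnk", r"E:\Projects\plan.docx", datetime(2015, 6, 15, 9, 30, tzinfo=UTC), 0x1A2B3C4D),
    Access("lnk", r"C:\Users\jdoe\Documents\notes.txt", datetime(2015, 6, 15, 9, 40, tzinfo=UTC), 0x0BADF00D),
    Access("shellbag", r"E:\Projects", datetime(2015, 6, 15, 9, 45, tzinfo=UTC)),
    Access("lnk", r"E:\archive\old.xlsx", datetime(2015, 7, 1, 14, 0, tzinfo=UTC), 0x1A2B3C4D),
    Access("shellbag", r"C:\Users\jdoe\Desktop", datetime(2015, 6, 16, 8, 0, tzinfo=UTC)),
]


def sample_timeline():
    """Correlate the constructed device against the constructed accesses."""
    return correlate([SAMPLE_DEVICE], SAMPLE_ACCESSES)


if __name__ == "__main__":
    for hit in sample_timeline():
        print(hit.access.when.isoformat(), hit.access.artifact, hit.access.path, "->", hit.basis)
```

Of the five constructed accesses, three are tied to the device: the LNK on E: with the matching volume serial, the shellbag for E:\Projects (time window only, so weak), and a later LNK with the matching serial whose timestamp lies outside the first/last window. The access carrying a different volume serial is never attributed to the device, even though it falls inside the window.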

Link (“LNK”) Files

These are shortcuts that point to another file referred to as the “target file.” LNK files are created to allow the user easy access to files and applications. They store quite a bit of information about the target file, including its location as well as its created, modified, and accessed dates.
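To show where those dates actually sit inside a LNK file, here is an added example (not code from the article) that parses the fixed 76-byte ShellLinkHeader laid out in Microsoft's public MS-SHLLINK specification: the target's creation, access and write FILETIMEs, its size and attributes, and the flags announcing which structures follow. The target's location is stored in those later structures (LinkTargetIDList and LinkInfo), which this example does not parse. The sample header is constructed in the block rather than read from disk.

```python
"""Parse the ShellLinkHeader of a Windows .lnk file.

Added illustration, not code from the article. Layout per MS-SHLLINK:
HeaderSize(4) LinkCLSID(16) LinkFlags(4) FileAttributes(4) CreationTime(8)
AccessTime(8) WriteTime(8) FileSize(4) IconIndex(4) ShowCommand(4)
HotKey(2) Reserved1(2) Reserved2(4) Reserved3(4) = 76 bytes, little-endian.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subset of LinkFlags and FileAttributesFlags values from the specification.
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRS = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL",
}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not recorded'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used to build the constructed sample."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_bits(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk_header(data):
    """Return the header fields as a dict; reject anything that is not a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("data shorter than a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link (bad HeaderSize or CLSID)")
    (flags, attrs, ctime, atime, wtime,
     fsize, icon, show, hotkey) = struct.unpack_from("<IIQQQIiIH", data, 20)
    return {
        "flags": decode_bits(flags, LINK_FLAGS),
        "attributes": decode_bits(attrs, FILE_ATTRS),
        "created": filetime_to_datetime(ctime),
        "accessed": filetime_to_datetime(atime),
        "modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "icon_index": icon,
        "show_command": show,
        "hotkey": hotkey,
    }


def build_sample_header(created, accessed, modified, size, flags=0x82, attrs=0x20):
    """Constructed test input: a bare header with the given timestamps."""
    return struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)


# Constructed sample: target created 2015-06-15 09:30 UTC, last accessed 10:05, modified 09:58.
_UTC = timezone.utc
SAMPLE_HEADER = build_sample_header(
    datetime(2015, 6, 15, 9, 30, tzinfo=_UTC),
    datetime(2015, 6, 15, 10, 5, tzinfo=_UTC),
    datetime(2015, 6, 15, 9, 58, tzinfo=_UTC),
    size=48_213,
)

if __name__ == "__main__":
    for key, value in parse_lnk_header(SAMPLE_HEADER).items():
        print(f"{key:12} {value}")
```

The same parser applies to a real shortcut by passing the first 76 bytes of the file; the CLSID check is what distinguishes a genuine shell link from an unrelated file that happens to carry a .lnk name.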

Fiction: LNK files tell us everything about a target file.

While LNK files are a great resource, they only give metadata about the target file, not its content. Metadata is information about a file rather than the file's contents; examples include file creation time, last modification time, and last access time.

However, we can use them to determine if a file of the same name currently resides on the computer and potentially extract the file for review. Alternatively, if a file of the same name is no longer present, this can be helpful when trying to determine if a user intentionally attempted to delete data.

Fact: LNK files are created when a user opens a file.

This can show us the files that were accessed, including those residing on external storage devices such as USB or network drives.

Shellbags

This is a list of folders that were opened at least once by a user. Shellbag entries are created in order to track user preferences for how folders are displayed.

Fiction: Shellbags can always tell you when a person accessed a folder.

We can’t always identify the exact date and time a user opened a folder. However, we can usually get a good indication of how often a person has accessed folders and their contents.

Fact: Shellbags can show when a user opened folders and files.

This artifact can hold a wealth of historical information since it tracks most of a user’s folder accesses. Using these, it is possible to extrapolate when folders were accessed. In addition, we can identify folders that once existed but do not currently exist on the computer. As with LNK files, this can be helpful when trying to determine if a user intentionally attempted to delete data.

Internet History

Internet browsers track the user’s activities by recording each website a user accesses.

Fiction: The amount of time a user accessed the Internet can be determined.

While we can extract a user’s website visits, the actions conducted while there and the length of time he or she spent on each site are very difficult to determine.

Fact: Internet History databases contain more than just Internet browsing.

A user’s file accesses, downloads, and Internet searches can be recorded in Internet history.

Most Recently Used (“MRU”)

MRU is a generic term for a set of artifacts that list the files and folders recently opened by a user. These can offer clues about a user’s awareness of files, folders, and applications, even if they no longer exist.

Fiction: MRU allows us to know exactly when these files were accessed.

Dates found in MRU artifacts can be incomplete. However, we can cross-reference the file names to other artifacts, which can tell us accurate access dates.

Fact: MRU gives us a picture of what files (and typically in what order) the user recently accessed.

These artifacts track the files a user has recently opened, including Microsoft Office files, Adobe PDFs, and many others.

Conclusion

Digital forensic investigators have many artifacts at their disposal to help build the fact patterns for their investigations. However, due to the complexity of interpreting these artifacts, it is easy to misrepresent what they mean. While well intentioned, some practitioners incorrectly tie together the events, weaving them into a tale consisting of half-truths. Too much is at stake to afford mishaps of this kind, so take care when choosing your forensic expert. Anyone can create a story, but it takes a true expert to separate the arti“facts” from the arti“fictions”.