Artifact Analysis
What is Artifact Analysis?
Artifact AnalysisThe examination of digital traces left by operating systems and applications to reconstruct user actions, program execution, and attacker behavior.
Artifact analysis focuses on the persistent and volatile remnants that operating systems and applications generate during normal use: prefetch files, ShimCache, AmCache, jump lists, LNK files, browser history, recycle bin entries, Windows event logs, journald, and many others. Each artifact answers a specific evidentiary question, such as whether a binary was executed or which files a user opened. Analysts collect artifacts with KAPE, Velociraptor, or FTK Imager and parse them with EZ Tools, Plaso, or Autopsy. Findings are interpreted in the context of the operating system version, since artifact formats and retention differ across Windows, macOS, and Linux builds.
● Examples
- 01
Parsing Windows Prefetch to prove that a renamed malware sample was executed twice on a workstation.
- 02
Examining ShellBags to confirm that an attacker browsed a sensitive share.
● Frequently asked questions
What is Artifact Analysis?
The examination of digital traces left by operating systems and applications to reconstruct user actions, program execution, and attacker behavior. It belongs to the Forensics & IR category of cybersecurity.
What does Artifact Analysis mean?
The examination of digital traces left by operating systems and applications to reconstruct user actions, program execution, and attacker behavior.
How do you defend against Artifact Analysis?
Defences for Artifact Analysis typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Artifact Analysis?
Common alternative names include: Forensic artifact analysis, Host artifact analysis.