When a user accesses a file or folder, the operating system records information in a range of different locations. Each of these unique artifacts provides information that can be used as evidence in both forensic investigations and incident response matters.
Some examples of the evidence that can be found when analysing artifacts are:
- Determining if and when a file or folder has been opened or modified
- What files or folders a user was accessing at a given point in time
- External devices that were connected to a computer and whether any files on the external device were accessed from the computer
- Evidence of previously existing folders that have since been deleted
In a forensic investigation, knowing if and when a file or folder was opened helps us to determine what a user was accessing or creating at a particular time of interest. For example, when an employee has been accused of stealing intellectual property, establishing whether and when they accessed the material in question can prove or disprove that theft occurred.
Some of the key artifacts we search for include recent files, shortcut files (LNK files), MRU (Most Recently Used) files, Shellbags, and certain file access data captured by Microsoft Edge.
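As an added example (not part of the original article), the following Python script parses the header and string fields of a Windows shortcut (LNK) file, one of the artifacts listed above. The field layout follows the public MS-SHLLINK specification: a 76-byte ShellLinkHeader carrying the target's creation, access and write timestamps as FILETIME values, its size and attributes, followed by optional structures and the StringData fields (relative path, working directory and so on). The sample LNK bytes are constructed inside the script so it runs offline; the user name and document path in them are made up.

```python
"""Minimal Windows Shell Link (.lnk) parser for forensic triage.

Added example, not the article's code. Layout per MS-SHLLINK; the sample
shortcut built by build_sample_lnk() is constructed here for demonstration.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) order
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}
# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_lnk(data):
    """Return the target timestamps, flags, attributes and StringData of a LNK file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    result = {
        "link_flags": _flag_names(flags, LINK_FLAGS),
        "file_attributes": _flag_names(attrs, FILE_ATTRIBUTES),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
    }
    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: uint16 IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # LinkInfo: uint32 LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & 0x80)
    for bit, field in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            result[field] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return result


def build_sample_lnk():
    """Constructed sample: a Unicode shortcut to a 2048-byte document with a
    relative path and working directory, no IDList and no LinkInfo."""
    created = datetime(2022, 1, 15, 8, 30, 0, tzinfo=timezone.utc)
    modified = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    flags = 0x08 | 0x10 | 0x80  # HasRelativePath | HasWorkingDir | IsUnicode
    header = struct.pack(
        "<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
        datetime_to_filetime(created), datetime_to_filetime(modified),
        datetime_to_filetime(modified), 2048, 0, 1, 0, 0, 0, 0)

    def string_data(s):  # uint16 character count followed by UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + string_data(r"..\Documents\quarterly-report.docx")
            + string_data(r"C:\Users\alice\Documents"))


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

The timestamps recovered here are those of the target file as Windows saw it when the shortcut was written, so they survive even if the target has since been deleted; comparing them with the shortcut's own filesystem timestamps is a routine check when building a timeline of what a user opened.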
When conducting an incident response investigation, file/folder access artifacts are particularly helpful, especially for ransomware attacks. When responding to a ransomware attack it is important to understand whether the attackers have accessed any intellectual property (IP) and whether any of this data has been exfiltrated. There has been a significant rise in ransomware groups using double extortion tactics to compel victims to pay a ransom. Double extortion is when the attackers demand a ransom for the encrypted files and also in exchange for not publishing stolen organisational data on the internet.