Artifacts

18 results - showing 1 - 18
Device and account holder information 

MacOS Bluetooth plist

Path for attachments and emails for the Windows default email application.

Based on Kroll’s ongoing examination, EventTranscript.db appears to serve as the local storage for the Windows Diagnostics and Telemetry subsystem whose contents can be displayed with the Diagnostic Data Viewer application within Windows 10. - Kroll https://web.archive.org/web/20211227201637/https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript/diving-deeper-into-eventtranscript

"The good news is that there are artifacts examiners can use to determine the approximate time an Android phone was wiped." - Josh Hickman 

"Per StatCounter, Mozilla Firefox has only a .5% stake in mobile browser usage globally. I can only imagine that number is even further diminished on Android with Chrome's stranglehold. Regardless Josh Hickman gave us some test data to play with in his recent Android 12 image. I also generated some test data further on my Android 11 Pixel 4A for fun. Here's a breakdown of some data that we can pull out." https://www.stark4n6.com/2022/01/firefox-on-android-web-history-visits.html

"Google Maps generates directions in audio form during a navigated journey. What’s more, the files are saved with an epoch time stamp within their file name. These files are saved in the below directory on Android." - @kibaffo33

Featured

LNK

"LNK files (labels or Windows shortcut files) are typically files which are created by the Windows OS automatically, whenever a user opens their files. These files are used by the operating system to secure quick access to a certain file. In addition, some of these files can be created by users themselves to make their activities easier."

Forensic Analysis of LNK Files (belkasoft.com)   

MacOS has a retention period for some log files, so the longer you keep the machine running, the higher are the chances that valuable logs will be overwritten. - https://medium.com/about-developer-blog/macos-forensics-diy-style-3369868505dd

"This folder contains items that run automatically when you log in to any user account on your Mac, and it’s a typical place for nefarious apps to stick files, as doing so could mean that their software will launch whenever you log in." https://www.macobserver.com/tips/quick-tip/macos-check-launchagents-malicious-software/

A startup item is a specialized bundle whose code is executed during the final phase of the boot process, and at other predetermined times (see Managing Startup Items). The startup item typically contains a shell script or other executable file along with configuration information used by the system to determine the execution order for all startup items. - https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html

"This file is a SQLite database with multiple tables that look to be for tracking media played in Chrome (unsurprising, given the file's name)." - Ryan Benson https://web.archive.org/web/20211227182648/https://dfir.blog/media-history-database-added-to-chrome/

This plist file contains most recently used (MRU) Illustrator and Photoshop files. - https://cyberforensicator.com/2017/11/06/the-hitchhikers-guide-to-macos-usb-forensics/

USB Device Tracking on Mac OS X
