I have been revisiting the idea of a forensic artifact database for some time now. I have started and re-started several times, and I finally realized why no such thing exists outside a PDF or a spreadsheet: forensic artifacts carry so much information that can be cross-referenced across so many categories, and some are so specific to a single operating system, that a usable database is difficult to build. But I think I have finally figured out a way to make this usable.
Here’s where it stands right now.
I have started (re-started…) the database, and this is what you will be able to do with it:
- Search by artifact name (easy enough)
- Search by category (such as “system artifacts”, “user artifacts”, “Windows artifacts”, etc…)
From there, you will have one artifact per page that gives you:
- Citable definitions (so you don’t have to make up your own definition)
- Summary of what the artifact is
- A detailed description of the artifact
- The file path of the artifact (if applicable)
- A link to direct downloads of white papers on that artifact
- A link to software tools specific to analysis of that artifact
- Videos on “how to do forensics” on that artifact
- Books (if any exist) about that artifact
- Training courses, if they exist, about that artifact
- References to blogs, presentations, and more research specific to that artifact
- You can download everything you need regarding that artifact
- You can give input on what is missing, what needs to be updated, or things to add
Here is one example:
The broad categories include a bunch of sub-categories: Applications (browsers, etc...), Downloads, Cloud / IoT, Files, Geolocation, Network, System (Logs, etc...), User (file copying, deletions, etc...), Devices (USBs, etc...), with cross-referencing between artifacts since one artifact can fit more than one category.
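To make the data model behind the list above concrete (one artifact per page, broad categories with sub-categories, and an artifact allowed to sit in more than one category), here is a small relational sketch of it. This is an added illustration, not the DFIR Training project's own code or schema; every artifact, path and URL in it is a constructed placeholder, and the category names are the ones listed in the post.

```python
"""Toy model of a forensic artifact database: artifacts, a category tree,
a many-to-many cross-reference table and per-artifact resources.
Added illustration, not the project's own schema; all sample artifacts,
paths and URLs below are constructed placeholders."""
import sqlite3
from collections import defaultdict

SCHEMA = """
CREATE TABLE artifact (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE,
    summary   TEXT NOT NULL,
    file_path TEXT                              -- NULL when not applicable
);
CREATE TABLE category (
    id        INTEGER PRIMARY KEY,
    name      TEXT NOT NULL UNIQUE,
    parent_id INTEGER REFERENCES category(id)   -- NULL for a broad category
);
-- Cross-reference: one artifact may sit in several categories and vice versa.
CREATE TABLE artifact_category (
    artifact_id INTEGER NOT NULL REFERENCES artifact(id),
    category_id INTEGER NOT NULL REFERENCES category(id),
    PRIMARY KEY (artifact_id, category_id)
);
-- Everything an artifact page links to: definitions, papers, tools, videos, ...
CREATE TABLE resource (
    artifact_id INTEGER NOT NULL REFERENCES artifact(id),
    kind  TEXT NOT NULL CHECK (kind IN
          ('definition', 'paper', 'tool', 'video', 'book', 'course', 'reference')),
    title TEXT NOT NULL,
    url   TEXT
);
"""

BROAD_CATEGORIES = ("Applications", "Downloads", "Cloud / IoT", "Files",
                    "Geolocation", "Network", "System", "User", "Devices")
SUB_CATEGORIES = {"Browsers": "Applications", "Logs": "System",
                  "USB": "Devices", "File copying": "User"}

# Constructed samples: (name, summary, file_path, categories, resources).
SAMPLE_ARTIFACTS = [
    ("Browser history (sample)", "Constructed browser artifact.", None,
     ["Browsers", "Downloads", "User"],
     [("definition", "Placeholder citable definition", None),
      ("tool", "Placeholder history parser", "https://example.invalid/parser")]),
    ("USB device registry key (sample)", "Constructed device artifact.",
     "PLACEHOLDER\\Registry\\Path", ["USB", "System"],
     [("paper", "Placeholder white paper", "https://example.invalid/paper.pdf")]),
    ("Event log (sample)", "Constructed log artifact.",
     "PLACEHOLDER\\Logs\\example.evtx", ["Logs"], []),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    cat_id = {}
    for name in BROAD_CATEGORIES:
        cat_id[name] = conn.execute(
            "INSERT INTO category(name) VALUES (?)", (name,)).lastrowid
    for name, parent in SUB_CATEGORIES.items():
        cat_id[name] = conn.execute(
            "INSERT INTO category(name, parent_id) VALUES (?, ?)",
            (name, cat_id[parent])).lastrowid
    for name, summary, path, categories, resources in SAMPLE_ARTIFACTS:
        art_id = conn.execute(
            "INSERT INTO artifact(name, summary, file_path) VALUES (?, ?, ?)",
            (name, summary, path)).lastrowid
        conn.executemany("INSERT INTO artifact_category VALUES (?, ?)",
                         [(art_id, cat_id[c]) for c in categories])
        conn.executemany("INSERT INTO resource VALUES (?, ?, ?, ?)",
                         [(art_id, k, t, u) for k, t, u in resources])
    conn.commit()
    return conn


def search_by_name(conn, term: str) -> list[str]:
    """Case-insensitive substring match on the artifact name."""
    rows = conn.execute("SELECT name FROM artifact WHERE name LIKE ? ORDER BY name",
                        (f"%{term}%",))
    return [name for (name,) in rows]


def search_by_category(conn, category: str) -> list[str]:
    """Artifacts filed under a category or any sub-category beneath it.
    The recursive CTE walks the tree, so 'System' also finds 'Logs' artifacts."""
    sql = """
    WITH RECURSIVE subtree(id) AS (
        SELECT id FROM category WHERE name = ?
        UNION ALL
        SELECT c.id FROM category c JOIN subtree s ON c.parent_id = s.id
    )
    SELECT DISTINCT a.name FROM artifact a
    JOIN artifact_category ac ON ac.artifact_id = a.id
    JOIN subtree s ON s.id = ac.category_id
    ORDER BY a.name"""
    return [name for (name,) in conn.execute(sql, (category,))]


def artifact_page(conn, name: str) -> dict:
    """Assemble one artifact's page: summary, path, categories, resources by kind."""
    row = conn.execute("SELECT id, summary, file_path FROM artifact WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        raise KeyError(name)
    art_id, summary, path = row
    categories = [c for (c,) in conn.execute(
        "SELECT c.name FROM category c JOIN artifact_category ac "
        "ON ac.category_id = c.id WHERE ac.artifact_id = ? ORDER BY c.name", (art_id,))]
    resources = defaultdict(list)
    for kind, title, url in conn.execute(
            "SELECT kind, title, url FROM resource WHERE artifact_id = ? ORDER BY kind, title",
            (art_id,)):
        resources[kind].append({"title": title, "url": url})
    return {"name": name, "summary": summary, "file_path": path,
            "categories": categories, "resources": dict(resources)}


if __name__ == "__main__":
    db = build_sample_db()
    print(search_by_category(db, "System"))
```

The cross-reference table is what lets a single artifact answer to several category searches, and the recursive query is what makes a search for a broad category such as System also return artifacts filed only under its Logs sub-category.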
As this is a major effort, it will take some time to add enough artifacts for the database to be useful on every visit. I expect hundreds of artifacts to be listed, including the little things like individual registry keys. Until then, access to the database will be restricted to Patreon subscribers at https://www.patreon.com/DFIRtraining, at every level of subscription, as a bonus to the subscribers. If you’d like early access to the database and a say in shaping its design, please subscribe ($3 for just the database, $30 to add access to several online courses).
I can’t wait to make the entire database public, but until then, it is a work in progress with early access for those who want it now.
Get early access at: