Bruce Nikkel OS_forensic_artifacts.pdf

• OS version, kernel version
• kernel config / parameters
• boot sequence
• startup services / daemons (systemd, launchctl)
• old: init.d and rc.d scripts
• boot up and shutdown times

Fo most of these, no special forensic tools are needed, just knowledge of the OS and files

Scheduled jobs / tasks:

• cron / at
• systemd timers
• Windows schtasks
• user and system jobs are separat

Human user activity:

• users and groups 
• logins, logouts
• home directories, user files
• user permissions and security

It is always a challenge to separate human activity from system activity.

Logs tell you a lot (but can be tampered!)

Locations where logs can be found:

• system logs (dmesg, syslog, journalctl)
• MS Windows event logs (Linux tool: grokevt, libevtx)
• log files (/var/log/*)

OS configuration:

• Traditional Unix/Linux: files in  /etc
• MS Windows registry (Linux tools: registry-tools, reglookup)
• gconf/dconf, plist files, systemd units
• dot files ~/.config
• network configuration (DNS, proxy)
• disk configuration (raid? encryption?)
• automounted local and remote drives

OS files that are interesting for forensics:

• temporary files and directories (/tmp, /var/tmp)
• cache fiesl, prefetch files
• crash dumps, error report files
• hibernation files

Application layer OS data:

• clipboard data/history
• last used documents
• recycle bin, trash cans (these are not filesystem artifacts)
• OS search queries, index, thumbnails

The difference between OS and applications is sometimes unclear.

OS specialty items:

• Personal assistants (Cortana, Siri)
• proprietary file transfer (Apple Airdrop)
• Attached synced devices, backup (timemachine)
• othe closely integrated OS applications

Cloud activity:

• cloud sync, backup
• Cached OS cloud artifacts
• VM instances, distributed/cloud nodes
• VDI instances
• thin clients