Bruce Nikkel OS_forensic_artifacts.pdf

Card set details

Cards 10
Language English
Category Computer Science
Level University
Created / Updated 21.06.2019 / 01.07.2020
Licensing Not specified
Web link
https://card2brain.ch/box/20190621_bruce_nikkel_osforensicartifacts_pdf

What does the forensic analysis of an OS include?

  • boot and shutdown
  • scheduled tasks
  • installed software
  • user activity
  • system logs
  • system configuration
  • other OS related files

What information can be extracted from the system and kernel?

  • OS version, kernel version
  • kernel config / parameters
  • boot sequence
  • startup services / daemons (systemd, launchctl)
  • old: init.d and rc.d scripts
  • boot up and shutdown times

For most of these, no special forensic tools are needed, just knowledge of the OS and its files.

Name some system components that handle scheduled tasks.

Scheduled jobs / tasks:

  • cron / at
  • systemd timers
  • Windows schtasks
  • user and system jobs are separate

Name some things that can be looked at to identify user activities.

Human user activity:

  • users and groups
  • logins, logouts
  • home directories, user files
  • user permissions and security

It is always a challenge to separate human activity from system activity.

What is the problem with information in logs, and where can logs be found?

Logs tell you a lot (but they can be tampered with!)

Locations where logs can be found:

  • system logs (dmesg, syslog, journalctl)
  • MS Windows event logs (Linux tool: grokevt, libevtx)
  • log files (/var/log/*)

Name some locations where OS configuration is stored.

OS configuration:

  • Traditional Unix/Linux: files in /etc
  • MS Windows registry (Linux tools: registry-tools, reglookup)
  • gconf/dconf, plist files, systemd units
  • dot files ~/.config
  • network configuration (DNS, proxy)
  • disk configuration (raid? encryption?)
  • automounted local and remote drives

Name some other interesting OS information.

OS files that are interesting for forensics:

  • temporary files and directories (/tmp, /var/tmp)
  • cache files, prefetch files
  • crash dumps, error report files
  • hibernation files

Name some application layer OS data that is forensically interesting.

Application layer OS data:

  • clipboard data/history
  • last used documents
  • recycle bin, trash cans (these are not filesystem artifacts)
  • OS search queries, index, thumbnails

The difference between OS and applications is sometimes unclear.