Bruce Nikkel App_forensic_artifacts.pdf

• web browser
• email client
• office suite
• file managers
• media players
• photo / piv vieweres/managers
• social media apps, cloud sync/connect apps

• financial software
• company developted fat clients
• scientific, engineering apps
• industrial control apps

• bitcoin wallets and clients
• file-sharing apps
• TOR clients
• hack/crack/exploit tools
• malware binaries

Application forensic analysis involves examination of:

• installation date, last used
• configuration, plugins, user preferences
• log data, and audit trails
• persistent data (cookies, cache, objects, recents [eg. recent files in word])
• user activity over time
• application data/content
• additional application meta-data in data/content
• abuse or misuse of an application
• correlate timestamps with other times (logs,physical access logs, CCTV, etc)

• use open standards or proprietry formats
• magic string (#!/bin/bash)
• some files containers may be compressed or encrypted
• dome files may have many nested files (emails with attachments)

The linux file command is used to identify file formats

Always use a write-blocker or read only image to prevent data being writen do the image by viewers.

Proprietary formats:

• need reverse engineering to access the file
• pay for licenses to access the file 
• use existing proprietary tools to extract data
• commercial forensic tools are very good with proprietary data