“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”
~ Paul L. Kirk, forensic scientist
One of the foremost axioms of forensics, digital or otherwise, is Locard’s Exchange Principle. Simply put, this principle, formulated by Dr. Edmond Locard (known in his time as “the Sherlock Holmes of France”), states:
“Every contact leaves a trace.”
These traces are the tiny pieces left behind that we forensic investigators use to determine, in a given situation, what happened, where and when it happened, who it happened to, how it happened, and who did it.
As Paul L. Kirk, one of the seminal minds in the field of forensic science, famously laid out in the quote above, these traces can’t lie. They can only be misunderstood or ignored*. You can think of traces as signposts leading to the truth. Follow them accurately and you’ll get there. Overlook them, take a wrong turn somewhere, draw the wrong conclusion at some point in your investigation… and wherever you end up, it probably won’t be with the correct answer to the questions you need answered.
*Well, many of the traces that were considered ironclad in his day, like hair fibers, aren’t quite as authoritative in modern forensic science as they were decades ago. The traces don’t lie, but their significance, and the conclusions they lead to, can be overstated or understated to an investigator’s detriment. This is an idea we should keep in mind with digital evidence artifacts as well. In the ever-changing world of technology, what is true today may not be true tomorrow, and the weight or importance of a given artifact can change over time.
In digital forensics, we aren’t dealing with footprints and hair fibers, at least not in a literal sense. (Modern physical forensics doesn’t even deal with hair fibers anymore, now that we know how much more reliable DNA is as evidence.) We have a different set of traces to track on our way to the truth, and we call these traces artifacts.
What Are My Favorite Artifacts?
Like the footprints, DNA, fingerprints, or blood left behind by the criminal in Kirk’s quote at the top of this post, forensic artifacts are the digital equivalent: the things left behind unintentionally, unconsciously, and often invisibly that help us get to the bottom of an incident. In a digital forensics investigation, artifacts include things like registry keys, files, timestamps, and event logs. These are the traces we follow in digital forensic work.
Every form of storage, every file system, and every operating system works differently and creates different artifacts in response to what you do while using it. These artifacts are tiny and invisible, although you see their effects every time you access a computer, a network, a phone, or a tablet. You’d be surprised at what we can learn about the behavior of somebody accessing your device just by looking at the artifacts they leave behind!
In the coming months, I’ll be taking a deep dive into some of the forensic artifacts I see in my information security investigations that I find the most useful, the most interesting, or both. Here are just a few of the artifacts I’ll be covering in this blog series:
- Smartphone User Dictionaries
- Smartphone Context Log-0 (Samsung)
- SQLite database files (look for my first book review here!)
- $LogFile Artifacts
- Link Files
- Shell Bags
- Prefetch Files
- Amcache Artifacts
- Other totally cool stuff
I’ll also delve into some of the unique properties of flash memory: what sets it apart, in terms of the artifacts it creates, from the traditional spinning-disk hard drive we’ve all come to know and love over the past sixty years, and the unique challenges and opportunities it presents for us as investigators.
I can’t wait to get to the next installment, and I hope you can’t, either!