Archive for the ‘Uncategorized’ Category

IOCs and RMOs

Posted by:  /  Tags: , , ,

Happy New Year to the digital forensics community from everyone here at Forensic Artifacts! We have been busy with some site changes and additions that will hopefully benefit everyone in the upcoming year.

First, we added a new subdomain,, to assist in sharing information based on Mandiant‘s OpenIOC initiative. The framework and tools released at for standardizing and sharing Indicators of Compromise (IOC) allow analysts to quickly identify artifacts of network intrusions. The XML .ioc file produced can easily be shared allowing other analysts to look for the same artifact on different networks.

We created as a place to categorize and share .ioc files. All that is needed is for an examiner to submit the .ioc file allowing us to populate the post and offer the .ioc for download, while other users can comment on the post to help make the .ioc stronger. Other than the Mandiant Forum, this is the only other repository we know of where users can share the IOCs they have created. By adding IOCs to the Forensic Artifacts website, our goal is to aid forensic examiners by having different types of information all under one roof. This should enhance the usefulness of the site and allow examiners to find the information they need much more efficiently.

Second, Rob Lee and SANS have graciously offered up a SANS Lethal Forensicator Coin for anyone submitting six or more artifacts or IOCs in any given year. There is a proud group of forensic analysts who currently possess one of these Round Metal Objects (RMO) and we are lucky enough to provide another avenue of earning the coin. The history of the coin and the term forensicator can be found on the link above. The rules for earning a coin through Forensic Artifacts are the same as the SANS Forensic Blog, simply submit six artifacts or IOCs in the span of a year and you’ll be eligible to earn the coin.

We’re looking forward to serving the community and watching the site grow. Please let us know if you have any suggestions or changes that will strengthen the site and enhance our ability to serve the digital forensics community.

Take Artifacts with you using Evernote

Posted by:

Everyone’s favorite forensic tool, Mark McKinnon, contacted us recently to let us know he has imported all of the Forensic Artifact posts into Evernote. The Evernote page can be accessed and linked to your Evernote account here:

If you have an Evernote account, you can now sync all the Forensic Artifacts posts across your computer as well your mobile devices. Offline access is also a major benefit. Hopefully all future posts (and other community generated offerings) will be synced with the notebook to keep things current.

Thanks, Mark!



We’re back!

Posted by:  /  Comments: 1

Hey Everyone,

I’d like to apologize for the lengthy layoff that the site has had (3 months). Things had gotten a bit hectic over that time. Matt has found new employment and has less time to contribute as of late. I was on vacation, then out sick in December. Oh and I am still putting out my podcast, Cyber Crime 101 (shameless plug), on a regular basis. My case load at work increased a bit and I had been playing catch up ever since.

Well, things have evened out (at least for me) at work and I realized the lack of attention being paid to this site. With that said, I hope to post here on a regular basis. I am looking to do a post every 2 weeks. I figure this should be a good way to populate the site without stress. Also, I ask that if you have an Artifact that you have good knowledge of that hasn’t been covered here yet, please use the “Submit” page to help contribute back to the Digital Forensics Community. Furthermore, if you see a previous post that you believe might be missing or might have updated information, please contact us and let us know. That way we can get the latest information out to our fellow examiners/analysts/forensicators (whatever title you want to go by).

Joe G.

State of the Artifacts: August

Posted by:  /  Comments: 1

First of all, thank you very much to all those that supported us through our launch this month. We greatly appreciate all the feedback and suggestions we have received.

While we are just starting out and have only posted twelve artifacts to date, we have received a great following and are looking forward to consistently adding content. Please consider sharing your expertise and submitting an artifact or two.

In the just under three weeks that the site has been active, we have received 5000 pageviews, have 82 RSS subscribers (according to Google Webmaster Tools), and have 79 followers on our Twitter feed.

The top five viewed artifacts this month were:

— Computer Name
— Skype
— App_Paths
— CurrentControlSet
— ShowHiddenFolders

The top five searches for artifacts (from both entry keyword and on-site searches) were:

— Google Desktop Search
— acmru
— plist
— prefetch

As the site is populated with more content these statistics will be much more interesting. For instance, there was some search activity for DLLs around the time the DLL exploit went wild. With additional content, we may be able to see search trends based on what malware is popular at the moment and what artifacts it might affect.

Hit submit and help the mission!

Thanks again to everyone who has helped with site and offered words of encouragement.

Registry: App Paths

Posted by:

Author Name

Artifact Name
App Paths

Artifact/Program Version
Windows Specific

An application that is installed for all users of the computer can be registered under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths registry key. In Windows 7 and later, an application that is installed for only one user can be registered under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths registry key.

The entries found under App Paths are used primarily for the following purposes:

  • To map an application’s executable file name to that file’s fully qualified path.
  • To append information to the PATH environment variable on a per-application, per-process basis.

If the name of a subkey of App Paths matches the file name, the Shell performs two actions:

  • The (Default) entry is used as the file’s fully-qualified path.
  • The Path entry for that subkey is appended to the PATH environment variable of that process. If this is not required, the Path value can be omitted.

Registry Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths

Research Links

Forensic Programs of Use

Registry: Common MRUs

Posted by:  /  Tags: , ,  /  Comments: 1

Author Name

Artifact Name
Common Windows Most Recently Used Locations

Artifact/Program Version

Windows (various versions)




Registry Keys


The author sent in a submission which included numerous Registry Keys for examiners to look for regarding Windows MRU Locations.  It was essentially a copy & paste from the ForensicsWiki page.  I have left the link to that page below so that if you would like to check out that list you can for further educational purposes.  I felt that it did not fit the format that we are going for here on this site.  Thank you to the author for their submission!

Research Links

Forensic Programs of Use