
Interactive Lab — Artifact Identification Exercise

Module 0 · Free
This lab applies the taxonomy, reliability assessment, and methodology concepts from this module to a practical artifact identification exercise. You will be presented with a KAPE collection inventory and an investigation scenario, and asked to prioritize artifacts, map them to investigation questions, assess their reliability, and build an analysis plan — before touching a single tool.
Deliverable: A completed artifact analysis plan for a forensic investigation, including artifact-to-question mapping, collection verification, analysis priority order, and expected confidence levels.
Estimated completion: 45 minutes

Scenario

You are the forensic examiner assigned to INC-NE-2026-0915 (insider data exfiltration). The KAPE standard collection from David Chen's workstation (DESKTOP-NGE-ENG14) has been delivered to your analysis VM. The collection directory contains:

DESKTOP-NGE-ENG14_20260915/
├── C/
│   ├── $MFT                              (387 MB)
│   ├── $UsnJrnl_$J                       (2.1 GB)
│   ├── $LogFile                          (64 MB)
│   ├── Windows/
│   │   ├── Prefetch/                     (847 .pf files)
│   │   ├── System32/
│   │   │   ├── config/
│   │   │   │   ├── SYSTEM                (18 MB)
│   │   │   │   ├── SYSTEM.LOG1           (1.2 MB)
│   │   │   │   ├── SYSTEM.LOG2           (256 KB)
│   │   │   │   ├── SOFTWARE              (94 MB)
│   │   │   │   ├── SOFTWARE.LOG1         (3.1 MB)
│   │   │   │   ├── SOFTWARE.LOG2         (512 KB)
│   │   │   │   ├── SAM                   (128 KB)
│   │   │   │   ├── SAM.LOG1              (32 KB)
│   │   │   │   └── SAM.LOG2              (32 KB)
│   │   │   └── sru/
│   │   │       └── SRUDB.dat             (42 MB)
│   │   ├── appcompat/
│   │   │   └── Programs/
│   │   │       └── Amcache.hve           (14 MB)
│   │   └── winevt/
│   │       └── Logs/
│   │           ├── Security.evtx         (128 MB)
│   │           ├── System.evtx           (24 MB)
│   │           ├── Application.evtx      (8 MB)
│   │           ├── Microsoft-Windows-Sysmon%4Operational.evtx (67 MB)
│   │           └── Microsoft-Windows-PowerShell%4Operational.evtx (12 MB)
│   └── Users/
│       └── d.chen/
│           ├── NTUSER.DAT                (48 MB)
│           ├── NTUSER.DAT.LOG1           (2.4 MB)
│           ├── NTUSER.DAT.LOG2           (512 KB)
│           ├── AppData/
│           │   ├── Local/
│           │   │   └── Microsoft/
│           │   │       └── Windows/
│           │   │           └── UsrClass.dat     (8 MB)
│           │   └── Roaming/
│           │       └── Microsoft/
│           │           └── Windows/
│           │               └── Recent/
│           │                   ├── AutomaticDestinations/  (342 files)
│           │                   ├── CustomDestinations/     (28 files)
│           │                   └── *.lnk                   (1,247 files)
│           └── Downloads/                (various files)
└── hash_log.txt                          (SHA256 per file)

The HR Director's investigation questions (from WF0.10):

  1. Which folders in the restricted Engineering share did Chen access?
  2. Which specific files did Chen open?
  3. Did Chen copy files to USB storage? If so, which files, when, and to which device?
  4. Did Chen copy files to cloud storage or personal email?
  5. What tools did Chen use to archive or compress files?
  6. What is the total volume of data potentially exfiltrated?
  7. Did Chen attempt to cover his tracks?

Exercise 1: Artifact-to-Question Mapping

For each investigation question, identify the primary artifact source and at least one corroborating source from the KAPE collection. Use this table format in your analysis notes:

  Question             | Primary Artifact | What It Proves | Corroborating Artifact | Expected Confidence
  ---------------------+------------------+----------------+------------------------+--------------------
  1. Folder access     |                  |                |                        |
  2. File access       |                  |                |                        |
  3. USB copy          |                  |                |                        |
  4. Cloud/email exfil |                  |                |                        |
  5. Archive tools     |                  |                |                        |
  6. Data volume       |                  |                |                        |
  7. Anti-forensics    |                  |                |                        |

Work through each question using the artifact taxonomy from WF0.2 and the reliability hierarchy from WF0.6. Which artifacts from the KAPE collection answer each question? What confidence level does each artifact provide?

Exercise 2: Collection Verification

Before analysis begins, verify the collection integrity. Using the KAPE output directory listing above, answer:

  1. Are all five forensic registry hives present, each with its .LOG1 and .LOG2 transaction logs? (A hive without its logs may be missing the most recent, not-yet-flushed changes.)
  2. Are both user-profile hives (NTUSER.DAT and UsrClass.dat) present for the target user?
  3. Is the SRUM database present? (This is frequently missed in triage collections.)
  4. Are Sysmon logs present? (This depends on whether Sysmon was deployed — the NE environment has Sysmon.)
  5. What artifact would you check first to determine the system's OS version and timezone? (Needed before interpreting any timestamps.)
  6. The collection contains 847 Prefetch files. What does this number tell you about the system? (Hint: Windows 8 and later keep at most 1024 .pf files, after which the oldest are evicted; Windows 7 keeps 128.)
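A collection checker of the kind you would run before Step 2, added here as an example (it is not part of the course material and not KAPE's own output handling). It mirrors the scenario's directory listing as a constructed inventory, checks the five hive files in System32\config (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) and both user hives together with their .LOG1/.LOG2 transaction logs, confirms SRUM and Sysmon are present, counts Prefetch entries against the 1024 cap, and recomputes SHA256 against hash_log.txt. Assumptions: hash_log.txt uses sha256sum-style "digest  relative path" lines, the file bytes are constructed, and the Prefetch file names are placeholders.

```python
"""KAPE collection verification (added example; not course or KAPE code).

INVENTORY mirrors the scenario listing; Prefetch names are placeholders and the
hash_log.txt format ("<sha256>  <relative path>", sha256sum style) is an assumption.
"""
import hashlib
import re

CONFIG = "C/Windows/System32/config"
PROFILE = "C/Users/d.chen"
SRUM = "C/Windows/System32/sru/SRUDB.dat"

# The five hive files in System32\config, each with .LOG1/.LOG2 transaction logs.
SYSTEM_HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM", "DEFAULT")
PREFETCH_CAP = 1024  # Windows 8 and later; Windows 7 keeps 128

# Constructed inventory, relative to the collection root, taken from the scenario tree.
INVENTORY = [
    "C/$MFT", "C/$UsnJrnl_$J", "C/$LogFile",
    *[f"{CONFIG}/{h}{s}" for h in ("SYSTEM", "SOFTWARE", "SAM") for s in ("", ".LOG1", ".LOG2")],
    SRUM,
    "C/Windows/appcompat/Programs/Amcache.hve",
    *[f"C/Windows/winevt/Logs/{n}.evtx" for n in (
        "Security", "System", "Application",
        "Microsoft-Windows-Sysmon%4Operational", "Microsoft-Windows-PowerShell%4Operational")],
    *[f"{PROFILE}/NTUSER.DAT{s}" for s in ("", ".LOG1", ".LOG2")],
    f"{PROFILE}/AppData/Local/Microsoft/Windows/UsrClass.dat",
    *[f"C/Windows/Prefetch/PLACEHOLDER{i:04d}-00000000.pf" for i in range(847)],
]


def verify_inventory(paths, profile=PROFILE):
    """Answer Exercise 2 questions 1-4 and 6 from a list of collected paths."""
    present = set(paths)
    expected = [f"{CONFIG}/{h}{s}" for h in SYSTEM_HIVES for s in ("", ".LOG1", ".LOG2")]
    expected += [f"{profile}/NTUSER.DAT{s}" for s in ("", ".LOG1", ".LOG2")]
    expected.append(f"{profile}/AppData/Local/Microsoft/Windows/UsrClass.dat")
    pf_count = sum(1 for p in present
                   if p.startswith("C/Windows/Prefetch/") and p.lower().endswith(".pf"))
    return {
        "missing": [p for p in expected if p not in present],
        "srum_present": SRUM in present,
        "sysmon_present": any("Microsoft-Windows-Sysmon" in p for p in present),
        "prefetch_count": pf_count,
        # At the cap the folder is rolling over and the oldest .pf entries are already gone.
        "prefetch_at_cap": pf_count >= PREFETCH_CAP,
    }


HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def verify_hashes(hash_log_text, read_file):
    """Recompute SHA256 for every hash_log.txt entry. read_file(path) returns bytes or None."""
    result = {"ok": [], "mismatch": [], "unreadable": []}
    for line in hash_log_text.splitlines():
        m = HASH_LINE.match(line)
        if not m:
            continue  # header or blank line
        expected, path = m.group(1).lower(), m.group(2)
        data = read_file(path)
        if data is None:
            result["unreadable"].append(path)
        elif hashlib.sha256(data).hexdigest() == expected:
            result["ok"].append(path)
        else:
            result["mismatch"].append(path)
    return result


# Constructed file bytes and a constructed hash log with one bad digest and one missing file.
FILES = {
    "C/$LogFile": b"constructed $LogFile bytes",
    SRUM: b"constructed SRUDB.dat bytes",
    "C/Windows/appcompat/Programs/Amcache.hve": b"constructed Amcache.hve bytes",
}
HASH_LOG = "\n".join([
    f"{hashlib.sha256(FILES['C/$LogFile']).hexdigest()}  C/$LogFile",
    f"{hashlib.sha256(FILES[SRUM]).hexdigest()}  {SRUM}",
    f"{'0' * 64}  C/Windows/appcompat/Programs/Amcache.hve",   # deliberately wrong digest
    f"{'1' * 64}  C/Windows/winevt/Logs/Security.evtx",         # not present in FILES
])

if __name__ == "__main__":
    for key, value in verify_inventory(INVENTORY).items():
        print(f"{key}: {value}")
    for key, value in verify_hashes(HASH_LOG, FILES.get).items():
        print(f"hash {key}: {value}")
```

A "missing" entry is a fact about the listing, not a conclusion about the host: a hive absent from a triage collection is a collection-scope question to raise with whoever ran KAPE (and, if needed, a re-collection), and a hash mismatch or unreadable file stops analysis until the transfer is repeated and the hash log re-verified.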

Exercise 3: Analysis Priority Order

You have limited time — the HR proceeding is in 3 weeks and you have other cases. Define your analysis priority order: which artifacts do you analyze first, second, third?

Consider: which investigation questions are most critical to the HR proceeding? Which artifacts are at greatest risk of misinterpretation without careful analysis? Which artifacts provide the broadest coverage with the least analysis time?

Build a numbered priority list of analysis tasks, from first to last, with the rationale for each priority decision.

Exercise 4: Anti-Forensic Assessment Plan

Question 7 asks whether Chen attempted to cover his tracks. Before you analyze any artifacts, define what you will check:

  1. What Event Log indicators would show log clearing?
  2. What Prefetch indicators would show artifact deletion?
  3. What USN Journal indicators would show bulk file deletion?
  4. What timestamp indicators would show timestomping?
  5. What registry indicators would show cleanup tool usage?
  6. What browser indicators would show history clearing?

For each indicator, identify the specific artifact, the specific field or pattern, and what its presence or absence means.
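The first four indicators above, turned into checks over already-parsed records, as an added example (not course material; the record field names are this example's own and not the output of any particular parser). Every event, MFT record and USN entry below is constructed. The event IDs (Security 1102, System 104) and the USN_REASON_FILE_DELETE flag are the real Windows values; the timestomping heuristics compare $STANDARD_INFORMATION against $FILE_NAME and look for zeroed sub-second precision, and both are leads to corroborate, not proof on their own.

```python
"""Anti-forensic indicator checks (added example; not course code).

Record field names are this example's own; every record below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Log clearing is itself logged: Security 1102 "The audit log was cleared" and
# System 104 "The System log file was cleared", both from Microsoft-Windows-Eventlog.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}

# USN_REASON_FILE_DELETE bit of the USN_RECORD reason mask.
USN_REASON_FILE_DELETE = 0x00000200


def log_clear_events(events):
    """Events recording a log being cleared; a gap in the log before them is the next check."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEAR_IDS]


def timestomp_indicators(mft_records):
    """$STANDARD_INFORMATION (SI) is settable from user mode; $FILE_NAME (FN) is kernel-maintained.
    SI created before FN created, or SI times with no sub-second part, are leads, not proof:
    files restored from FAT/exFAT or some archivers legitimately carry second-granularity times."""
    hits = []
    for r in mft_records:
        reasons = []
        if r["si_created"] < r["fn_created"]:
            reasons.append("SI created precedes FN created")
        # FILETIME is 100 ns; datetime keeps microseconds, enough to spot a zeroed fraction.
        if r["si_created"].microsecond == 0 and r["si_modified"].microsecond == 0:
            reasons.append("SI timestamps have zero sub-second precision")
        if reasons:
            hits.append((r["path"], reasons))
    return hits


def deletion_bursts(usn_records, window=timedelta(seconds=60), threshold=50):
    """Runs of at least `threshold` FILE_DELETE records inside `window`, as (first, last, count)."""
    dels = sorted(r["time"] for r in usn_records if r["reason"] & USN_REASON_FILE_DELETE)
    bursts, i = [], 0
    while i < len(dels):
        j = i
        while j + 1 < len(dels) and dels[j + 1] - dels[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((dels[i], dels[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def prefetch_gaps(executed_names, prefetch_files):
    """Executables known from Amcache/Shimcache with no EXENAME-HASH.pf: candidate .pf deletion.
    Confirm with USN FILE_DELETE records for *.pf before calling it anti-forensics; Prefetch
    can also simply be disabled by policy."""
    have = {f.rsplit("-", 1)[0].upper() for f in prefetch_files if f.lower().endswith(".pf")}
    return [e for e in executed_names if e.upper() not in have]


# Constructed sample records.
UTC = timezone.utc
T0 = datetime(2026, 9, 12, 21, 40, 0, 0, tzinfo=UTC)
EVENTS = [
    {"channel": "Security", "event_id": 4624, "time": T0},
    {"channel": "Security", "event_id": 1102, "time": T0 + timedelta(hours=2)},
    {"channel": "System", "event_id": 104, "time": T0 + timedelta(hours=2, seconds=5)},
]
MFT = [
    {"path": r"C:\Users\d.chen\Downloads\roadmap.zip",   # SI pushed back, zeroed fraction
     "si_created": datetime(2025, 1, 1, 9, 0, 0, 0, tzinfo=UTC),
     "si_modified": datetime(2025, 1, 1, 9, 0, 0, 0, tzinfo=UTC),
     "fn_created": T0 + timedelta(minutes=3)},
    {"path": r"C:\Users\d.chen\Downloads\photo.jpg",     # copied from a FAT card: one weak lead
     "si_created": T0 - timedelta(days=5),
     "si_modified": T0 - timedelta(days=5),
     "fn_created": T0 - timedelta(days=5)},
    {"path": r"C:\Windows\System32\notepad.exe",         # untouched
     "si_created": datetime(2025, 5, 1, 10, 3, 7, 417208, tzinfo=UTC),
     "si_modified": datetime(2025, 5, 1, 10, 3, 7, 417208, tzinfo=UTC),
     "fn_created": datetime(2025, 5, 1, 10, 3, 7, 417208, tzinfo=UTC)},
]
USN = [{"time": T0 + timedelta(hours=1, seconds=0.5 * k), "reason": 0x80000200}  # DELETE|CLOSE
       for k in range(60)]
USN += [{"time": T0 - timedelta(days=d), "reason": 0x80000200} for d in (1, 2, 3)]
USN += [{"time": T0, "reason": 0x80000002}]  # DATA_EXTEND|CLOSE, not a delete

if __name__ == "__main__":
    print(log_clear_events(EVENTS))
    print(timestomp_indicators(MFT))
    print(deletion_bursts(USN))
    print(prefetch_gaps(["7Z.EXE", "NOTEPAD.EXE"], ["NOTEPAD.EXE-D8414F97.pf"]))
```

Each function returns candidates for the analysis plan, not findings: the roadmap.zip record trips both timestomping heuristics while photo.jpg trips only the sub-second one, which is exactly the difference between a lead worth cross-checking against the USN Journal and $LogFile and a benign copy from a FAT-formatted device. The window and threshold for deletion bursts are tuning choices for this example and should be set from the host's normal USN churn.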

Deliverable

Complete the four exercises and save your analysis plan as a document in your case notes directory (C:\Cases\INC-NE-2026-0915\notes\analysis-plan.md). This analysis plan is the Step 1 output of the five-step methodology — you will execute Steps 2-5 when we analyze each artifact category in modules WF1-WF10, and bring everything together in the complete INC-NE-2026-0915 investigation in WF13.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation