Module Summary — The Forensic Artifact Landscape
This module established the foundation for every artifact analysis module that follows. The concepts introduced here — the raw-first principle, the reliability hierarchy, the corroboration standard, the five-step methodology — are not theoretical frameworks. They are operational practices that determine whether your findings survive scrutiny or collapse under challenge.
The raw-first principle
Tools parse artifacts. When the tool is correct, it saves hours. When the tool is wrong, only the examiner who understands the raw artifact can detect the error. Every artifact in this course is examined at the binary level before tool output is introduced. This is not academic depth — it is the minimum standard for defensible forensic analysis.
The six artifact categories
Windows forensic artifacts organize into six categories: filesystem (MFT, USN Journal, $LogFile, $I30), execution (Prefetch, Amcache, Shimcache, BAM/DAM, UserAssist), user activity (ShellBags, LNK files, Jump Lists, MRU lists), system (Event Logs, Registry), network (SRUM, browser, DNS, cloud sync), and volatile (processes, connections, memory). Each category has different persistence characteristics, different reliability ratings, and different anti-forensic vulnerabilities.
NTFS generates the evidence
The four NTFS timestamps ($SI and $FN, each with MACE) behave differently under different operations and have different reliability ratings. $FN Created is the most forensically reliable timestamp — set once at file creation, never updated by normal operations, not modifiable by user-mode applications. $SI timestamps are modifiable by any application via SetFileTime() and are the primary timestomping target. The comparison between $SI and $FN timestamps is the primary detection method for timestomping.
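The cross-attribute comparison described above, as an added example that is not part of the course material: it decodes the four MACE FILETIMEs from raw $STANDARD_INFORMATION and $FILE_NAME attribute bodies and applies two indicators, $SI Created predating $FN Created, and every $SI timestamp carrying a zero sub-second fraction. The attribute-body offsets follow the documented NTFS on-disk layout; the two sample records, the file names and the timestamp values are constructed for this example. Both checks are indicators, not proof: a file copied from another volume or written by an installer can also show unusual $SI/$FN relationships, so any hit is corroborated against the USN Journal and $LogFile before it is reported.

```python
"""$SI vs $FN timestamp comparison from raw MFT attribute bodies.

Added example, not course code. Layout assumptions, from the documented
NTFS on-disk format:
  $STANDARD_INFORMATION body: four little-endian FILETIMEs at 0x00
      (Created, Modified, MFT-Changed, Accessed), then flags and other fields.
  $FILE_NAME body: 8-byte parent directory reference at 0x00, the same four
      FILETIMEs at 0x08, sizes, flags, reparse tag, name length, namespace, name.
A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
MACE = ("created", "modified", "mft_changed", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME -> aware UTC datetime (microsecond precision, 100 ns digit dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME using exact integer arithmetic."""
    delta = dt - EPOCH_1601
    return ((delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_si_timestamps(si_body: bytes) -> dict:
    """MACE timestamps from a raw $STANDARD_INFORMATION attribute body."""
    return dict(zip(MACE, struct.unpack_from("<4Q", si_body, 0x00)))


def parse_fn_timestamps(fn_body: bytes) -> dict:
    """MACE timestamps from a raw $FILE_NAME attribute body."""
    return dict(zip(MACE, struct.unpack_from("<4Q", fn_body, 0x08)))


def timestomp_indicators(si: dict, fn: dict) -> list:
    """Cross-attribute checks; each hit is an indicator to corroborate, not proof."""
    findings = []
    # $FN Created is set by the kernel at creation; a $SI Created that
    # predates it cannot arise from normal file operations.
    if si["created"] < fn["created"]:
        findings.append("$SI Created predates $FN Created")
    # SetFileTime()-driven changes commonly land on whole seconds, leaving
    # the 100 ns fraction zero in every $SI timestamp.
    if all(ts % 10_000_000 == 0 for ts in si.values()):
        findings.append("all $SI timestamps have zero sub-second fraction")
    return findings


def analyse(si_body: bytes, fn_body: bytes) -> list:
    """Raw bodies in, indicator list out."""
    return timestomp_indicators(parse_si_timestamps(si_body), parse_fn_timestamps(fn_body))


# --- constructed sample attribute bodies (not taken from any real image) ---
def build_si_body(ts: dict) -> bytes:
    """Constructed $SI body: 4 FILETIMEs followed by zeroed flag fields (0x30 bytes)."""
    return struct.pack("<4Q", *(ts[k] for k in MACE)) + b"\x00" * 16


def build_fn_body(ts: dict, name: str) -> bytes:
    """Constructed $FN body: parent ref, 4 FILETIMEs, sizes, flags, reparse, name."""
    return (struct.pack("<Q", 5 | (5 << 48))             # parent: MFT entry 5 (root), seq 5
            + struct.pack("<4Q", *(ts[k] for k in MACE))
            + struct.pack("<QQII", 4096, 1337, 0x20, 0)   # alloc size, real size, flags, reparse
            + struct.pack("<BB", len(name), 3)            # name length, namespace 3 (Win32+DOS)
            + name.encode("utf-16-le"))


# Constructed values: a real creation time with a non-zero 100 ns digit, and a
# whole-second 2019 value standing in for a backdated $SI set.
REAL_CREATED = datetime_to_filetime(datetime(2024, 6, 15, 10, 22, 31, 123456, timezone.utc)) + 7
STOMPED = datetime_to_filetime(datetime(2019, 1, 1, 0, 0, 0, 0, timezone.utc))

STOMPED_RECORD = (
    build_si_body({k: STOMPED for k in MACE}),
    build_fn_body({k: REAL_CREATED for k in MACE}, "update.exe"),
)
NORMAL_RECORD = (
    build_si_body({"created": REAL_CREATED, "modified": REAL_CREATED + 50_000_000,
                   "mft_changed": REAL_CREATED + 50_000_000, "accessed": REAL_CREATED}),
    build_fn_body({k: REAL_CREATED for k in MACE}, "report.docx"),
)

if __name__ == "__main__":
    for label, (si_b, fn_b) in (("stomped", STOMPED_RECORD), ("normal", NORMAL_RECORD)):
        si, fn = parse_si_timestamps(si_b), parse_fn_timestamps(fn_b)
        print(label, "$SI created", filetime_to_datetime(si["created"]),
              "| $FN created", filetime_to_datetime(fn["created"]),
              "->", analyse(si_b, fn_b) or "no indicators")
```

Running the block prints the decoded $SI and $FN Created values for both constructed records and the indicator list for each; only the backdated record fires. The same two parse functions work on attribute bodies cut from a real MFT record once the attribute header (and, for $FN, the parent reference) has been located.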
The Windows Registry stores the history
Five registry hive files contain the bulk of forensic evidence: SYSTEM (services, devices, Shimcache), SOFTWARE (installed programs, network history, persistence), SAM (accounts, logon times), NTUSER.DAT (user activity, UserAssist, MRU lists, persistence), and UsrClass.dat (ShellBags). Last write timestamps apply to keys, not values — a key's timestamp tells you when something under that key changed, not which value changed.
Evidence is not equal
The confidence hierarchy — high, moderate-high, moderate, low — rates each artifact's reliability based on how it is created, what it proves, and whether it can be manipulated. Prefetch provides high-confidence execution evidence. ShellBags provide moderate-high folder access evidence. Shimcache on pre-Windows 10 provides low-confidence execution evidence. Every finding in a forensic report should state its confidence level and the evidence sources that support it.
Collection preserves or destroys
The order of volatility — volatile → semi-volatile → non-volatile → external — determines what to collect first. Every decision point (power off, reboot, login, time passage) destroys or modifies specific evidence categories. The examiner's collection sequence should be chosen based on the investigation type and the evidence most at risk.
Anti-forensics is detectable
Attackers destroy, manipulate, conceal, or avoid creating artifacts. Destruction is the most common and the most detectable — every destruction action generates residual traces. The examiner who checks for anti-forensic indicators in every investigation catches the cleanup that tool-dependent analysis misses. Anti-forensic activity is itself evidence of consciousness of guilt.
The five-step methodology
Identify → Extract → Parse → Correlate → Conclude. Every analysis follows this sequence with quality gates between steps. Critical findings are raw-validated. Corroboration requires at least two independent sources. Conclusions include confidence levels, limitations, and alternative explanations. The methodology is systematic (nothing skipped), reproducible (another examiner reaches the same result), and defensible (explainable in testimony).
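The corroboration standard and confidence rules from the two sections above (the reliability hierarchy and the Conclude step), as an added example rather than course code: a small gate that takes the sources supporting a claim, refuses to report it as corroborated unless at least two independent sources back it, and attaches a confidence level and limitations to the result. Two rules in it are this example's own assumptions, not statements of the module: sources count as independent when their artifacts fall in different categories of the six-category taxonomy, and a corroborated conclusion inherits its strongest source's rating while an uncorroborated one is capped at "low". The claim text and the sample sources are constructed.

```python
"""Corroboration gate for the Conclude step of
Identify -> Extract -> Parse -> Correlate -> Conclude.

Added example, not course code. Module rules encoded here: at least two
independent sources per finding, critical findings raw-validated, and every
conclusion stated with a confidence level and its limitations.
Example's own assumptions: independence = different artifact categories;
corroborated confidence = strongest source's rating; uncorroborated = "low".
"""
from dataclasses import dataclass, field

CONFIDENCE_RANK = {"low": 0, "moderate": 1, "moderate-high": 2, "high": 3}

# Subset of the module's six-category taxonomy.
ARTIFACT_CATEGORY = {
    "MFT": "filesystem", "USN Journal": "filesystem", "$LogFile": "filesystem",
    "Prefetch": "execution", "Amcache": "execution", "Shimcache": "execution",
    "ShellBags": "user activity", "LNK": "user activity", "Jump Lists": "user activity",
    "Event Logs": "system", "Registry": "system",
    "SRUM": "network", "Browser history": "network",
    "Memory": "volatile",
}


@dataclass(frozen=True)
class Source:
    artifact: str        # key of ARTIFACT_CATEGORY
    confidence: str      # key of CONFIDENCE_RANK, the artifact's reliability rating
    raw_validated: bool  # examined at the binary level, not accepted from tool output alone


@dataclass
class Conclusion:
    claim: str
    corroborated: bool
    confidence: str
    categories: tuple
    limitations: list = field(default_factory=list)


def conclude(claim: str, sources: list, critical: bool = False) -> Conclusion:
    """Apply the corroboration standard and confidence rules to one claim."""
    unknown = [s.artifact for s in sources if s.artifact not in ARTIFACT_CATEGORY]
    if unknown:
        raise ValueError(f"uncategorised artifact(s): {unknown}")
    categories = tuple(sorted({ARTIFACT_CATEGORY[s.artifact] for s in sources}))
    limitations = []
    corroborated = len(categories) >= 2
    if not corroborated:
        limitations.append("fewer than two independent artifact categories support the claim")
    # Quality gate from the methodology: critical findings must be raw-validated.
    if critical and not all(s.raw_validated for s in sources):
        limitations.append("critical finding rests on tool output not validated against the raw artifact")
    if corroborated:
        confidence = max(sources, key=lambda s: CONFIDENCE_RANK[s.confidence]).confidence
    else:
        confidence = "low"
    return Conclusion(claim, corroborated, confidence, categories, limitations)


# Constructed claim and sources.
CLAIM = "update.exe executed on HOST01 at 2024-06-15 10:25 UTC"

if __name__ == "__main__":
    for c in (
        conclude(CLAIM, [Source("Prefetch", "high", True), Source("Event Logs", "high", True)], critical=True),
        conclude(CLAIM, [Source("Shimcache", "low", True)]),
        conclude(CLAIM, [Source("Prefetch", "high", True), Source("Amcache", "moderate-high", False)], critical=True),
    ):
        print(c.corroborated, c.confidence, c.categories, c.limitations)
```

The third case is the one worth noticing: two high-quality artifacts that both live in the execution category do not satisfy the gate under this example's independence rule, and the un-validated Amcache source adds a second limitation because the finding was marked critical.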
What comes next
WF1 — The Master File Table: Deep Analysis takes the NTFS architecture introduced in this module and goes to the binary level. You will examine MFT records byte by byte, understand every attribute field, build filesystem timelines from raw MFT data, detect timestomping through cross-attribute analysis, recover deleted file metadata from orphan MFT entries, and apply the analysis to the three NE investigation scenarios. The raw-first principle moves from concept to practice.
You've built the foundations of artifact-level forensic analysis.
WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.
- WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
- INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
- INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
- The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
- Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation