41 - Digital artifacts

In the context of an IT investigation, digital artifacts are any electronic evidence that cybercriminals leave behind in information systems. Such evidence may be created intentionally or unintentionally, consciously or unconsciously. Digital artifacts are like clues: they help establish what actually happened and hold cybercriminals accountable for their actions.

Digital artifacts are stored in the memory and storage of compromised information systems. How long and where electronic evidence is retained depends on a variety of factors, from the operating system running on a device to its current logging policy and settings. Some evidence survives only briefly and is lost automatically after a certain period of time, for example when volatile memory is cleared or logs are rotated. Handling evidence therefore requires acting quickly enough to preserve both the availability and the integrity of the traces.

Existing knowledge of indicators of compromise and indicators of attack can help in the search for digital artifacts. In the forensics world, an indicator of compromise is commonly described as evidence on a computer showing that the security of the network has been breached: a concrete value such as a file hash, a domain name or an IP address. Unlike indicators of compromise, indicators of attack focus on detecting the intent of what an attacker is trying to accomplish, regardless of the specific malware or exploit used in the attack.
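The distinction between the two kinds of indicator is easiest to see in code. The following added example (not part of the original page) runs a small set of constructed endpoint events through both an IoC check, which matches exact known-bad values, and an IoA rule, which matches a behaviour pattern. The event records, the placeholder hashes, the domain names and the rule name are all constructed for illustration; the IoA rule used here (an office application spawning a command shell) is one common behavioural rule, chosen as an assumption for the demonstration.

```python
"""Indicator of compromise (IoC) versus indicator of attack (IoA) matching.

Added example with constructed data. Hashes are placeholders, domains are
reserved example names, and the events do not come from any real host.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed)
    host: str        # host name (constructed)
    parent: str      # parent process image name
    image: str       # process image name
    sha256: str      # placeholder hash of the image
    dest: str = ""   # remote host contacted, if the event is a connection


# IoCs: exact values learned from an earlier incident (constructed here).
IOC_HASHES = {"sha256-PLACEHOLDER-known-bad"}
IOC_DOMAINS = {"bad.example"}


def match_iocs(events):
    """Return events whose hash or destination equals a known-bad value."""
    return [e for e in events if e.sha256 in IOC_HASHES or e.dest in IOC_DOMAINS]


# IoAs: behaviour that reveals intent regardless of which binary is involved.
def ioa_office_spawns_shell(e):
    """An office application starting a shell is suspicious whatever the hash."""
    office = {"winword.exe", "excel.exe", "outlook.exe"}
    shells = {"cmd.exe", "powershell.exe"}
    return e.parent.lower() in office and e.image.lower() in shells


IOA_RULES = {"office-spawns-shell": ioa_office_spawns_shell}


def match_ioas(events):
    """Return (rule name, event) pairs for every event that matches a rule."""
    return [(name, e) for e in events for name, rule in IOA_RULES.items() if rule(e)]


# Constructed event stream: a document macro chain on ws01 whose binaries are
# unknown to the IoC lists, and a known-bad binary on ws02.
EVENTS = [
    Event(1700000000, "ws01", "explorer.exe", "winword.exe", "sha256-PLACEHOLDER-doc-app"),
    Event(1700000012, "ws01", "winword.exe", "powershell.exe", "sha256-PLACEHOLDER-unknown-1"),
    Event(1700000020, "ws01", "powershell.exe", "powershell.exe", "sha256-PLACEHOLDER-unknown-1",
          dest="cdn.example"),
    Event(1700000300, "ws02", "services.exe", "svchost.exe", "sha256-PLACEHOLDER-known-bad",
          dest="bad.example"),
]


if __name__ == "__main__":
    for e in match_iocs(EVENTS):
        print("IoC hit:", e.host, e.image, e.sha256, e.dest)
    for name, e in match_ioas(EVENTS):
        print("IoA hit:", name, e.host, e.parent, "->", e.image)
```

Run as a script, the IoC check only finds the ws02 event, because that is the only one carrying a value already on a list; the IoA rule finds the ws01 shell launched from winword.exe even though nothing about that binary was known in advance. In an investigation the two complement each other: IoCs give fast, precise confirmation of a known threat, IoAs catch the same intent carried out with new tooling.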

In addition to indicators of compromise and indicators of attack, the search for digital artifacts relies on categorizing artifacts. Artifact categories reflect how information systems normally operate and the traces that operation leaves behind. They direct the search to the places where evidence of a particular activity is normally expected to be found. Finding artifacts by category can either reinforce existing suspicions about the course of events or change the current line of thinking.

Digital artifacts can be linked together using attributes that characterize the evidence, such as timestamps and names. Artifacts can also be linked on the basis of their content, such as the programming language used. By forming chains of correlated artifacts, the course of events can be reconstructed even when the attack did not use any known attack vector.
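The following added example (not part of the original page) shows one way to build such chains mechanically. Artifacts collected from different sources are linked whenever they share a name or an attribute value and were recorded within a short time window of each other; the transitive closure of those links, computed with a union-find structure, yields the chains. The artifact records, their timestamps, the placeholder hashes, the reserved-documentation IP address and the 120-second window are all constructed assumptions for the demonstration, and none of the linking reads a known attack vector.

```python
"""Chain digital artifacts by shared names/attribute values within a time window.

Added example with constructed data. Timestamps are epoch seconds, hashes
are placeholders, and the collection sources are illustrative labels.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    source: str   # where it was collected: filesystem, eventlog, firewall, ...
    ts: int       # epoch seconds (constructed)
    name: str     # file or process name as recorded by that source
    attrs: tuple  # extra (key, value) pairs, e.g. ("sha256", ...) or ("dst", ...)


def values(a):
    """All attribute values of an artifact, including its name."""
    return {a.name} | {v for _, v in a.attrs}


def linked(a, b, window=120):
    """Two artifacts are linked if they share a value and lie within `window` seconds."""
    if abs(a.ts - b.ts) > window:
        return False
    return bool(values(a) & values(b))


def build_chains(artifacts, window=120):
    """Group artifacts into chains (connected components of the link relation),
    each chain ordered by timestamp, chains ordered by their first timestamp."""
    parent = list(range(len(artifacts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    n = len(artifacts)
    for i in range(n):
        for j in range(i + 1, n):
            if linked(artifacts[i], artifacts[j], window):
                union(i, j)

    groups = defaultdict(list)
    for i, a in enumerate(artifacts):
        groups[find(i)].append(a)
    chains = [sorted(g, key=lambda a: a.ts) for g in groups.values()]
    return sorted(chains, key=lambda c: c[0].ts)


# Constructed artifacts from three sources. The first four describe one
# sequence of events; "readme.txt" is unrelated noise recorded at the same
# time; the last "update.ps1" shares a name but is hours away, so it stays apart.
ARTIFACTS = [
    Artifact("filesystem", 1000, "update.ps1", (("sha256", "PLACEHOLDER-aaa"),)),
    Artifact("eventlog", 1030, "powershell.exe", (("cmdline", "update.ps1"),)),
    Artifact("firewall", 1045, "powershell.exe", (("dst", "203.0.113.10"),)),
    Artifact("filesystem", 1100, "stage2.bin",
             (("sha256", "PLACEHOLDER-bbb"), ("writer", "powershell.exe"))),
    Artifact("filesystem", 1010, "readme.txt", ()),
    Artifact("eventlog", 50000, "update.ps1", ()),
]


if __name__ == "__main__":
    for chain in build_chains(ARTIFACTS):
        print(" -> ".join(f"{a.ts}:{a.source}:{a.name}" for a in chain))
```

The script prints three chains: the script write, the shell that ran it, its outbound connection and the file it dropped form one ordered chain; the unrelated readme and the much later reuse of the script name each stand alone. Real data needs the same two controls shown here, a bounded time window and linking on specific values rather than generic ones, or common names such as a system process will join everything into one chain.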