Thursday, February 19, 2009

Application Forensic Artifacts

Forensic artifacts left by installed applications can be an excellent source of data when performing analysis. For example, MRU lists used by applications (and maintained in the Registry) can demonstrate not only that the suspect knew the files were on the system, but that they viewed them. I've spoken with LEOs who've used this technique successfully.

Here's an excellent post regarding what has been found with respect to Corel Photoshop.

AV application log files can provide a great deal of insight into activity that occurred on the system, such as updates, when scans were run and the results, etc.
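As an added example (not code from the original post), the following Python routine shows how the MRU ordering mentioned above is recovered in practice: it parses a constructed .reg export of a classic MRU key, where lettered values hold file paths and the "MRUList" value records the most-recent-first order. The key path, value names and file paths are assumptions for illustration only.

```python
import re

# Constructed .reg export of a hypothetical application's MRU key (not from the page).
# Values "a".."c" hold paths; "MRUList" gives most-recent-first order, as in classic MRU keys.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp\Recent File List]
"a"="C:\\Users\\jdoe\\Pictures\\IMG_0412.jpg"
"b"="D:\\Transfer\\invoice_scan.tif"
"c"="C:\\Users\\jdoe\\Downloads\\notes.png"
"MRUList"="bca"
'''

MRU_KEY = r'HKEY_CURRENT_USER\Software\ExampleApp\Recent File List'  # assumed key path
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg_string(s):
    # .reg exports double backslashes and escape embedded quotes; undo both in one pass
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group('name')] = unescape_reg_string(m.group('data'))
    return keys


def mru_order(values):
    """Order MRU entries most-recent-first using MRUList; slots it does not list go last."""
    order = values.get('MRUList', '')
    listed = [(slot, values[slot]) for slot in order if slot in values]
    leftover = sorted((k, v) for k, v in values.items() if k != 'MRUList' and k not in order)
    return listed + leftover


def recent_files(text, key_path):
    """Most-recent-first list of file paths recorded under the given MRU key."""
    return [path for _, path in mru_order(parse_reg(text).get(key_path, {}))]


if __name__ == '__main__':
    for rank, path in enumerate(recent_files(SAMPLE_REG, MRU_KEY), 1):
        print(rank, path)
```

The first path returned is the file the application opened most recently, which is the ordering an analyst reports alongside the key's LastWrite time from the hive itself.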


Andi Baritchi said...

This still only gives us proof that a file was opened by an app on their computer. The trail of evidence stops at the computer, not the person.

Maybe the cat did it.


H. Carvey said...


True, but as an analyst, I can only give the facts of what I know and have observed based on my analysis; someone else will have to determine who was sitting at the keyboard, logged in via the user account in question.