
Investigate: Files Referenced by Artifact Records

Posted by Richard T. Frawley on September 4, 2019

Fast investigations require rapid access to evidence. ADF software enables investigators to quickly view the links of artifacts captured from a target device so you can easily understand a user's activities. 

In this short 2-minute video, Digital Forensic Specialist Rich Frawley explains Referenced File Capture and Linked Artifacts with Digital Evidence Investigator, which gives you the ability to view links between files of interest and a user's activities.


The Artifact Capture

Referenced Files

These files contain records that may reference files on the target device(s) or embedded files on the target device(s). We refer to the files referenced in this way as Referenced Files. In this example, the capture targets files that are referenced by the Artifact Captures: Peer to Peer (P2P) Files Shared or Downloaded, Email, Messages, Recent Files, Browser Cache, and Download History. If the file has a reference to any of these artifacts, it will be listed under Linked Artifacts and hyperlinked to the actual record.

Files View

Files View records list, within the Linked Artifacts column, hyperlinks to any Artifact Captures that reference the file shown. When customizing your Search Profiles with keywords and hash sets, you can specify that any file collected also lists the artifact records that reference the file. When viewing your files in picture view, for example, the Linked Artifacts can be filtered to specific items with user activity.

Referenced File Functionality

Recent Files

This Artifact Capture identifies recently accessed files. Recently accessed files that can be located upon the target device(s) are treated as Referenced Files and are accessible by a hyperlink in the Candidate column to the relevant file record in the Files View. Candidate files are identified by matching their File Name and File Path with the information within the Artifact Capture record.

Download History

This Artifact Capture recovers information relating to downloaded files. Downloaded files that can be located upon the target device(s) are treated as Referenced Files and are accessible by a hyperlink in the File Name column. Hyperlinks will exist to the Files View record for the downloaded file and to any File Collections Captures that have collected the file concerned.

P2P Files Shared or Downloaded

This Artifact Capture recovers information relating to files downloaded or shared by P2P applications. If these files can be located upon the target device(s) they are treated as Referenced Files and are accessible by a hyperlink in the Candidate column to the relevant file record in the Files View. The Candidate column can also contain details of other Captures that reference the file.

Browser Cache

This Artifact Capture extracts cached files from containers used by the Google Chrome, Safari, Edge, Opera and Firefox browsers. The extracted cached files are listed within the Files View and shown as embedded files. We also treat these files as referenced files.  These referenced files are accessible by a hyperlink in the Referenced File column. Hyperlinks will exist to the Files View record for the cached file and to any File Collection Captures that have collected the file concerned.

Messages

This Artifact Capture recovers messaging client messages. These messages may have associated attachments. These attachments are treated as referenced files. These referenced files are accessible by a hyperlink in the Attachment Name column. Hyperlinks will exist to the Files View record for the attached file and to any File Collection Captures that have collected the file concerned. The Attachment Name column can also contain details of other Captures that reference the file.

Emails

This Artifact Capture recovers email client messages. These messages may have associated attachments. These attachments are treated as referenced files. These referenced files are accessible by a hyperlink in the Attachment Names column. Hyperlinks will exist to the Files View record for the attached file and to any File Collection Captures that have collected the file concerned. The Attachment Names column can also contain details of other Captures that reference the file. File Collection capture records list, within the Linked Artifacts column, hyperlinks to any Artifact Captures that reference the file shown.
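The name-and-path candidate matching described under Recent Files, and the reverse Linked Artifacts listing on file records, can be sketched as follows. This is an added illustration, not ADF's implementation: the record fields, the sample paths and the `norm` and `link` helpers are constructed for the example, and it assumes Windows-style, case-insensitive paths.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample data: a file inventory (as in a Files View) and artifact records.
FILES = [
    {"id": 1, "path": r"C:\Users\sam\Documents\plan.docx"},
    {"id": 2, "path": r"C:\Users\sam\Downloads\tool.zip"},
    {"id": 3, "path": r"D:\Backup\plan.docx"},  # same name, different path
]
ARTIFACTS = [
    {"id": "recent-1", "capture": "Recent Files",
     "path": "c:/users/SAM/documents/Plan.docx"},
    {"id": "dl-7", "capture": "Download History",
     "path": r"C:\Users\sam\Downloads\tool.zip"},
    {"id": "dl-8", "capture": "Download History",
     "path": r"C:\Users\sam\Downloads\gone.exe"},  # no longer on the device
]

def norm(path):
    """Reduce a Windows path to a (directory, file name) key.

    Lower-casing and PureWindowsPath make the key independent of letter
    case and of forward versus backward slashes.
    """
    p = PureWindowsPath(path)
    return (str(p.parent).lower(), p.name.lower())

def link(files, artifacts):
    """Match artifact records to files on both file name and file path.

    Returns (candidates, linked):
      candidates: artifact id -> ids of files it references
      linked:     file id -> ids of artifact records that reference it
    """
    by_key = defaultdict(list)
    for f in files:
        by_key[norm(f["path"])].append(f["id"])
    candidates, linked = {}, defaultdict(list)
    for a in artifacts:
        hits = by_key.get(norm(a["path"]), [])
        candidates[a["id"]] = hits  # empty list: referenced file was not located
        for fid in hits:
            linked[fid].append(a["id"])
    return candidates, dict(linked)

if __name__ == "__main__":
    cands, linked = link(FILES, ARTIFACTS)
    print("Candidate column:", cands)
    print("Linked Artifacts column:", linked)
```

File 3 shares a name with the recent-file record but sits at a different path, so it is not offered as a candidate; matching on name alone would link it incorrectly.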

TIE THE SUSPECT TO THE CRIME

If you're looking for the best digital forensic tools to quickly find digital evidence and tie a suspect to that evidence, on-scene in the field or back in the lab, you should try ADF software. ADF tools are built for speed and designed for investigators. Qualified professionals can receive a free digital forensic software trial of our most popular tools. Start solving today.
