Cyber Security


When conducting a cybersecurity investigation on a Windows operating system, VFC can prove invaluable. There are various artifacts you can look for to identify potential security incidents or breaches. These artifacts can provide valuable insights into the activities and events that have occurred on the system. Here are some key artifacts to consider while using VFC version 7, particularly when utilising the Standalone and Inject Files features:

 

  • Event Logs:
    • Security Event Log
    • Application Event Log
    • System Event Log
  • File System:
    • File Creation, Modification, and Deletion Times
    • File Access Times
  • Registry:
    • Recent Registry Modifications
  • Network Artifacts:
    • Network Connections
    • Firewall Logs
  • Memory Artifacts:
    • Running Processes
    • Loaded Modules
    • RAM analysis (VFC can be used for memory capture analysis in both live and deadbox enquiries by creating a .vmem file when generating a VM)
  • User Activity:
    • User Account Information
    • User Login History
  • Authentication and Logon Data:
    • Logon Session Information
    • Credential Cache
  • Browser Artifacts:
    • Browser History and Cache
  • Scheduled Tasks:
    • Scheduled Task Logs
  • Malware Artifacts:
    • Malware Signatures
    • Persistence Mechanisms
  • System Configuration:
    • System Configuration Changes

 

 

Remember that these artifacts should be analysed in the context of your investigation and the specific incident you are addressing. A comprehensive investigation often involves cross-referencing information from multiple sources to piece together the full picture of what transpired on the original device. 


Both VFC Lab and Portable, using specialised tools for digital forensics, cyber forensics and incident response investigations, can greatly aid in artifact collection and analysis.