Recommended Methodology for Identifying Artifacts

OmenScan

Dec 7, 2017, 11:59:36 PM
to forensic-utili...@googlegroups.com
This post documents the method I am using to determine what Artifacts each Forensic Utility Creates.


Before outlining the methodology I am using, there are a few things to understand:

  1. The process of keeping any system running will create artifacts.  Although these artifacts are not specifically created by the Utility itself, they may be created by the Operating System when the Utility runs.
  2. The process of running a program to snapshot the system before the Utility is run, and then after it is run (to see what artifacts were created by the Utility), in itself creates artifacts!  To filter out these artifacts I have run the process of simply creating a before and after system snapshot, and noted the artifacts that this process creates.  I will identify the artifacts created by each utility during the process, and will specifically identify the artifacts that match (or likely match) the original snapshot process.  This will identify those artifacts that are likely to be associated with the snapshot process itself and not the forensic Utility.  However, further testing should be done to be sure there isn't overlap (i.e. the artifact was created or modified by BOTH the Utility and the snapshot process itself).


Creating the Basic System
In order to make the process completely repeatable and controlled I have created a Virtual Environment that can be tested, and then reverted back to its original state.  To do this I did the following:

  • Created a VirtualBox VM
    • OS Disk is 40 GB
    • Basic Windows 7 Install
    • Apply All Security Patches
  • Configured VirtualBox with a shared Drive to store the artifacts (output comparisons)
    • When Telemetry files are created, copy them here for permanent storage
    • Then Revert everything on the VM Back to original state 
  • Configured Windows in the VM to NEVER Check for Updates
    • This will prevent Windows Update from accidentally creating artifacts that would be mistakenly applied to the forensic artifact analysis.
    • NOTE: Even with Updates Turned Off, Windows may STILL Download updates - For example for MS Malware Protection.


Baselining the snapshot process to create/identify Artifacts that the process ITSELF creates
  • Baselining RegShot
    • Login To VM 
    • Start Windows Explorer
    • Start Elevated Command Prompt
      • Choose the D: Drive by typing in D:
    • Start Regshot-x64-ANSI
      • Set Max Data to Show 0 
      • Set Output Directory
    • Do first Shot and Save (BaseLine1)
    • Run Second Shot And Save (BaseLine2)
    • Compare And Output

Below is the process used to determine the Artifacts created by each Forensic Utility
  • Login To VM
    • Start Windows Explorer
    • Copy the Forensic Utility program to the Root of D:
    • Start Elevated Command Prompt
      • Choose the D: Drive by typing in D:
    • Start Regshot-x64-ANSI
      • Set Max Data to Show 0
      • Set Output Directory
    • Do first Shot and Save
    • Run the Forensic Utility program from Command Prompt
    • Run Second Shot And Save
    • Compare And Output

Once this process is complete, the files are copied from the D: drive back to the shared drive located on the host system.  Using the original snapshot baseline, I then compare the output files to see which files match the baselined snapshot and which do not.  The ones that match the baseline are attributed to the process itself.  The ones that do not match are attributed to the Forensic Utility.  Some of these files are possibly created by the Operating System and are not directly attributable to the Forensic Utility.

For completeness I am also including these files as attributed to the Forensic Utility.  Further work can be done in the future to identify those files.

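As an added example of the comparison step described in the last two paragraphs of the post (this is my own script, not OmenScan's code or anything shipped with Regshot): it parses two Regshot comparison reports, the snapshot-only baseline and a utility run, and sorts the utility run's entries into those that match the baseline exactly, those that "likely" match it (the same entry apart from a random temp-file suffix, prefetch hash, SID or timestamp), and everything left over, which the methodology attributes to the utility. The report layout the parser expects, the "likely match" heuristic, and all sample entries (including the hypothetical exampletool.exe) are my assumptions rather than anything taken from the post.

```python
"""Attribute Regshot comparison entries to the snapshot process or to the utility.

Added example, not the original poster's code.  It assumes Regshot's plain-text
comparison report: dashed separator lines, a section header such as
"Files added: 2", then one entry per line.  Both reports below are constructed
sample data; "exampletool.exe" is a hypothetical utility under test.
"""
import re

# Section header, e.g. "Keys added: 1" or "Files [attributes?] modified: 1".
SECTION_RE = re.compile(r"^(?P<name>(?:Keys|Values|Files|Folders)[^:]*): \d+$")
# Hashes, SIDs, timestamps and random temp-file suffixes collapse to '#' so that
# entries differing only in such parts count as a "likely" match (heuristic).
VOLATILE_RE = re.compile(r"(?<![A-Za-z0-9])(?=[0-9A-Fa-f]*\d)[0-9A-Fa-f]{4,}(?![A-Za-z0-9])|\d+")

# Constructed sample: what the snapshot process alone leaves behind.
BASELINE_REPORT = r"""
Regshot 1.9.0 x64 ANSI
----------------------------------
Keys added: 1
----------------------------------
HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
----------------------------------
Files added: 2
----------------------------------
C:\Windows\Prefetch\REGSHOT-X64-ANSI.EXE-5A1C9D2E.pf
C:\Users\analyst\AppData\Local\Temp\~DF1A2B.tmp
----------------------------------
Total changes: 3
----------------------------------
"""

# Constructed sample: snapshot process plus the hypothetical exampletool.exe.
UTILITY_REPORT = r"""
----------------------------------
Keys added: 2
----------------------------------
HKU\S-1-5-21-111\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt
HKLM\SOFTWARE\ExampleTool
----------------------------------
Values added: 1
----------------------------------
HKLM\SOFTWARE\ExampleTool\LastRun: "2017-12-07 23:53:01"
----------------------------------
Files added: 4
----------------------------------
C:\Windows\Prefetch\REGSHOT-X64-ANSI.EXE-5A1C9D2E.pf
C:\Windows\Prefetch\EXAMPLETOOL.EXE-0F3E7B91.pf
C:\Users\analyst\AppData\Local\Temp\~DF9C4E.tmp
D:\exampletool_output.txt
----------------------------------
Total changes: 7
----------------------------------
"""


def parse_report(text):
    """Return {section name: [entries]} from a Regshot comparison report."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) == {"-"}:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [])
        elif line.startswith("Total changes:"):
            current = None
        elif current is not None:  # preamble before the first section is skipped
            sections[current].append(line)
    return sections


def normalize(entry):
    """Replace volatile parts of an entry with '#' for likely-match comparison."""
    return VOLATILE_RE.sub("#", entry)


def attribute(baseline_text, utility_text):
    """Sort the utility run's entries into: exact matches against the snapshot-only
    baseline, likely matches (same entry modulo volatile parts), and the rest,
    which the methodology attributes to the utility under test."""
    base = parse_report(baseline_text)
    result = {"snapshot_process": [], "likely_snapshot_process": [], "utility": []}
    for section, entries in parse_report(utility_text).items():
        exact = set(base.get(section, []))  # section may be absent from baseline
        likely = {normalize(e) for e in exact}
        for entry in entries:
            if entry in exact:
                bucket = "snapshot_process"
            elif normalize(entry) in likely:
                bucket = "likely_snapshot_process"
            else:
                bucket = "utility"
            result[bucket].append((section, entry))
    return result


if __name__ == "__main__":
    for bucket, entries in attribute(BASELINE_REPORT, UTILITY_REPORT).items():
        print(f"== {bucket} ({len(entries)})")
        for section, entry in entries:
            print(f"  [{section}] {entry}")
```

The "likely" bucket is exactly the set the post says still needs further testing for overlap: re-run the baseline a few times and check whether those entries recur before deciding they belong to the snapshot process rather than the utility.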