Interactive Lab — Artifact Identification Exercise

3-4 hours · Module 0 · Free

This lab applies the taxonomy, reliability assessment, and methodology concepts from this module to a practical artifact identification exercise. You will map artifacts to investigation questions, assess reliability, and build an analysis plan before touching a single tool. Estimated time: 45 minutes.

Scenario

You are the forensic examiner assigned to INC-NE-2026-0915 (insider data exfiltration). The KAPE standard collection from David Chen's workstation (DESKTOP-NGE-ENG14) has been delivered to your analysis VM. The collection directory contains:

DESKTOP-NGE-ENG14_20260915/
├── C/
│   ├── $MFT                              (387 MB)
│   ├── $UsnJrnl_$J                       (2.1 GB)
│   ├── $LogFile                          (64 MB)
│   ├── Windows/
│   │   ├── Prefetch/                     (847 .pf files)
│   │   ├── System32/
│   │   │   ├── config/
│   │   │   │   ├── SYSTEM                (18 MB)
│   │   │   │   ├── SYSTEM.LOG1           (1.2 MB)
│   │   │   │   ├── SYSTEM.LOG2           (256 KB)
│   │   │   │   ├── SOFTWARE              (94 MB)
│   │   │   │   ├── SOFTWARE.LOG1         (3.1 MB)
│   │   │   │   ├── SOFTWARE.LOG2         (512 KB)
│   │   │   │   ├── SAM                   (128 KB)
│   │   │   │   ├── SAM.LOG1              (32 KB)
│   │   │   │   └── SAM.LOG2              (32 KB)
│   │   │   └── sru/
│   │   │       └── SRUDB.dat             (42 MB)
│   │   ├── appcompat/
│   │   │   └── Programs/
│   │   │       └── Amcache.hve           (14 MB)
│   │   └── winevt/
│   │       └── Logs/
│   │           ├── Security.evtx         (128 MB)
│   │           ├── System.evtx           (24 MB)
│   │           ├── Application.evtx      (8 MB)
│   │           ├── Microsoft-Windows-Sysmon%4Operational.evtx (67 MB)
│   │           └── Microsoft-Windows-PowerShell%4Operational.evtx (12 MB)
│   └── Users/
│       └── d.chen/
│           ├── NTUSER.DAT                (48 MB)
│           ├── NTUSER.DAT.LOG1           (2.4 MB)
│           ├── NTUSER.DAT.LOG2           (512 KB)
│           ├── AppData/
│           │   ├── Local/
│           │   │   └── Microsoft/
│           │   │       └── Windows/
│           │   │           └── UsrClass.dat     (8 MB)
│           │   └── Roaming/
│           │       └── Microsoft/
│           │           └── Windows/
│           │               └── Recent/
│           │                   ├── AutomaticDestinations/  (342 files)
│           │                   ├── CustomDestinations/     (28 files)
│           │                   └── *.lnk                   (1,247 files)
│           └── Downloads/                (various files)
└── hash_log.txt                          (SHA256 per file)

The HR Director's investigation questions (from WF0.10):

  1. Which folders in the restricted Engineering share did Chen access?
  2. Which specific files did Chen open?
  3. Did Chen copy files to USB storage? If so, which files, when, and to which device?
  4. Did Chen copy files to cloud storage or personal email?
  5. What tools did Chen use to archive or compress files?
  6. What is the total volume of data potentially exfiltrated?
  7. Did Chen attempt to cover his tracks?

Exercise 1: Artifact-to-Question Mapping

For each investigation question, identify the primary artifact source and at least one corroborating source from the KAPE collection. Use this table format in your analysis notes:

  Question               | Primary Artifact | What It Proves | Corroborating Artifact | Expected Confidence
  -----------------------|------------------|----------------|------------------------|--------------------
  1. Folder access       |                  |                |                        |
  2. File access         |                  |                |                        |
  3. USB copy            |                  |                |                        |
  4. Cloud/email exfil   |                  |                |                        |
  5. Archive tools       |                  |                |                        |
  6. Data volume         |                  |                |                        |
  7. Anti-forensics      |                  |                |                        |

Work through each question using the artifact taxonomy from WF0.2 and the reliability hierarchy from WF0.6. Which artifacts from the KAPE collection answer each question? What confidence level does each artifact provide?

Exercise 2: Collection Verification

Before analysis begins, verify the collection integrity. Using the KAPE output directory listing above, answer:

  1. Are all five forensic registry hives present with their transaction logs?
  2. Are both user-profile hives (NTUSER.DAT and UsrClass.dat) present for the target user?
  3. Is the SRUM database present? (This is frequently missed in triage collections.)
  4. Are Sysmon logs present? (This depends on whether Sysmon was deployed — the NE environment has Sysmon.)
  5. What artifact would you check first to determine the system's OS version and timezone? (Needed before interpreting any timestamps.)
  6. The collection contains 847 Prefetch files. What does this number tell you about the system? (Hint: the maximum is 1024.)
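As an added example (not part of the lab or of KAPE), the presence checks and hash verification from this exercise, scripted in Python against a constructed mini-collection. The hash_log.txt line format ('<sha256>  <relative path>') and the list of hives to require are assumptions; adjust them to your own SOP.

```python
import hashlib
import tempfile
from pathlib import Path

# Artifacts Exercise 2 asks you to confirm, relative to the collection root:
# HKLM hives in config/ with .LOG1/.LOG2, the two user hives, SRUM, Sysmon.
EXPECTED = [f"C/Windows/System32/config/{h}{e}"
            for h in ("SAM", "SECURITY", "SOFTWARE", "SYSTEM")
            for e in ("", ".LOG1", ".LOG2")] + [
    "C/Users/d.chen/NTUSER.DAT",
    "C/Users/d.chen/AppData/Local/Microsoft/Windows/UsrClass.dat",
    "C/Windows/System32/sru/SRUDB.dat",
    "C/Windows/winevt/Logs/Microsoft-Windows-Sysmon%4Operational.evtx",
]

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_collection(root: Path) -> dict:
    """Report expected artifacts that are absent and files whose current SHA256
    differs from hash_log.txt (assumed format: '<sha256>  <relative path>')."""
    missing = [p for p in EXPECTED if not (root / p).is_file()]
    recorded = {}
    for line in (root / "hash_log.txt").read_text().splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            recorded[rel.strip()] = digest.lower()
    mismatch = [rel for rel, d in recorded.items()
                if (root / rel).is_file() and sha256_of(root / rel) != d]
    return {"missing": missing, "hash_mismatch": mismatch}

def build_sample_collection() -> Path:
    """Constructed mini-collection for the demo: the SECURITY hive and its logs
    are left out, and SAM is rewritten after hash_log.txt was generated."""
    root = Path(tempfile.mkdtemp(prefix="DESKTOP-NGE-ENG14_"))
    lines = []
    for rel in (p for p in EXPECTED if "SECURITY" not in p):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"regf-placeholder:" + rel.encode())  # constructed content
        lines.append(f"{sha256_of(f)}  {rel}")
    (root / "hash_log.txt").write_text("\n".join(lines) + "\n")
    (root / "C/Windows/System32/config/SAM").write_bytes(b"altered after hashing")
    return root

if __name__ == "__main__":
    print(verify_collection(build_sample_collection()))
```

Run it against a real collection by calling verify_collection(Path(r"...\DESKTOP-NGE-ENG14_20260915")); an empty report is the precondition for moving on to Exercise 3.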

Exercise 3: Analysis Priority Order

You have limited time — the HR proceeding is in 3 weeks and you have other cases. Define your analysis priority order: which artifacts do you analyze first, second, third?

Consider: which investigation questions are most critical to the HR proceeding? Which artifacts are at greatest risk of misinterpretation without careful analysis? Which artifacts provide the broadest coverage with the least analysis time?

Build a numbered priority list of analysis tasks, from first to last, with the rationale for each priority decision.

Exercise 4: Anti-Forensic Assessment Plan

Question 7 asks whether Chen attempted to cover his tracks. Before you analyze any artifacts, define what you will check:

  1. What Event Log indicators would show log clearing?
  2. What Prefetch indicators would show artifact deletion?
  3. What USN Journal indicators would show bulk file deletion?
  4. What timestamp indicators would show timestomping?
  5. What registry indicators would show cleanup tool usage?
  6. What browser indicators would show history clearing?

For each indicator, identify the specific artifact, the specific field or pattern, and what its presence or absence means.

Deliverable

Complete the four exercises and save your analysis plan as a document in your case notes directory (C:\Cases\INC-NE-2026-0915\notes\analysis-plan.md). This analysis plan is the Step 1 output of the five-step methodology — you will execute Steps 2-5 when we analyze each artifact category in modules WF1-WF10, and bring everything together in the complete INC-NE-2026-0915 investigation in WF13.