Sriyal Mendis

DOI: https://doi.org/10.1080/00450618.2024.2324752

2024-04-30

Australian Journal of Forensic Sciences

Abstract:As technology evolves so do challenges faced by the digital forensic examiner. An increasingly frequent obstacle appearing now is the BitLocker encryption in conjunction with the Trusted Platform Module (TPM). The roll out of Windows 11 made having an initialised TPM (2.0) a mandatory prerequisite before being able to install Windows 11. Tackling the TPM is going to be one of the major issues encountered by the digital forensic computer examiner in the future as Windows 10 support ends in 2025 (Microsoft, 2024). This paper describes a method for accessing the BitLocker protected partition of a windows computer in a short time using minimal equipment in a forensically sound manner. As a result BitLocker encrypted partitions of physical images can be decrypted using recovery keys obtained via compliance or brute force of the users password or pin.

medicine, legal

Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Yingxin Cheng,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1016/j.ins.2016.07.019

IF: 8.1

2016-01-01

Information Sciences

Abstract:The results of memory forensics can not only be used as evidence in court but are also beneficial for analyzing vulnerability and improving security. Thus, memory forensics has been widely used in many fields, including cloud security. Traditional memory forensics, usually an after-the-fact method, is time-consuming and often loses important transient information. Thus, live methods, which investigate memory directly, are presented. However, most of them are kernel based and easy to detect or confuse. Although virtualization technology can overcome these shortages, it must be preinstalled and has high cost. To solve these problems, we propose a lightweight live memory forensic framework based on hardware virtualization. It can build a virtualization environment on-the-fly. The operating system will be migrated to the virtual machine without termination or modifications. Then, the forensic methods can acquire and analyze evidence at the hypervisor level. Two novel forensic methods are proposed to verify the effectiveness of the framework. They focus on acquiring accurate data and system behavior, respectively. The main ideas are guaranteeing data accuracy in multi-view extraction and analyzing memory behavior in a para-synchronous style. Experiments have proved that these methods are able to obtain reliable and integrated evidence at an acceptable cost.

Dabin Joo,Jiwon Lee,Doowon Jeong

DOI: https://doi.org/10.1111/1556-4029.15240

Abstract:Anti-forensic technology can play an effective role in protecting information, but it can make forensic investigations difficult. Specifically, file-wiping permanently erases evidence, making it challenging for investigators to determine whether a file ever existed and prolonging the investigation process. To address this issue, forensic researchers have studied anti-forensic techniques that detect file-wiping activities. Many previous studies have focused on the effects of file-wiping tools on $MFT, $LogFile, and $DATA, rather than on Windows artifacts. Additionally, previous studies that have examined Windows artifacts have considered different artifacts, making it difficult to study them in a comprehensive manner. To address this, we focused on analyzing traces in 13 Windows artifacts of 10 file-wiping tools' operations in the Windows operating system comprehensively. For our experiments, we installed each file-wiping tool on separate virtual machines and checked the traces that the tools left behind in each artifact. We then organized the results in a database format. Our analysis revealed that most of the tools left traces on other artifacts, except for JumpList, Open&SavePidlMRU, and lnk. There were also some cases where traces remained on the other three artifacts. Based on our research, forensic investigators can quickly identify whether a file-wiping tool has been used, and it can assist in decision-making for evidence collection and forensic triage.

Mahfudl Nasrulloh,Sunardi Sunardi,Riadi,Imam Mahfudl Nasrulloh,Imam Riadi

DOI: https://doi.org/10.25126/jtiik.2019651516

2019-10-08

Jurnal Teknologi Informasi dan Ilmu Komputer

Abstract:Teknologi komputer pada empat tahun terahir ini mengalami perkembangan yang pesat. Bersamaan dengan itu juga berdampak negatif salah satunya adalah berupa kejahatan komputer. Kejahatan komputer akan meninggalkan jejak aktivitas kejahatan, maka perlu dilakukan analisa dengan ilmu dan metode forensik untuk mendapatkan barang bukti. Bagaimana jika terjadi kejahatan komputer pada media penyimpanan komputer berjenis non-volatile memory dan dilakukan secara live forensik . Pada penelitian ini dilakukan proses forensik pada Solid State Drive (SSD) dengan framework Grr Rapid Response pada kasus kehilangan data (lost data) suatu organisasi. Langkah kerja forensik mengimplementasikan dari National Institute of Standards Technology (NIST). Framework Grr Rapid Response digunakan untuk memberikan tanggapan terhadap insiden forensik digital yang difokuskan pada lingkungan forensik jarak jauh, f ramework ini berbasis arsitektur client server . Hasil penelitian ini menunjukkan langkah kerja forensik NIST dapat diimplementasikan pada proses pengambilan bukti digital dengan metode akuisisi secara live forensik, kemampuan tool forensik pada proses eksaminasi Grr Rapid Response pada Workstation ( Client Grr) dengan media simpan SSD , bukti digital dapat ditemukan dan dikembalikan. Bukti digital yang dapat dikembalikan berupa file dokumen, dan hasil validasi pada bukti digital tersebut memiliki nilai hash yang sama dari dua algoritma validasi bukti digital yang diimplementasikan, MD5 dan SHA-1. Sehingga hasil integritas dari dokumen tersebut menunjukkan bahwa bukti digital tersebut identik. Abstract Computer technology in the last four years has experienced rapid development. At the same time, it also has a negative impact, one of which is a computer crime. Computer crime will leave traces of criminal activity, so it is necessary to analyze with forensic science and methods to obtain evidence. What if there is a computer crime on a computer storage medium of a type of non-volatile memory and carried out live forensics In this study a forensic process on Solid State Drive (SSD) was carried out with the Grr Rapid Response framework for lost data in an organization. The forensic work step is implemented from the National Institute of Standards Technology (NIST). The Grr Rapid Response Framework is used to provide responses to incidents of digital forensics focused on remote forensic environments, this framework is based on a client server architecture. The results of this study indicate that NIST's forensic work steps can be implemented in the process of taking digital evidence with live forensic acquisition methods, the ability of forensic tools in the Grr Rapid Response examination process on Workstations (Client Grr) with SSD storage media, digital evidence can be found and returned. Digital evidence that can be returned is a document file, and the results of the validation of digital evidence have the same hash value from the two digital proof validation algorithms implemented, MD5 and SHA-1. So the results of the integrity of the document so that the digital evidence is identical.

Yuhang Gao,Tianjie Cao

2010-01-01

Abstract:Physical memory is a useful information source in a forensic examination, but the research on memory forensics is still in the early stage. Once the processes are located, computer forensic personnel can acquire the opened files, the network connections via further processing. This paper proposed methods of searching for process descriptors in Linux dump file. Our experiments shows that our methods are able to locate hidden, terminated and even processes before rebooted under some circumstances. An analysis of performance between different methods is made and results show the brute force method find the most while method based on slub allocator is highly efficient. Besides, our experiments shows a process survives from minutes to hours after it is terminated in Linux 2.6.23 and slub allocation obviously has an impact on memory forensics. These methods proposed to searching for processes not only can apply to Linux memory forensics in locating hidden, exiting processes, but also can be of interest to the malware analyzing. Keywords-memory dump file; Linux memory analysis; digital evidences; file extraction

Zhengwei Qi,Chengcheng Xiang,Ruhui Ma,Jian Li,Haibing Guan,David S. L. Wei

DOI: https://doi.org/10.1109/tcc.2016.2535295

IF: 5.697

2017-01-01

IEEE Transactions on Cloud Computing

Abstract:Live forensics is an important technique in cloud security but is facing the challenge of reliability. Most of the live forensic tools in cloud computing run either in the target Operating System (OS), or as an extra hypervisor. The tools in the target OS are not reliable, since they might be deceived by the compromised OS. Furthermore, traditional general purpose hypervisors are vulnerable due to their huge code size. However, some modules of a general purpose hypervisor, such as device drivers, are indeed unnecessary for forensics. In this paper, we propose a special purpose hypervisor, called ForenVisor, which is dedicated to reliable live forensics. The reliability is improved in three ways: reducing Trusted Computing Base (TCB) size by leveraging a lightweight architecture, collecting evidence directly from the hardware, and protecting the evidence and other sensitive files with Filesafe module. We have implemented a proof-of-concept prototype on the Windows platform, which can acquire the process data, raw memory, and I/O data, such as keystrokes and network traffic. Furthermore, we evaluate ForenVisor in terms of code size, functionality, and performance. The experiment results show that ForenVisor has a relatively small TCB size of about 13 KLOC, and only causes less than 10 percent performance reduction to the target system. In particular, our experiments verify that ForenVisor can guarantee that the protected files remain untampered, even when the guest OS is compromised by viruses, such as ‘ILOVEYOU’ and Worm.WhBoy. Also, our system can be loaded as a hypervisor without needing to pause the target OS. This allows it to not only avoid destructing but also to gather the live evidence of the target OS. We also posted the source code of ForenVisor on Github.

Igor Korkin,Ivan Nesterov

DOI: https://doi.org/10.48550/arXiv.1506.04129

2015-06-13

Abstract:Volatile memory dump and its analysis is an essential part of digital forensics. Among a number of various software and hardware approaches for memory dumping there are authors who point out that some of these approaches are not resilient to various anti-forensic techniques, and others that require a reboot or are highly platform dependent. New resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures e.g. page tables. A new memory forensic system - Malware Analysis System for Hidden Knotty Anomalies (MASHKA) is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for doing a wide range of memory forensics tasks. This paper describes how to apply the system for research and detection of kernel mode rootkits and also presents analysis of the most popular anti-rootkit tools.

Cryptography and Security

Roberto di Pietro,Federico Franzoni,Flavio Lombardi

DOI: https://doi.org/10.48550/arXiv.1601.05851

2016-01-22

Operating Systems

Abstract:Effectively protecting the Windows OS is a challenging task, since most implementation details are not publicly known. Windows has always been the main target of malwares that have exploited numerous bugs and vulnerabilities. Recent trusted boot and additional integrity checks have rendered the Windows OS less vulnerable to kernel-level rootkits. Nevertheless, guest Windows Virtual Machines are becoming an increasingly interesting attack target. In this work we introduce and analyze a novel Hypervisor-Based Introspection System (HyBIS) we developed for protecting Windows OSes from malware and rootkits. The HyBIS architecture is motivated and detailed, while targeted experimental results show its effectiveness. Comparison with related work highlights main HyBIS advantages such as: effective semantic introspection, support for 64-bit architectures and for latest Windows (8.x and 10), advanced malware disabling capabilities. We believe the research effort reported here will pave the way to further advances in the security of Windows OSes.

Arash Habibi Lashkari,Ali A. Ghorbani,Mahdi Daghmehchi Firoozjaei

DOI: https://doi.org/10.1080/23742917.2022.2100036

2022-07-28

Journal of Cyber Security Technology

Abstract:As part of the incident response process, the memory forensics tools extract forensic artifacts and display them. Many memory forensics analysis tools are being developed to address the challenges of modern cybercrimes. Investigations are successful when they have an accurate analysis provided by a memory forensics tool that consumes resources reasonably. This paper presents a comparative analysis of three dominant memory forensics tools: Volatility, Autopsy, and Redline. We consider three malware behaviour scenarios and evaluate the forensics capabilities of these tools in each. We also experimentally measure the CPU and memory consumption of each for memory analysis in other operational states. We find that Volatility provides the most accurate memory analysis. Our measurements show that Redline consumes more CPU resources, and Autopsy needs more memory resources to analyze a memory image file. The results of our investigation will hopefully lead to tool improvement and more informed choices by users.

Imam Riadi,Rusydi Umar,Imam Mahfudl Nasrulloh

DOI: https://doi.org/10.21831/elinvo.v3i1.19308

2018-07-05

Abstract:Kejahatan komputer memiliki bukti digital dari tindak kejahatan dan perlu dilakukan analisa. Perkembangan teknologi komputer yang demikian pesat telah membawa perubahan pada bidang perangkat keras. Pada perangkat keras saat ini terdapat Solid State Drive (SSD) sebagai media penyimpanan utama komputer, karena teknologi SSD memiliki kecepatan akses data yang cepat. Penggunaan software pembeku drive pada komputer sering dilakukan oleh teknisi komputer, karena dapat menghemat biaya perawatan. Software tersebut digunakan untuk melindungi komputer dari perubahan yang tidak dikehendaki, sistem komputer yang tanam software tersebut menjadikan perubahan yang terjadi pada sistem komputer tidak disimpan pada media penyimpanan setelah komputer dimatikan. Ketika hal ini terjadi apa yang harus dilakukan oleh penyidik forensik digital. Penelitian ini membahas perbandingan terkait tool Forensik yang digunakan untuk proses eksaminasi dan analisa. Pengambilan salinan bukti digital dilakukan dengan metode forensik statik, sedangkan tahapan penelitian dan analisa mengadaptasi dan mengimplementasikan metode forensik dari National Institute of Justice (NIJ) untuk mendapatkan bukti digital. Software pembeku drive seperti Shadow Defender terbukti berpengaruh terhadap praktik eksaminasi forensik digital terhadap didapatkannya bukti-bukti digital, dengan kondisi tersebut prosentase keberhasilannya merestorasi file hanya 28,7% sehingga dapat menjadi hambatan dalam proses forensik digital.

Denis Pogonin,Igor Korkin

DOI: https://doi.org/10.48550/arXiv.2210.02821

2022-10-06

Abstract:Windows OS is facing a huge rise in kernel attacks. An overview of popular techniques that result in loading kernel drivers will be presented. One of the key targets of modern threats is disabling and blinding Microsoft Defender, a default Windows AV. The analysis of recent driver-based attacks will be given, the challenge is to block them. The survey of user- and kernel-level attacks on Microsoft Defender will be given. One of the recently published attackers techniques abuses Mandatory Integrity Control (MIC) and Security Reference Monitor (SRM) by modifying Integrity Level and Debug Privileges for the Microsoft Defender via syscalls. However, this user-mode attack can be blocked via the Windows 'trust labels' mechanism. The presented paper discovered the internals of MIC and SRM, including the analysis of Microsoft Defender during malware detection. We show how attackers can attack Microsoft Defender using a kernel-mode driver. This driver modifies the fields of the Token structure allocated for the Microsoft Defender application. The presented attack resulted in disabling Microsoft Defender, without terminating any of its processes and without triggering any Windows security features, such as PatchGuard. The customized hypervisor-based solution named MemoryRanger was used to protect the Windows Defender kernel structures. The experiments show that MemoryRanger successfully restricts access to the sensitive kernel data from illegal access attempts with affordable performance degradation.

Cryptography and Security,Operating Systems

Zlatan Morić,Vedran Dakić,Ana Kapulica,Damir Regvart

DOI: https://doi.org/10.3390/electronics13224546

IF: 2.9

2024-11-27

Electronics

Abstract:This article delves into Microsoft Azure's cyber forensic capabilities, focusing on the unique challenges in cloud security incident investigation. Cloud services are growing in popularity, and Azure's shared responsibility model, multi-tenant nature, and dynamically scalable resources offer unique advantages and complexities for digital forensics. These factors complicate forensic evidence collection, preservation, and analysis. Data collection, logging, and virtual machine analysis are covered, considering physical infrastructure restrictions and cloud data transience. It evaluates Azure-native and third-party forensic tools and recommends methods that ensure effective investigations while adhering to legal and regulatory standards. It also describes how AI and machine learning automate data analysis in forensic investigations, improving speed and accuracy. This integration advances cyber forensic methods and sets new standards for future innovations. Unified Audit Logs (UALs) in Azure are examined, focusing on how Azure Data Explorer and Kusto Query Language (KQL) can effectively parse and query large datasets and unstructured data to detect sophisticated cyber threats. The findings provide a framework for other organizations to improve forensic analysis, advancing cloud cyber forensics while bridging theoretical practices and practical applications, enhancing organizations' ability to combat increasingly sophisticated cybercrime.

engineering, electrical & electronic,computer science, information systems,physics, applied

Khushi Gupta,Phani Lanka,Cihan Varol

DOI: https://doi.org/10.1111/1556-4029.15548

2024-05-30

Journal of Forensic Sciences

Abstract:In the last decade, the market share and user base of social media applications have witnessed significant growth. However, this surge in popularity has inadvertently drawn the attention of criminals aiming to exploit these platforms for illicit activities. The forensic examination of these applications emerges as a pivotal avenue for uncovering valuable insights into criminal behavior and identifying suspects. Discord, a social media platform, has become a significant focal point for such illicit activities. In this paper, we examine the remnants of Discord on both Windows and Linux operating systems, employing storage, memory, and network analysis techniques to review the remnants of Discord. Our investigation reveals a range of crucial artifacts that have been successfully recovered across all three areas of analysis, including login and payment details, chat history, account information, and much more. Collectively, these artifacts constitute a valuable resource for forensic investigations, allowing the reconstruction of most of the user's activity.

medicine, legal

Jenny Ottmann,Frank Breitinger,Felix Freiling

DOI: https://doi.org/10.1145/3628600

IF: 2.717

2023-10-20

ACM Transactions on Privacy and Security

Abstract:Memory forensics is concerned with the acquisition and analysis of copies of volatile memory (memory dumps). Based on an empirical assessment of observable inconsistencies in 360 memory dumps of a running Linux system, we confirm a state of overwhelming inconsistency in memory forensics: Almost a third of these dumps had an empty process list and was therefore obviously incomplete. Out of those dumps that were analyzable, almost every second dump showed some form of inconsistency that potentially impacts the interpretation of the dump in a forensic investigation. These results are based on a new way to estimate the level of causal consistency of a memory dump. The factors influencing these inconsistencies are less clear but in general correlate with the level of concurrency (system load and number of threads).

computer science, information systems

Yong Gang Li,Chao Yuan Cui,Yun Wu,Bing Yu Sun

DOI: https://doi.org/10.12783/dtcse/iceiti2016/6143

2016-01-01

Abstract:Virtualization is increasing rapidly recent years. Virtual machines have become not only attack objects but also criminal tools for computer crimes. Memory forensics technology can collect the evidence of virtual machine crimes effectively. Traditional memory forensics tools are deployed into the host where attackers always try to hide or delete the data generated during attack process. As a result, they can be bypassed or cheated in virtual machines. Besides, to get the complete information traditional tools always expand the forensics scale leading to massive redundant information. For the sake of these problems, we propose a new method of virtual machine memory forensics based on event trigger mechanism named VMMF. The experiment results show that the new method can get the code section, data section, kernel stack content, dynamic-link library file, and execution path of the suspicious process in Linux. It just focuses on the suspicious process content reducing redundant information.

Muhammad Rashid Naeem,Mansoor Khan,Ako Muhammad Abdullah,Fazal Noor,Muhammad Ijaz Khan,Muhammad Asghar Khan,Insaf Ullah,Shah Room

DOI: https://doi.org/10.1155/2022/9156514

2022-10-03

Mobile Information Systems

Abstract:With the introduction of 4G/5G Internet and the increase in the number of users, the malicious cyberattacks on computing devices have been increased making them vulnerable to external threats. High availability windows servers are designed to ensure delivery of consistent services such as business activities and e-services to their customers without any interruption. At the same time, a cyberattack on any of the clustered computer can put servers and customer devices in danger. A memory dump mechanism can capture the contents of memory in the event of a system or device crash such as corrupted files, damaged hardware, or irregular CPU power consumption. In this paper, we present a smart memory forensics scheme to recognize malicious attacks over high availability servers by capturing the memory dump of suspicious processes in the form of RGB visual images. Second, the local and global properties of malware images are captured using local binary patterns (LBP) and gray-level co-occurrence matrices (GLCM). A state-of-the-art t-distributed stochastic neighbor embedding scheme (t-SNE) is applied to reduce data dimensionality and improve the detection time of unknown malwares and their variants. An optimized CNN model is designed to predict malicious files harming servers or user devices. Throughout this study, we employed public data set of 4294 malicious samples covering malware variants and benign executables. A baseline is prepared to compare the performance of proposed model with state-of-the-art malware detection methods. The combined LBP + GLCM feature extraction along with t-SNE dimensionality reduction scheme further improved the detection accuracy by 98%, whereas the detection time is also increased by 73x. The overall performance shows that memory forensics is more effective for malware detection in terms accuracy and response time.

computer science, information systems,telecommunications

Hassan Jalil Hadi,Irshad ullah,Sheetal Harris

2023-07-10

Abstract:Traditional hard drives consisting of spinning magnetic media platters are becoming things of the past as with the emergence of the latest digital technologies and electronic equipment, the demand for faster, lighter, and more reliable alternate storage solutions is imperative. To attain these requirements, flash storage technologies like Solid State Drive (SSD) has overtaken traditional hard disk drives. In a forensic analysis of flash storage devices, forensic investigators are facing severe challenges for the reason that the sovereign behavior of solid-state storage media does not look favorable compared to traditional storage media devices. Wear Leveling, a fundamental mechanism in Solid State Drive (SSD), plays a severe challenge that most often destroys forensic evidence in many cases. It makes it complicated for forensic investigators to recover the necessary evidence. Persistence of deleted data in flash storage media depends on various factors like the Garbage Collection process, TRIM command, flash media type, manufacturer, capacity, file system, type of file saved, and the Operating System, etc. In view of this, extensive experiments conducted to identify the probability of data recovery and carving. Analyzed effects of Wear Leveling and Garbage Collection processes in Solid State Drive (SSD) of different manufacturers, having the same storage capacities and with a different type of files utilized. In conclusion, experimental findings established the fact that Wear Leveling in solid-state media can obfuscate digital evidence, and a conventional assumption regarding the behavior of storage media is no more valid. Moreover, data persistency also depends on the manufacturers, time-lapse of forensic analysis after data deletion, type of files, and size of files stored in Solid State Drives (SSD).

Cryptography and Security,Information Theory

Asad Arfeen,Muhammad Asim Khan,Obad Zafar,Usama Ahsan

DOI: https://doi.org/10.1002/cpe.6672

2021-10-11

Concurrency and Computation: Practice and Experience

Abstract:Ransomware is an emerging category of malware that locks computer data via powerful cryptographic algorithms. The global propagation of ransomware is a serious threat for individuals and organizations. The banking sector and financial institutions are the prime targets of such ransomware attacks. In case of such an attack, the field of digital forensics helps in estimation of the severity and data loss caused by the attack. Traditional digital forensics investigations make use of static or behavioral analysis to detect malware in infected systems. However, these procedures are challenged by malware obfuscation techniques. Malicious processes can stay inactive and undetected if only a single memory dump is analyzed. Thus, there is a need to collect numerous memory dumps of an individual program that can help with comprehensive and accurate analysis. In this article, we have developed a framework for volatile memory acquisition at regular time intervals to analyze the behavior of individual processes in memory. Through memory forensics, salient features are extracted from the infected memory dumps. These features can be utilized to classify malicious and benign processes efficiently through machine learning as compared to conventional techniques.

Herschel Bowling,Kathryn Seigfried-Spellar,Umit Karabiyik,Marcus Rogers

DOI: https://doi.org/10.1111/1556-4029.15208

Abstract:Microsoft released a new communication platform, Microsoft Teams, in 2017. Due in part to COVID-19, the popularity of communication platforms, like Microsoft Teams, increased exponentially. Given its user base and increased popularity, it seems likely that digital forensic investigators will encounter cases where Microsoft Teams is a relevant component. However, because Microsoft Teams is a relatively new application, there is limited forensic research on the application particularly focusing on mobile operating systems. To address this gap, an analysis of data stored at rest by Microsoft Teams was conducted on the Windows 10 operating system as well as on Android and Apple iOS mobile operating systems. Basic functionalities, such as messaging, sharing files, participating in video conferences, and other functionalities that Teams provides, were performed in an isolated testing environment. Cellebrite UFED Physical Analyzer and Magnet AXIOM Examine tools were used to analyze the mobile devices and the Windows device, respectively. Manual or non-automated investigation recovered, at least partially, the majority of artifacts across all three operating systems. In this study, a total of 77.6% of the populated artifacts were partially or fully recovered in the manual investigation. On the other hand, forensic tools used did not automatically recover many of the artifacts found with the manual investigation. Only 13.8% of artifacts were partially or fully recovered by the forensic tools across all three devices. These discovered artifacts and the results of the investigations are presented in order to aid digital forensic investigations.