Forensic Artifact Reference
A working catalog of digital forensic artifacts — what they are, where to find them, and how they help investigators. Curated from real-world DFIR practice.
35 artifacts documented - updated as validated coverage expands.
Windows
13 artifacts
Shell Bags
Windows Explorer view preferences recorded per-folder in UsrClass.dat. Shell Bags prove a user navigated to a folder, even after the folder or attached volume is long gone.
Amcache.hve
Compatibility database introduced in Windows 8 that records every PE file executed on the system, including SHA-1 hash, full path, publisher, and first-seen timestamp.
UserAssist
Per-user registry key recording GUI-launched programs with ROT13-obfuscated paths, focus count, and last execution time — proving interactive user execution of a binary.
MUICache
Per-user cache of application display names written the first time a binary runs. Every entry is evidence that the user ran that binary at least once.
Prefetch Files
Windows Prefetch stores up to the last 8 execution times of a binary along with loaded DLLs and volume information — a foundational timeline artifact for Windows investigations.
Shimcache (AppCompatCache)
Application Compatibility Cache stores up to 1024 executed binary records with full path and last-modified timestamp. Persists even when a binary is deleted.
BAM / DAM
Background Activity Moderator and Desktop Activity Moderator record last-execution timestamps per user SID for every binary the system considers interactive.
TypedURLs
Internet Explorer / Edge Legacy registry key storing the last 25 URLs a user typed manually into the address bar — stronger evidence than a general visit record.
RecentDocs
Explorer tracks recently opened files per extension in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, including files on removed storage.
AppCompatCache Flags
Application compatibility flags set per-binary by Windows and optionally by malware to modify how executables run. Layered onto Shimcache telemetry.
WiFi Profile Registry
Windows stores every SSID a machine has connected to under HKLM, along with connection timestamps and MAC address of the AP — strong location evidence.
Windows Bluetooth Pairings
Windows records paired Bluetooth devices under HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices, preserving MAC and name after unpairing.
USB Device Connection History
Windows records every USB mass-storage device plugged in, keyed by vendor/product ID and serial number, with first- and last-connection timestamps.
macOS
6 artifacts
KnowledgeC.db
CoreDuet database that logs per-user application focus, device lock/unlock, USB attach, battery, Bluetooth pairing, and Siri events — a macOS/iOS timeline goldmine.
TCC Database
Transparency, Consent, and Control SQLite database recording which applications were granted access to camera, microphone, contacts, photos, screen recording, and full-disk access.
FSEvents
Per-volume filesystem change journal. Records creation, deletion, rename, and ownership changes for every file — the macOS analogue of the USN journal.
LaunchServices Quarantine Events
Per-user SQLite log of every file downloaded through a quarantine-aware application (Safari, Chrome, Mail, AirDrop) with source URL and user agent.
Unified Logs
Apple's unified logging framework stores structured system, security, and application events in compressed .tracev3 files for roughly 30 days of retention.
macOS Bluetooth plist
System Bluetooth configuration plist records paired devices with their MAC address, display name, device type, and last seen / last connected timestamps.
iOS
4 artifacts
iOS SMS / iMessage (sms.db)
iOS stores SMS, MMS, and iMessage conversations in a single SQLite database including timestamps, read receipts, attachments, and reply threading.
iOS Call History
CallHistory.storedata logs every cellular, VoIP, FaceTime, and third-party call (WhatsApp, KakaoTalk) with duration, direction, and contact information.
iOS Safari History
Safari History.db records visits with timestamp, URL, title, visit count, and referrer. Combined with tabs.db it reconstructs a user's mobile browsing session.
KakaoTalk iOS
Korea's dominant messenger. iOS client stores chatrooms, messages, contacts, and attachment metadata in SQLite databases inside the app sandbox.
Android
4 artifacts
Android SMS (mmssms.db)
Android Telephony provider stores SMS and MMS in a single SQLite database accessible via content providers, often recoverable even after app reinstall.
Android Call Log
contacts2.db logs every incoming, outgoing, missed, and rejected call with duration, contact, SIM slot, and call type including voicemail.
Android WiFi History
WifiConfigStore.xml and netpolicy.xml record every network the device connected to, including SSID, BSSID (MAC), and encryption type — strong location inference.
KakaoTalk Android
Android client of Korea's dominant messenger. Chatroom list, friends, multimedia thumbnails, and message ledgers are stored in SQLite databases under app data.
Cross-platform
3 artifacts
KakaoTalk PC
The Windows desktop client of KakaoTalk stores chat history, contacts, and profile metadata in the user's AppData directory, organized per account profile.
Telegram Desktop
Telegram Desktop stores cached chat messages, media, and session metadata in tdata/ — multimedia cache often survives server-side deletion.
LINE PC
LINE Desktop (Japan's dominant messenger) stores cached chat history, stickers, and call logs in user AppData — critical for cases involving Japanese-language evidence.
Linux
5 artifacts
Bash Shell History
Per-user record of every interactive shell command executed by Bash, written to ~/.bash_history on logout (or in real time when HISTTIMEFORMAT and PROMPT_COMMAND are configured).
Linux Syslog
Plain-text system event log written by rsyslog or syslog-ng, recording kernel messages, daemon output, cron jobs, and (on older distros) authentication events. Standard format on Debian/Ubuntu and RHEL/CentOS systems without journald-only logging.
systemd Journal (journald)
Binary, structured, indexed log store written by systemd-journald. Contains the kernel ring buffer (dmesg), all unit (service) output, and authenticated metadata such as UID, GID, PID, command line, and SELinux context for every entry.
Linux Auth Log
Authentication and authorization events emitted by PAM-aware services — sshd logins, sudo invocations, su attempts, screen unlocks, and polkit decisions. The first place to look when scoping a Linux compromise.
Linux Cron & Scheduler Artifacts
Time-based job scheduler configuration (system and per-user crontabs, drop-in directories) plus the execution log written by cron/anacron. Key artifact for persistence detection on Linux servers.