フォレンジックアーティファクトリファレンス
デジタルフォレンジックのアーティファクトについて、内容、保存場所、調査での活用方法を整理した実務向けカタログです。
35件のアーティファクトを掲載中です。
Windows
13 件のアーティファクトShell Bags
Windows Explorer view preferences recorded per-folder in UsrClass.dat. Shell Bags prove a user navigated to a folder, even after the folder or attached volume is long gone.
Amcache.hve
Compatibility database introduced in Windows 8 that records every PE file executed on the system, including SHA-1 hash, full path, publisher, and first-seen timestamp.
UserAssist
Per-user registry key recording GUI-launched programs with ROT13-obfuscated paths, focus count, and last execution time — proving interactive user execution of a binary.
MUICache
Per-user cache of application display names written the first time a binary runs. Every entry is evidence that the user ran that binary at least once.
Prefetch Files
Windows Prefetch stores up to the last 8 execution times of a binary along with loaded DLLs and volume information — a foundational timeline artifact for Windows investigations.
Shimcache (AppCompatCache)
Application Compatibility Cache stores up to 1024 executed binary records with full path and last-modified timestamp. Persists even when a binary is deleted.
BAM / DAM
Background Activity Moderator and Desktop Activity Moderator record last-execution timestamps per user SID for every binary the system considers interactive.
TypedURLs
Internet Explorer / Edge Legacy registry key storing the last 25 URLs a user typed manually into the address bar — stronger evidence than a general visit record.
RecentDocs
Explorer tracks recently opened files per extension in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs, including files on removed storage.
AppCompatCache Flags
Application compatibility flags set per-binary by Windows and optionally by malware to modify how executables run. Layered onto Shimcache telemetry.
WiFi Profile Registry
Windows stores every SSID a machine has connected to under HKLM, along with connection timestamps and MAC address of the AP — strong location evidence.
Windows Bluetooth Pairings
Windows records paired Bluetooth devices under HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices, preserving MAC and name after unpairing.
USB Device Connection History
Windows records every USB mass-storage device plugged in, keyed by vendor/product ID and serial number, with first- and last-connection timestamps.
macOS
6 件のアーティファクトKnowledgeC.db
CoreDuet database that logs per-user application focus, device lock/unlock, USB attach, battery, Bluetooth pairing, and Siri events — a macOS/iOS timeline goldmine.
TCC Database
Transparency, Consent, and Control SQLite database recording which applications were granted access to camera, microphone, contacts, photos, screen recording, and full-disk access.
FSEvents
Per-volume filesystem change journal. Records creation, deletion, rename, and ownership changes for every file — the macOS analogue of USN journal.
LaunchServices Quarantine Events
Per-user SQLite log of every file downloaded through a quarantine-aware application (Safari, Chrome, Mail, AirDrop) with source URL and user agent.
Unified Logs
Apple's unified logging framework stores structured system, security, and application events in compressed .tracev3 files for roughly 30 days of retention.
macOS Bluetooth plist
System Bluetooth configuration plist records paired devices with their MAC address, display name, device type, and last seen / last connected timestamps.
iOS
4 件のアーティファクトiOS SMS / iMessage (sms.db)
iOS stores SMS, MMS, and iMessage conversations in a single SQLite database including timestamps, read receipts, attachments, and reply threading.
iOS Call History
CallHistory.storedata logs every cellular, VoIP, FaceTime, and third-party call (WhatsApp, KakaoTalk) with duration, direction, and contact information.
iOS Safari History
Safari History.db records visits with timestamp, URL, title, visit count, and referrer. Combined with tabs.db it reconstructs a user's mobile browsing session.
KakaoTalk iOS
Korea's dominant messenger. iOS client stores chatrooms, messages, contacts, and attachment metadata in SQLite databases inside the app sandbox.
Android
4 件のアーティファクトAndroid SMS (mmssms.db)
Android Telephony provider stores SMS and MMS in a single SQLite database accessible via content providers, often recoverable even after app reinstall.
Android Call Log
contacts2.db logs every incoming, outgoing, missed, and rejected call with duration, contact, SIM slot, and call type including voicemail.
Android WiFi History
WifiConfigStore.xml and netpolicy.xml record every network the device connected to, including SSID, BSSID (MAC), and encryption type — strong location inference.
KakaoTalk Android
Android client of Korea's dominant messenger. Chatroom list, friends, multimedia thumbnails, and message ledgers are stored in SQLite databases under app data.
クロスプラットフォーム
3 件のアーティファクトKakaoTalk PC
The Windows desktop client of KakaoTalk stores chat history, contacts, and profile metadata in the user's AppData directory, each per account profile.
Telegram Desktop
Telegram Desktop stores cached chat messages, media, and session metadata in tdata/ — multimedia cache often survives server-side deletion.
LINE PC
LINE Desktop (Japan's dominant messenger) stores cached chat history, stickers, and call logs in user AppData — critical for cases involving Japanese-language evidence.
Linux
5 件のアーティファクトBash Shell History
Per-user record of every interactive shell command executed by Bash, written to ~/.bash_history on logout (or in real time when HISTTIMEFORMAT and PROMPT_COMMAND are configured).
Linux Syslog
Plain-text system event log written by rsyslog or syslog-ng, recording kernel messages, daemon output, cron jobs, and (on older distros) authentication events. Standard format on Debian/Ubuntu and RHEL/CentOS systems without journald-only logging.
systemd Journal (journald)
Binary, structured, indexed log store written by systemd-journald. Contains kernel ring buffer, dmesg, all unit (service) output, and authenticated metadata such as UID, GID, PID, command line, and SELinux context for every entry.
Linux Auth Log
Authentication and authorization events emitted by PAM-aware services — sshd logins, sudo invocations, su attempts, screen unlocks, and polkit decisions. The first place to look when scoping a Linux compromise.
Linux Cron & Scheduler Artifacts
Time-based job scheduler configuration (system and per-user crontabs, drop-in directories) plus the execution log written by cron/anacron. Key artifact for persistence detection on Linux servers.