SANS Digital Forensics and Incident Response Blog

Digital Forensics: Introducing ForensicArtifacts.com

There always seem to be common questions asked on forensic mailing lists, forums, and blogs. One of the common questions is, "Does anyone have contact information for ABC company?" Another question commonly seen is, "Has anyone dealt with ABC program or have a whitepaper for it?" The first question is solved by the ISP list at Search.org. The second question didn't have a unified source of information — until now.

The website ForensicArtifacts.com was recently launched to provide a reference database for forensic examiners looking for specific information on artifacts of operating systems, programs, and user activity. The website was set up in blog format allowing examiners to subscribe to the RSS feed or simply visit the site and use the global search functions. There is also a Twitter feed that will keep examiners up to date with the latest submissions.

The main goal for this site is to become a useful resource for the forensic community. As such, we also rely on the community for submissions. Please take a look at our submit page and consider donating some of your time and expertise to populating the website.

Once Forensic Artifacts has a significant following, several other goals will be accomplished. We will be able to provide a monthly report of user activity including the most viewed artifacts and the most searched for items. This should give examiners insight into rising activity of popular programs or newly circulated malware. The site will also be able to feed forensic triage programs (mainly WindowsRipper) by providing intelligence and common artifacts to look for.

As this is truly meant to become a community resource, we welcome any and all input from the forensic community. Please feel free to let us know if you think something should be added or changed. You can leave a comment here or send an email to Matt Churchill or Joe Garcia.

Matt Churchill currently manages the digital forensics practice at Continuum Worldwide and has earned the GCFA, CFCE, CCE, and CISSP certifications. You can follow him on Twitter at @matt_churchill.

Joe Garcia is a Law Enforcement Officer with over 16 years of experience, the last 4 of which he has been assigned to conduct computer crime investigations and digital forensics. He holds the GIAC GSEC Gold, GCIH Silver and AccessData ACE certifications. You can follow Joe on Twitter at @jgarcia62. Joe is also the host of the Cyber Crime 101 podcast, which can be found at www.cybercrime101.com and @cybercrime101 on Twitter.

4 Comments

Posted August 18, 2010 at 3:11 PM

Linux Geek

Is a blog really the best format for that? Additionally, how about an open license so it can't do a CDDB and disappear?

Posted August 18, 2010 at 4:55 PM

Matt Churchill

That's a fair question and the answer is: probably not. However, I chose a blog format because it was easy to set up, easy to maintain, and easy for people to follow the posts and search through them. It was also the least expensive for me to set up in terms of both time and money.
The information provided on the site is publicly available and anyone can do whatever they want with it. I don't plan on it disappearing anytime soon.
Thanks for the comments.

Posted August 18, 2010 at 9:28 PM

Geoff Black

Agree with Linux Geek - you're going to have fun migrating this later when the site inevitably grows and the blog format outlives its usefulness. It's all about implementation, ease of use, and quality of presentation. Be careful with the categories list / interface as you may see it grow out of control if you're not careful and judicious. Further on to that point, I'd like to see a way to browse tags, not just search for them - this could alleviate categorization issues. Great idea, glad to see the beginnings of a new repository out there.

Posted August 19, 2010 at 1:55 PM

Matt Churchill

Thanks, Geoff. I added a Tag Cloud, which probably isn't exactly what you're looking for but we can refine it as we go along.
Appreciate the comments.