Disk, Memory, Network, and Log Artifacts
Key Takeaways
- Forensic artifacts are traces that help reconstruct activity, such as files, processes, connections, registry keys, and logs.
- Disk artifacts can show persistence, file access, downloads, deleted files, and user activity.
- Memory artifacts can reveal running processes, network connections, injected code, credentials, and encryption keys.
- Network artifacts show communication patterns, destinations, protocols, and possible data movement.
- Log artifacts provide event history, but they must be correlated and checked for gaps or tampering.
Artifacts are traces left by systems, users, applications, and attackers. Investigators use artifacts to answer questions: what ran, what changed, what was accessed, what communicated, and when did it happen?
Artifact Types
| Artifact source | Examples | Questions answered |
|---|---|---|
| Disk | Files, metadata, browser history, registry, startup items, deleted files | What was downloaded, created, modified, or configured? |
| Memory | Processes, loaded modules, network sockets, command lines, injected code | What was running at capture time? |
| Network | Packet capture, flow logs, DNS, proxy, firewall, VPN logs | What systems communicated and how much data moved? |
| Logs | Authentication, EDR, operating system, application, cloud audit events | Who did what, from where, and when? |
No single artifact source is complete. Disk misses activity that never touched storage. Memory is volatile: it is lost at reboot and overwritten as the system keeps running, so a capture is a snapshot of one moment. Network sources often record only metadata (flows, DNS queries, connection summaries) rather than full packet contents. Logs can be incomplete, misconfigured, or tampered with. Strong investigations corroborate each finding across several sources.
Incident Timeline Example
09:02:11 email gateway delivered attachment benefits_update.xlsm to user snguyen
09:07:44 disk artifact shows file opened from Downloads
09:07:49 memory capture shows excel.exe spawned powershell.exe
09:07:52 command line contains encoded script
09:07:55 DNS log shows query to sync-profile-example.net
09:07:58 firewall log shows outbound TLS to 198.51.100.45
09:08:20 registry run key created for updater.exe
This timeline combines email, disk, memory, DNS, firewall, and registry evidence. Together they support a stronger conclusion than any single alert.
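The timeline above was assembled by hand. The script below is an added example, not code from the original page, that does the same merge programmatically over constructed sample records in the shapes these sources commonly produce: ISO 8601 with an explicit offset from the mail gateway, epoch seconds from EDR, a resolver-style line, a syslog-style firewall line with no year and no zone, and naive local timestamps from host-side disk and registry tooling. The host name WS-0413, the site offset of UTC-4, the log year, and the exact line layouts are assumptions for the illustration. The point it shows is that every timestamp must be normalized to UTC before ordering: treating the firewall's local 09:07:58 as UTC would place it four hours before the resolver's 13:07:55 entry and break the chain.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Assumed site settings (hypothetical): sources that log naive local time
# sit in UTC-4, and syslog lines carry no year so one must be supplied.
LOCAL_TZ = timezone(timedelta(hours=-4))
LOG_YEAR = 2024


@dataclass(frozen=True)
class Event:
    ts: datetime      # timezone-aware, normalized to UTC
    source: str
    detail: str


def to_utc(ts: datetime) -> datetime:
    """Attach the assumed local zone to naive timestamps, then convert to UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=LOCAL_TZ)
    return ts.astimezone(timezone.utc)


def parse_gateway(line: str) -> Event:
    # "2024-05-14T09:02:11-04:00 ..." : ISO 8601 with an explicit offset
    stamp, _, rest = line.partition(" ")
    return Event(to_utc(datetime.fromisoformat(stamp)), "email", rest)


def parse_edr(line: str) -> Event:
    # "1715692069 ..." : epoch seconds, which are UTC by definition
    stamp, _, rest = line.partition(" ")
    return Event(datetime.fromtimestamp(int(stamp), tz=timezone.utc), "edr", rest)


def parse_resolver(line: str) -> Event:
    # "14-May-2024 13:07:55.412 ..." : resolver assumed to be configured to log in UTC
    m = re.match(r"(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ (.*)", line)
    ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "dns", m.group(2))


def parse_syslog(line: str, source: str) -> Event:
    # "May 14 09:07:58 fw01 ..." : no year and no zone, both must be supplied
    m = re.match(r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (.*)", line)
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return Event(to_utc(ts), source, m.group(2))


def parse_naive_local(line: str, source: str) -> Event:
    # "2024-05-14 09:08:20 ..." : naive local time from host-side tooling
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return Event(to_utc(ts), source, line[20:])


PARSERS = {
    "email": parse_gateway,
    "disk": lambda line: parse_naive_local(line, "disk"),
    "edr": parse_edr,
    "dns": parse_resolver,
    "firewall": lambda line: parse_syslog(line, "firewall"),
    "registry": lambda line: parse_naive_local(line, "registry"),
}

# Constructed sample records for the incident above (hypothetical host and
# user; the IP is from the 198.51.100.0/24 documentation range).
SAMPLE = {
    "email": ["2024-05-14T09:02:11-04:00 delivered benefits_update.xlsm to snguyen"],
    "disk": ["2024-05-14 09:07:44 LNK file: C:\\Users\\snguyen\\Downloads\\benefits_update.xlsm opened"],
    "edr": [
        "1715692069 host=WS-0413 excel.exe spawned powershell.exe",
        "1715692072 host=WS-0413 powershell.exe command line: -nop -w hidden -enc <base64>",
    ],
    "dns": ["14-May-2024 13:07:55.412 client WS-0413 query: sync-profile-example.net IN A"],
    "firewall": ["May 14 09:07:58 fw01 allow tcp WS-0413 -> 198.51.100.45:443"],
    "registry": ["2024-05-14 09:08:20 HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater = C:\\Users\\snguyen\\AppData\\Roaming\\updater.exe"],
}


def build_timeline(sources: dict) -> list:
    """Parse every line with its source's parser and order by UTC timestamp."""
    events = [PARSERS[name](line) for name, lines in sources.items() for line in lines]
    return sorted(events, key=lambda e: e.ts)


def render(timeline) -> list:
    """One line per event, always in UTC, so gaps and ordering read correctly."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.source:<8} {e.detail}" for e in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(SAMPLE))))
```

Keep the original line text in the `detail` field rather than only a summary: when a conclusion is challenged later, the raw record is what gets re-examined. Sources that emit naive timestamps (Windows event exports, registry tooling, syslog) are the usual cause of timelines that are off by exactly one time zone offset.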
Evidence Table
| Question | Best artifact candidates |
|---|---|
| Did the user open the attachment? | File access metadata, application recent files, EDR process history |
| What command executed? | EDR command line, PowerShell logs, memory process list |
| Did the host contact command infrastructure? | DNS logs, firewall logs, proxy logs, packet capture |
| Was persistence installed? | Startup folder, services, scheduled tasks, registry run keys |
| Was data staged or compressed? | Archive files, temp directories, shell history, EDR file events |
| Was cloud data accessed? | Cloud audit logs, identity logs, application logs |
Common Log Gaps
Investigators must notice missing data, not only the data that is present. A host that stops logging right after a suspicious process start may have lost network connectivity, had its agent stopped, or had its logs tampered with. Each explanation leads to a different next step, so check a second source, such as firewall or DHCP logs, to learn whether the host stayed active on the network while its own logs went quiet. A clean-looking timeline with no failed logins may simply be incomplete: if identity logs were retained for only one day and the investigation window starts earlier, the absence of failures proves nothing about the uncovered period.
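A gap is only visible if you look for it. The script below is an added example, not code from the original page, that scans constructed per-host EDR event times for silences longer than an assumed heartbeat tolerance, reports the first silence that begins at or after the suspicious process start, uses firewall sightings as a second source to separate "host offline" from "agent stopped or logs tampered", and measures how much of an investigation window falls before a source's retention start. The host names, the 5-minute agent cadence, the firewall sightings, and the one-day retention boundary are all assumptions for the illustration.

```python
from datetime import datetime, timedelta, timezone


def at(stamp: str) -> datetime:
    """Constructed UTC timestamp: 'YYYY-MM-DD HH:MM:SS', or 'HH:MM:SS' on 2024-05-14."""
    if len(stamp) == 8:
        stamp = "2024-05-14 " + stamp
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed sample: EDR heartbeat/event times per host (hypothetical names).
# WS-0413 goes silent shortly after the suspicious process start; WS-0101
# keeps reporting on its normal 5-minute cadence.
EDR_EVENTS = {
    "WS-0413": [at("09:00:00"), at("09:05:00"), at("09:07:49"), at("09:08:20"),
                at("11:40:00"), at("11:45:00")],
    "WS-0101": [at("09:00:00"), at("09:05:00"), at("09:10:00"), at("09:15:00"),
                at("09:20:00")],
}
# Constructed firewall sightings: WS-0413 is still talking on the network
# while its EDR is silent, which argues against a simple disconnect.
FIREWALL_SEEN = {"WS-0413": [at("09:30:12"), at("10:15:40")], "WS-0101": []}

SUSPICIOUS_START = at("09:07:49")
HEARTBEAT = timedelta(minutes=5)     # assumed agent cadence
TOLERANCE = 2 * HEARTBEAT            # allow one missed beat before calling it a gap


def find_silences(timestamps, max_silence):
    """Return (start, end) pairs of consecutive events whose spacing exceeds max_silence."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]


def silence_after(timestamps, pivot, max_silence, window_end):
    """First silence that begins at or after pivot, or None.
    A host with events up to some point and nothing further before window_end
    is reported as a trailing silence with end=None."""
    ts = sorted(timestamps)
    for a, b in find_silences(ts, max_silence):
        if a >= pivot:
            return (a, b)
    if window_end - ts[-1] > max_silence:
        return (ts[-1], None)
    return None


def classify_silence(silence, network_seen):
    """Use a second source to narrow the explanation for a logging gap."""
    start, end = silence
    active = [x for x in network_seen if x > start and (end is None or x < end)]
    if active:
        return "host active on network during gap: suspect agent stopped or logs tampered"
    return "no network activity during gap: possible disconnect, sleep or shutdown"


def uncovered(window_start, window_end, retention_start):
    """How much of the investigation window predates the source's retention."""
    if retention_start <= window_start:
        return timedelta(0)
    return min(retention_start, window_end) - window_start


if __name__ == "__main__":
    for host, events in EDR_EVENTS.items():
        gap = silence_after(events, SUSPICIOUS_START, TOLERANCE, at("12:00:00"))
        if gap:
            print(host, gap, classify_silence(gap, FIREWALL_SEEN[host]))
    # Identity logs kept for one day; the investigation window starts the day before.
    print("uncovered:", uncovered(at("2024-05-13 08:00:00"), at("12:00:00"),
                                  at("2024-05-14 00:00:00")))
```

The tolerance of two heartbeats is a judgement call: set it from the agent's documented cadence, not from what the data happens to show, or a tampered host that reports at half rate will never be flagged. The retention check is cheap and is worth running for every source before stating that "no failed logins were seen".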
Common Traps
- Assuming no log means no activity.
- Looking only at disk when malware ran mostly in memory.
- Treating a DNS lookup as proof that a full connection succeeded.
- Ignoring time zone differences between logs.
- Forgetting that NAT, proxies, and shared accounts can blur attribution.
- Building a conclusion from one artifact without corroboration.
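The DNS trap is the one most often tripped, and it is why the timeline above pairs the DNS query with a firewall record. The script below is an added example, not code from the original page, that takes constructed resolver and firewall records (already normalized to UTC; a hypothetical client address, names under reserved example domains, and IPs from documentation ranges) and classifies each lookup by whether a connection from the same client to an answered address actually followed within a window, and if so whether it was allowed, carried data, or was denied. A lookup with no matching connection, an NXDOMAIN answer, and a denied connection each mean something different, and none of them proves that contact with the infrastructure occurred.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Tuple


class DnsQuery(NamedTuple):
    ts: datetime
    client: str
    qname: str
    rcode: str
    answers: Tuple[str, ...]


class FwEvent(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str
    bytes_out: int


def at(hms: str) -> datetime:
    """Constructed timestamp on 2024-05-14, already normalized to UTC."""
    return datetime.fromisoformat(f"2024-05-14T{hms}+00:00")


# Constructed sample records (hypothetical client 10.20.3.41; names under
# example domains; IPs from the 198.51.100/24, 203.0.113/24, 192.0.2/24 ranges).
DNS_LOG = [
    DnsQuery(at("13:07:55"), "10.20.3.41", "sync-profile-example.net", "NOERROR", ("198.51.100.45",)),
    DnsQuery(at("13:09:02"), "10.20.3.41", "cdn-assets.example", "NOERROR", ("203.0.113.7",)),
    DnsQuery(at("13:09:30"), "10.20.3.41", "x7q.example", "NXDOMAIN", ()),
    DnsQuery(at("13:10:05"), "10.20.3.41", "telemetry.example", "NOERROR", ("203.0.113.88",)),
    DnsQuery(at("13:11:40"), "10.20.3.41", "stage-cache.example", "NOERROR", ("192.0.2.19",)),
]
FIREWALL_LOG = [
    FwEvent(at("13:07:58"), "10.20.3.41", "198.51.100.45", 443, "allow", 18240),
    FwEvent(at("13:09:04"), "10.20.3.41", "203.0.113.7", 443, "allow", 0),    # handshake only
    FwEvent(at("13:10:06"), "10.20.3.41", "203.0.113.88", 443, "deny", 0),
]

# Verdicts, worded so the strength of the evidence is explicit.
NO_RESOLUTION = "name did not resolve: no connection possible through this lookup"
CONNECTED = "resolved and an allowed connection carried data: contact confirmed"
ATTEMPT_NO_DATA = "resolved and connection allowed but no payload logged: attempt, not a confirmed exchange"
BLOCKED = "resolved but connection denied at the firewall: attempt blocked"
LOOKUP_ONLY = "resolved, no matching connection seen: a lookup alone is not proof of contact"


def corroborate(dns_log, fw_log, window=timedelta(seconds=120)) -> dict:
    """Map each queried name to a verdict based on firewall events from the same
    client to any answered address within `window` after the query."""
    verdicts = {}
    for q in dns_log:
        if q.rcode != "NOERROR" or not q.answers:
            verdicts[q.qname] = NO_RESOLUTION
            continue
        matches = [f for f in fw_log
                   if f.src == q.client and f.dst in q.answers
                   and q.ts <= f.ts <= q.ts + window]
        if not matches:
            verdicts[q.qname] = LOOKUP_ONLY
        elif any(f.action == "allow" and f.bytes_out > 0 for f in matches):
            verdicts[q.qname] = CONNECTED
        elif any(f.action == "allow" for f in matches):
            verdicts[q.qname] = ATTEMPT_NO_DATA
        else:
            verdicts[q.qname] = BLOCKED
    return verdicts


if __name__ == "__main__":
    for name, verdict in corroborate(DNS_LOG, FIREWALL_LOG).items():
        print(f"{name:<26} {verdict}")
```

Three caveats apply to the matching rule. Resolver answers are cached, so a connection can follow a query by much more than the window, and later connections may have no query at all; a "lookup only" verdict therefore means "not corroborated here", not "did not happen". The client in the DNS log must be the real endpoint, not a forwarding resolver, or the source match fails. And traffic that does not traverse the logging firewall (east-west, split tunnel, or a NAT boundary that rewrites the source) will be invisible to this check, which is the same point the page makes about NAT and proxies blurring attribution.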
Review Questions
- Which artifact is most likely to show processes that were running at the time of capture?
- Which three artifacts can help determine whether a suspicious attachment executed?
- A DNS log shows a lookup for a suspicious domain. What is the best interpretation?