Disk, Memory, Network, and Log Artifacts
Key Takeaways
- Artifacts are traces (files, processes, connections, registry keys, logs) used to reconstruct what happened.
- Disk artifacts reveal persistence, downloads, deleted files, and user activity; memory reveals running state, injected code, and keys.
- Network artifacts show destinations, protocols, and data volume; logs supply who-did-what-when but can have gaps.
- No single artifact is conclusive; strong investigations correlate disk, memory, network, and log sources into one timeline.
- Missing data is itself a finding—absence of logs can mean a stopped agent, lost connectivity, or tampering, not absence of activity.
What Artifacts Tell You
Artifacts are the traces left behind by systems, users, applications, and attackers. Investigators use them to answer five questions: what ran, what changed, what was accessed, what communicated, and when it happened. SY0-701 expects you to match each question to the artifact source most likely to hold the answer, and to recognize when one source alone is too weak to support a conclusion.
The Four Artifact Sources
| Source | Examples | Questions answered |
|---|---|---|
| Disk | Files, file metadata (MAC times), browser history, Windows Registry, prefetch, $MFT, deleted-file remnants, startup items | What was downloaded, created, modified, or configured? |
| Memory | Running processes, loaded DLLs, open network sockets, command lines, injected code, plaintext keys | What was executing at capture time? |
| Network | Full packet capture (PCAP), NetFlow, DNS queries, proxy, firewall, and VPN logs | Which systems communicated, over what protocol, and how much data moved? |
| Logs | Authentication, EDR, OS (Windows Event/syslog), application, and cloud audit events | Who did what, from where, and when? |
Each source has blind spots. Disk misses fileless activity that never wrote to storage. Memory vanishes seconds after power-off. Network logs may lack packet payloads (especially under TLS). Logs can be incomplete, rotated, or tampered with. That is why corroboration across sources is the recurring exam theme.
Disk Detail: MAC Times and the Registry
File metadata records MAC times — Modified, Accessed, and Created (Windows adds an Entry-changed value, giving MACE in NTFS). Comparing these timestamps to a download or process event helps confirm execution. The Windows Registry stores persistence: Run/RunOnce keys, services, and scheduled tasks survive reboots and are prime hunting ground for attacker footholds.
Incident Timeline Example
09:02:11 email gateway delivered benefits_update.xlsm to user snguyen
09:07:44 disk MAC time shows file opened from Downloads
09:07:49 memory capture shows excel.exe spawned powershell.exe
09:07:52 EDR command line contains base64-encoded script
09:07:55 DNS log shows query to sync-profile-example.net
09:07:58 firewall log shows outbound TLS to 198.51.100.45
09:08:20 Registry Run key created for updater.exe (persistence)
This timeline fuses email, disk, memory, EDR, DNS, firewall, and Registry evidence. Together they support a far stronger conclusion than any single alert, and they reveal the parent-child process chain (Office spawning PowerShell) that is a classic malicious-macro signature.
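The correlation step above, as an added example that is not part of the original notes: each source reports in its own local clock offset (the skew NTP is meant to remove), so every record is normalized to UTC before sorting, and the fused timeline is then scanned for the Office-spawns-PowerShell chain. Timestamps, pids, the internal address 10.0.0.23 and the record layout are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

@dataclass(order=True)
class Event:
    when: datetime   # always UTC after normalization
    source: str
    detail: str

# Constructed sample records: (source, local timestamp, source clock offset in hours, detail).
# The firewall and DNS server report in local time; everything else already reports UTC.
RAW_EVENTS = [
    ("email",    "2024-05-06 09:02:11",  0, "gateway delivered benefits_update.xlsm to snguyen"),
    ("firewall", "2024-05-06 05:07:58", -4, "outbound TLS 10.0.0.23 -> 198.51.100.45:443"),
    ("edr",      "2024-05-06 09:07:49",  0, "excel.exe (pid 4120) spawned powershell.exe (pid 4188)"),
    ("dns",      "2024-05-06 11:07:55",  2, "10.0.0.23 query sync-profile-example.net"),
    ("edr",      "2024-05-06 09:07:52",  0, "powershell.exe -enc <base64 redacted>"),
    ("registry", "2024-05-06 09:08:20",  0, "HKCU Run key created: updater.exe"),
    ("disk",     "2024-05-06 09:07:44",  0, "MAC: benefits_update.xlsm accessed in Downloads"),
]

def normalize(source, local_ts, offset_hours, detail):
    """Attach the source's known UTC offset, then convert the timestamp to UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    when = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return Event(when.astimezone(timezone.utc), source, detail)

def build_timeline(raw=RAW_EVENTS):
    """One UTC-ordered timeline across all artifact sources."""
    return sorted(normalize(*r) for r in raw)

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe")

def find_office_spawns(timeline):
    """Flag the parent-child chain the notes call a classic macro signature:
    an Office process spawning PowerShell, as recorded in EDR process events."""
    hits = []
    for ev in timeline:
        if ev.source == "edr" and " spawned " in ev.detail:
            parent, child = ev.detail.split(" spawned ")
            if parent.split(" ")[0] in OFFICE_APPS and "powershell" in child:
                hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in build_timeline():
        print(ev.when.strftime("%H:%M:%S"), ev.source.ljust(8), ev.detail)
    print("office->powershell chains:", len(find_office_spawns(build_timeline())))
```

Without the offset correction the firewall record would sort four hours before the phishing email, which is exactly the kind of ordering error clock skew produces.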
Matching Questions to Artifacts
| Investigative question | Best artifact candidates |
|---|---|
| Did the user open the attachment? | MAC times, application recent-files list, EDR process history |
| What command executed? | EDR command line, PowerShell ScriptBlock logs, memory process list |
| Did the host reach command-and-control? | DNS, proxy, firewall logs, PCAP |
| Was persistence installed? | Startup folder, services, scheduled tasks, Registry Run keys |
| Was data staged or compressed? | Archive files, temp directories, shell history, EDR file events |
| Was cloud data accessed? | Cloud audit logs, identity-provider sign-in logs |
Memory Detail: Why RAM Is Gold
Memory forensics is emphasized on SY0-701 because modern attacks are increasingly fileless — malicious code runs entirely in RAM (for example, a PowerShell payload reflectively loaded into memory) and never touches disk, so a disk image alone would show nothing. A memory capture can reveal the malicious process, its command line, the parent that spawned it, open sockets to command-and-control, injected code in a legitimate process (process hollowing), and even plaintext credentials or decryption keys that the operating system holds in cleartext while in use.
Tools that capture RAM unavoidably write a small footprint into memory themselves, which is why the responder documents the exact tool, version, and time so the analyst can account for that footprint later.
Network Detail: Flows Versus Full Capture
Network evidence comes in two grades. NetFlow (and proxy/firewall logs) records metadata — source, destination, port, protocol, byte counts, and timing — but not payload. It is compact, widely retained, and answers "how much data moved where." Full packet capture (PCAP) records the actual bytes, answering "what was sent," but is storage-heavy and is blunted by TLS encryption, which hides payloads even when you have the packets. A common exam scenario gives you a large outbound NetFlow record to a foreign IP and asks what it proves: it proves volume and destination, not the contents. To recover contents you would need PCAP plus the session keys, or an endpoint artifact.
Log Detail: Centralization and Retention
Local logs are easy for an attacker to clear. A SIEM (Security Information and Event Management platform) forwards events off the host in near-real time, so even if local logs are wiped, the centralized copy survives. Retention policy decides how far back you can look: a 24-hour retention window means events from last week are simply gone, which is a limitation your report must state rather than treat as proof of no activity. Time synchronization via NTP is what lets you align events from the firewall, the endpoint, and the identity provider onto one timeline; without it, clock skew can make a later event appear earlier.
Log Gaps Are Evidence
Investigators must notice missing data. A host that goes silent right after a suspicious process started may have lost connectivity, had its EDR agent killed, or suffered log tampering. A spotless timeline with zero failed logins may simply mean identity logs were retained for only one day and the relevant events aged out.
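The two gap cases above (an agent that goes silent right after a suspicious process, and a query window that reaches past the retention period), as an added example that is not part of the original notes. The EDR heartbeat log, host names, retention window and "now" are constructed; the suspicious-process time reuses the excel.exe-to-powershell.exe event from the timeline.

```python
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

# Constructed EDR agent heartbeats: (host, timestamp). Agents report every 60 s.
# WS-23 stops reporting shortly after the suspicious process; WS-41 keeps reporting.
HEARTBEATS = [
    ("WS-23", "2024-05-06T09:05:00"), ("WS-23", "2024-05-06T09:06:00"),
    ("WS-23", "2024-05-06T09:07:00"), ("WS-23", "2024-05-06T09:08:00"),
    ("WS-41", "2024-05-06T09:05:00"), ("WS-41", "2024-05-06T09:29:00"),
]
# Constructed: host -> time of the suspicious event seen on it (excel.exe spawning powershell.exe).
SUSPICIOUS = {"WS-23": parse("2024-05-06T09:07:49")}
NOW = parse("2024-05-06T09:30:00")
RETENTION = timedelta(hours=24)   # constructed SIEM retention window

def silent_hosts(heartbeats, suspicious, now,
                 interval=timedelta(seconds=60), tolerance=3):
    """Return (host, last_seen, follows_suspicious) for every host whose last
    heartbeat is more than `tolerance` intervals old. follows_suspicious is
    True when a suspicious event on that host occurred at or just before the
    silence began: that pattern points at a killed agent or lost connectivity
    right after the activity, not at a quiet host."""
    last = {}
    for host, ts in heartbeats:
        t = parse(ts)
        last[host] = max(last.get(host, t), t)
    findings = []
    for host, last_seen in sorted(last.items()):
        if now - last_seen > interval * tolerance:
            trigger = suspicious.get(host)
            follows = trigger is not None and trigger <= last_seen + interval
            findings.append((host, last_seen.isoformat(), follows))
    return findings

def coverage_verdict(query_start, now, retention):
    """Separate 'searched and found nothing' from 'outside retention'."""
    oldest_available = now - retention
    if query_start < oldest_available:
        return "no coverage before %s; absence is not evidence" % oldest_available.isoformat()
    return "window fully covered; absence of events is meaningful"

if __name__ == "__main__":
    for host, last_seen, follows in silent_hosts(HEARTBEATS, SUSPICIOUS, NOW):
        print(host, "silent since", last_seen, "after suspicious event:", follows)
    print(coverage_verdict(parse("2024-05-04T00:00:00"), NOW, RETENTION))
```

The report wording differs for each verdict: a silent host after a suspicious event is a lead to pursue, while a query that starts before the retention boundary is a stated limitation, never a clean bill of health.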
Common Traps
- Assuming no log means no activity.
- Examining only disk when malware ran almost entirely in memory.
- Treating a DNS lookup as proof a full connection or transfer succeeded.
- Ignoring time-zone and clock-skew differences across log sources.
- Forgetting that NAT, proxies, and shared accounts blur attribution.
- Building a conclusion from one artifact without corroboration.
Which artifact is most likely to show processes that were running at the exact time of capture?
Which artifacts can help determine whether a suspicious attachment executed? Select three.
A DNS log shows a lookup for a suspicious domain. What is the most defensible interpretation?