ArtifactExtractor – Extract common Windows Artifacts

After almost any attack, artifacts remain on the system that allow a security professional to identify the root cause of an incident. Specific utilities and techniques, such as extracting cookies, analysing browsing history, or dumping a process, can be used to detect malware or an exploit. If you need to extract artifacts from a Windows image, you can use ArtifactExtractor.

ArtifactExtractor is a script that extracts common Windows artifacts from source images and Volume Shadow Copies (VSCs). Artifacts found in VSCs are hashed and compared against the corresponding copy in the source image, which serves as the base image. This comparison lets the user see what changed relative to the initial installation.
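The hash-and-compare step described above, as an added illustration rather than ArtifactExtractor's own code: two directory trees stand in for a mounted base image and a mounted VSC, each listed artifact is hashed with SHA-256 on both sides, and only artifacts that are new or modified in the snapshot are reported. The artifact list and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Illustrative relative paths of artifacts to compare. Constructed for this
# example from the artifact categories the post names; not the tool's own list.
ARTIFACT_PATHS = [
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
    "Windows/System32/winevt/Logs/Security.evtx",
    "Windows/inf/setupapi.dev.log",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large hives and logs do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_artifacts(base_root, vsc_root, artifact_paths=ARTIFACT_PATHS):
    """Classify each artifact present in the VSC as new, modified or unchanged
    relative to the base image. Artifacts missing from the VSC are skipped,
    since there is nothing to extract from that snapshot."""
    results = {}
    for rel in artifact_paths:
        base_file = Path(base_root) / rel
        vsc_file = Path(vsc_root) / rel
        if not vsc_file.is_file():
            continue
        if not base_file.is_file():
            results[rel] = "new"
        elif sha256_file(base_file) != sha256_file(vsc_file):
            results[rel] = "modified"
        else:
            results[rel] = "unchanged"
    return results


def unique_artifacts(base_root, vsc_root, artifact_paths=ARTIFACT_PATHS):
    """Only the artifacts worth extracting from the VSC: those that differ from the base image."""
    statuses = compare_artifacts(base_root, vsc_root, artifact_paths)
    return sorted(rel for rel, status in statuses.items() if status != "unchanged")


def build_demo_tree():
    """Create constructed base-image and VSC trees with sample bytes in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="artifact_demo_"))
    base, vsc = root / "base", root / "vsc"
    sample_files = {
        base / "Windows/System32/config/SYSTEM": b"hive v1",
        base / "Windows/System32/config/SOFTWARE": b"software hive",
        base / "Windows/inf/setupapi.dev.log": b"setupapi",
        vsc / "Windows/System32/config/SYSTEM": b"hive v2",            # modified in snapshot
        vsc / "Windows/System32/config/SOFTWARE": b"software hive",    # identical to base
        vsc / "Windows/System32/winevt/Logs/Security.evtx": b"evtx",   # absent from base
        vsc / "Windows/inf/setupapi.dev.log": b"setupapi",             # identical to base
    }
    for path, data in sample_files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return base, vsc


if __name__ == "__main__":
    base_dir, vsc_dir = build_demo_tree()
    for rel, status in compare_artifacts(base_dir, vsc_dir).items():
        print(f"{status:10} {rel}")
    print("extract:", unique_artifacts(base_dir, vsc_dir))
```

In real use, `base_root` and `vsc_root` would be the mount points of the source image and of a shadow copy; the hash comparison is what keeps the output free of duplicate copies of hives and logs that never changed between the snapshot and the live volume.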

Some of the artifacts supported by this tool:

  1. Registry hives
  2. Event logs
  3. PowerShell command history
  4. Timeline activity history
  5. System Resource Usage Monitor
  6. System Center Configuration Manager software metering
  7. Backup registry hives
  8. Setupapi log
  9. Users' IE history
  10. Users' recycle bin files
  11. NTFS log file

The list is long, and it is important to create an image of the compromised machine rather than running the checks on the live system: performing forensics on a live system may alter file timestamps, registry keys and memory.

You can read more and download the tool over here:
