
One is Silver and the other Gold

Working cases over the last week, an old song that we sang as kids at summer camp has been on my mind.
The lyrics went something like this:

              Make new friends, but keep the old
              One is silver and the other gold

This same sentiment should be applied to the forensic world as well. Rephrasing to:

              Find new artifacts, but keep the old
              One is silver and the other gold

The recent cases I’ve worked have included new mobile tech we all need to know and learn. The thing is, it almost always includes PCs as well. Many times it also includes some kind of P2P program, from Ares and eMule to BitTorrent. Without fail, I continue to lean on the basic forensic knowledge I learned all those years ago in my first forensic training course in 2002.

Basic metadata like OS file dates/times cannot be properly interpreted without knowing the version of Windows running on the system (for example, how the Last Accessed timestamp behaves on versions after Windows XP). Foundational information like this, gathered from the Windows Registry, is paramount. Just about every forensic tool on the market can parse and produce this information. The important thing to remember is that as forensic analysts we use this type of Gold artifact to make sure our conclusions are correct and have the proper foundation.

We’ve all learned a lot about Shell Bags and Jump Lists. These are fantastic new resources to use during investigations. I would consider these the Silver artifacts that are so important in our industry to continue to learn about as systems change and evolve. What we don’t want to forget are the Gold artifacts that can be used to verify our findings. A great example that’s been around for years is the Internet Explorer (IE) history. Remember that IE tracks file and folder browsing as part of its history database. Even in Windows 10, filtering for “file:///” can give you not only files and folders opened, but also last accessed dates/times and number of times viewed. All while giving this information per user on the system. Just another Gold artifact I learned many years ago that continues to provide me great information.

It's important to keep in mind that Silver is also rare and desired. The sharing of new information and artifacts MUST continue and is VERY valuable to the community. Please keep that information coming! For all of us, new and veteran, it’s important not to forget the Gold artifacts that can be the foundation that you build your case on. When writing reports and explaining your findings, it’s important to educate your audience on these foundational artifacts and how they verify the more ancillary data that all the new scripts and tools provide.

Keep learning, keep sharing and go get that data!

Comments

  1. "...annot be properly interpreted without knowing the version of Windows running on the system...."

    "The sharing of new information and artifacts MUST continue and is VERY valuable to the community."

    Solid gold!

    As a reward...

    https://www.youtube.com/watch?v=eKfdZTO6dVY
