The Legal Review series answers questions often posed about evidence with high-level descriptions of forensic artifacts.
What programs were run on the machine? This is a common question that is relevant in most investigations. Application execution gives insight into the normal usage of a particular computer. Just as importantly, examining forensic artifacts associated with application usage can also reveal abnormal behavior. Knowing what a user did regularly or even immediately leading up to their departure from a company can be telling. Did they use a wiping utility to cover their tracks? Did they use cloud software to extract intellectual property? For our purposes, we will discuss this in the context of Windows operating systems and the prefetch and userassist artifacts.