DFIR Training Blog



The Forensic Artifact Database

First the bad news

I’m re-doing the database and starting from scratch.

Now the good news

It will be so much better than I originally planned.

The intention of the artifact database

The forensic artifact database is not intended to get into the weeds of forensics. Some aspects may be detailed, but generally, this database is not going to replicate that which has already been done elsewhere and everywhere else.

With that, the database is intended to point you in the right direction to what you are looking for, quickly and easily.  As an example, each category will have topics that will give you a broad overview of the artifact, training resources, software, published resources (books and papers), videos, and other direct links to citations that you can use. It's like Google, but faster, and curated specifically for each artifact. And cross-referenced as needed with other artifacts, operating systems, and forensic software apps.

Another intention is to spark ideas for your analysis. By clearly listing artifacts, the database may give you ideas on things you may have forgotten or didn’t know, simply by entering search terms for what you need, such as searching for “USB” or “network connections”.

When will it be done?

Good question. The best answer is that it will never be completely done as artifacts will be added as they are discovered and published. It’s a living database. But you probably want to know when it will be done enough to be useful…I suspect it may be a few months before there is enough content in the database to cover the basics of what you need.


If you see something wrong with the content, or have something to suggest to make it better, I am one big ear to listen. That’s my goal: make it easy for you to use and worthwhile.

How much is this going to cost you?

Nothing. Nada. Zip. I’m making it for the DFIR community to use. No strings attached.


Written by: Brett Shavers
