Forensic Lab: Artifact Deep Dives
The Forensic Lab is the technical core of the Hermes Codex. Here, we dissect the traces left by OS operations and user activities to build undeniable evidence timelines.
Windows Execution Artifacts
Amcache & RecentFileCache: Identifying binary identity and SHA1 hashes.
Shimcache (AppCompatCache): Tracking long-term executable metadata.
Prefetch (.pf): Proving binary execution and timing.
SRUM: Tracking historical network activity, data exfiltration, and process attribution.
User Activity & Navigation
Shellbags: Reconstructing folder navigation history.
Jumplists: Analyzing application-specific user interactions.
BAM (Background Activity Moderator): Tracking execution across system reboots.
Windows MRU (Most Recently Used) Lists: Following direct user interaction with the graphical interface or file system.