1.5. Information Artifact Types

Cyber Triage organizes data into Information Artifacts, which are a higher-level concept than something like “Prefetch”. We put “Prefetch” artifacts under the “Process” information artifact because it represents that a process ran.

You’ll see references to the following information artifacts in this manual.

  • Users: Represents activity around user accounts

    • Accounts: What accounts existed on the host

    • Inbound Logons: Local and remote logons into the host

    • Outbound Logons: Hosts that the local user logged into from this host

    • Web Artifacts: Web browser activity from the users, including downloads

    • Data Accessed: Files and documents opened by the user

  • Processes: Represents activity around processes

    • Triggered Tasks: A configuration that will launch a process based on some trigger. Examples include RunOnce keys, scheduled tasks, BITS jobs, etc.

    • Process: Evidence that a process ran, either at the time of collection or from historical data such as Prefetch or audit logs.

    • Active Network Connections: Network connections from a process to another host.

    • Listening Ports: Network ports that were opened by a process and are waiting for a connection.

  • System Configuration: Represents settings of the OS

    • OS Config Settings: Various settings of the OS that could affect audit logging or could have assisted in the attack.

    • Attached Devices: Shows what external devices were attached, such as USB drives.

More details can be found here