In a digital forensic examination, identifying and collecting general information about the system(s) under investigation is essential. One of the basic information to identify during an examination is the device or computer name. In Windows systems, the computer name is maintained in the System hive within the ComputerName key.
During an examination, it is important to include the computer name as part of the overall examination documentation. This information is particularly important when examining multiple systems as it can help in tracking and correlating system(s) under investigation.
Computer Name artifact is stored within the SYSTEM hive at SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
The ComputerName key contains two subkeys, ActiveComputerName and ComputerName. Both keys usually store the
same value (computer name). However, the difference between these two keys can be observed when changing the
name of the computer from the control panel. The new name will be stored in the ComputerName key whereas the
ActiveComputername key will contain the old name. After rebooting the computer, ActiveComputerName value
will be updated to the new name as well. Thus, both keys will contain the new name.
This section discusses how to use ArtiFast Windows to analyze Computer Name artifact from Windows
machines and what kind of digital forensics insight we can gain from the artifact.
After you have created your case and added evidence for the investigation, at the Artifacts Selection phase, you can select Computer Name artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of Computer Name artifact in ArtiFast Windows.
Computer Name Artifact
For more information or suggestions please contact: email@example.com