UMGC DFCS 605 Unit 4 - Lab Metadata and File Artifacts During digital forensic investigations, it is frequently necessary to recover multiple artifacts surrounding an event to tell a more comprehensive story. These artifacts may be maintained by the file system, by the operating system, and by applications. NTFS is the file system created by Microsoft to work with Windows. Within NTFS' Master File Table, there is metadata describing the files stored on the system including but not limited to the file's name, timestamps, file ownership, and DOS attributes. The Windows operating system stores artifacts in a number of locations including within directories and the Windows Registry. The Registry contains information that Windows continually references during its operation, such as profiles for each user, the applications installed on the computer and the types of documents that each can create, property sheet settings for folders and application icons, what hardware exists on the system, and the ports that are being used. Examining the Master File Table, Windows Registry, and various directories will reveal relevant artifacts during a forensic examination. After recovering the artifacts, the digital forensic examiner will need to interpret the findings and explain their relation and significance. This is