ArtiFast User Guide

USER GUIDE

CONTENTS

ABOUT

LAUNCH ARTIFAST
  System Requirements
  Start on Windows
  Start on MacOS/Linux

ARTIFAST CASES
  Create a New Case
    Filling Out Case Information and Add Data Source
  Opening an Existing Case
  Quick Run
  Case Information
  Log Viewer

WORKSPACE
  Evidence Tree Filter
  Views
    Timeline View
    Artifact View
    File View
    File Filter
    File Categories
    Other View Actions
  Timeline Filtering Panel
    Basic Filter
    TimeLine Filter
    Field Value Filter
    Custom Filter
    Load Filter From File
  Reporting

DQL
  Filter Types
    Text Filter
    Date Filter
    Number Filter
  Timeline DQL Filter
    Bookmarks
    Notes
    Date
    OS Name
    Category Name
    Artifact Name
    Description
    Fields
    Date Description
    Inner Fields

OTHER
  Set Language
  Style

ABOUT
ArtiFast is designed to speed up, organize and ease the digital investigation process. It is the latest
solution from Forensafe Software Solutions which can take disks, image files and folders as input to
recover artifacts. Digital evidence retrieved from different file formats such as plaintext, XML, binary,
Registry etc., will go through parsing where forensically valuable time-centric data is extracted. Not all
artifacts are the same, thus parsed entries will go through normalization which will help results to be
organized in a clear and precise way. Extracted data is saved and sorted chronologically in a database.
ArtiFast’s effective user interface provides efficient searching, filtering, coloring and reporting to digital
forensics analysts.

LAUNCH ARTIFAST
System Requirements

ITEM                  REQUIREMENT
Operating System      Windows, MacOS, Linux
Software Framework    Java SE Runtime Environment 8, 64 bits
Memory                Minimum 4GB or higher

Before you launch the software make sure the license file ArtiFast.lic is in the same folder as your
executable/jar file. To change your license, click Change License at the bottom of the window and navigate
to the new license file path.

Start on Windows

To launch ArtiFast on Windows, simply run the ArtiFast.exe file.



Start on MacOS/Linux

For these operating systems, we provide a jar file that can be run through the terminal/command prompt.
Open the terminal/command prompt and change the directory to the bin folder where the jar file is located.
Type the following command: sudo java -jar [JARFILENAME].jar. This will display the menu. To open the GUI,
append ui to the end of the command.



ARTIFAST CASES
Create a New Case

To create a new case, click the Case menu on the top left, then New.

Filling Out Case Information and Add Data Source

Fill out the information for your case such as the case name, number and description. Select the directory
where case results will be stored. Specifying a temporary directory is optional; it will be used to store files
extracted from images. At the bottom, click the “Data Source” field to add your evidence.



ArtiFast supports parsing of various evidence types. Choose to point to a folder containing the evidence
or directly to an image file.

Fill out data source information: Specify some information on your evidence source such as name and
evidence path. The Time Zone option lets you select the time zone in which the evidence is presented
in your workspace.


You can choose the options to calculate the MD5 and SHA-1 hashes of your evidence. These will be stored
later in the results database. Add a list of White/Black hashes for ArtiFast to work with in identifying
suspicious or malicious files. Ticking the Detect Encrypted Files option will calculate the entropy of each
file in the supplied evidence to determine if it is encrypted or not. Choose whether to export files by their
extensions.
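
The checks described above (MD5/SHA-1 hashing, matching against the White/Black hash lists, and entropy scoring) can be sketched as follows. This is an added example, not ArtiFast's code: the 7.5 bits-per-byte cut-off, the verdict strings and all sample contents are assumptions constructed for illustration. It also shows that a compressed file scores as high as ciphertext, so an entropy flag is a lead to verify rather than proof of encryption.

```python
import hashlib
import math
import zlib
from collections import Counter

# Assumption: cut-off in bits per byte. The guide does not state ArtiFast's threshold.
HIGH_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return sum((n / total) * math.log2(total / n) for n in Counter(data).values())


def triage(data: bytes, known_good: set, known_bad: set) -> dict:
    """Hash a file's content, check both hash lists, then score its entropy."""
    md5 = hashlib.md5(data).hexdigest().upper()
    sha1 = hashlib.sha1(data).hexdigest().upper()
    entropy = shannon_entropy(data)
    if {md5, sha1} & known_bad:
        verdict = "known-bad hash"
    elif {md5, sha1} & known_good:
        verdict = "known-good hash"
    elif entropy >= HIGH_ENTROPY_BITS:
        # Entropy alone cannot tell ciphertext from compressed data.
        verdict = "high entropy (encrypted or compressed)"
    else:
        verdict = "no flag"
    return {"md5": md5, "sha1": sha1, "entropy": round(entropy, 3), "verdict": verdict}


def constructed_evidence() -> dict:
    """Constructed sample contents; none of this comes from a real case."""
    log = "\n".join(
        f"{i} session {hashlib.sha256(str(i).encode()).hexdigest()[:12]} user{i % 13} login ok"
        for i in range(4000)
    ).encode()
    # SHA-256 output blocks stand in for ciphertext: uniformly distributed bytes.
    ciphertext_like = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
    return {
        "auth.log": log,
        "auth.log.z": zlib.compress(log, 9),   # compressed copy of the same log
        "vault.bin": ciphertext_like,
        "notes.txt": b"meeting moved to thursday\n" * 40,
        "flagged.bin": b"MZ" + b"\x00" * 510,
    }


def run_demo() -> dict:
    """Triage every constructed file against constructed hash lists."""
    files = constructed_evidence()
    known_good = {hashlib.sha1(files["auth.log"]).hexdigest().upper()}
    known_bad = {hashlib.md5(files["flagged.bin"]).hexdigest().upper()}
    return {name: triage(data, known_good, known_bad) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:12} {result['entropy']:5.3f}  {result['verdict']}")
```
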



Platform Selection: Select the operating system type you are working with; this will automatically choose
some artifacts associated with the platform. You can choose multiple operating system types at once or
choose all.

Select Artifact: ArtiFast supports over 1500 artifacts from Windows, OSX, Android and iOS systems. To parse
all of them, click the small box positioned before the input field.



Utilize the search bar to find and select specific artifacts by name.



Search by category: Select from the drop-down menu and ArtiFast will display a list of artifacts that
belong to the selected category.

Add Passwords for Some Encrypted Files: ArtiFast can decrypt the evidence from the Signal application for
both iOS and Android. Add the keyStore (Android) and keychain (iOS) passwords to do so. iPhone backups
can also be decrypted; simply add the Manifest.db password in the given field shown below.



File Artifacts Selection: You can choose to select the specific file types whose artifacts you want parsed.

Once you are done selecting the artifacts you want parsed, click the Run button at the bottom right. While
processing, ArtiFast will display the amount of time taken by the major tasks.



Opening an Existing Case

You can open an existing ArtiFast case by clicking on Case/Open and inputting or navigating to the case
file path. Click the load case button and the case will be loaded to your workspace.

Quick Run

To parse and analyze your artifacts without having to go through the process of filling out case
information, click the Case menu then Quick Run option. Note that all results related to the case are stored
temporarily and will be lost once you quit the ArtiFast software.

Start by choosing to load the evidence source from a folder or image.



You can opt to parse all artifacts or select specific ones to parse.

Tick the box above if you would like to export the files within the evidence source by their extensions.
Proceed to run.

After parsing is complete, click OK to display the results in the workspace.



Case Information

Click the Case menu at the top left corner of the window, then select the Case Information option to view
case details such as evidence location, case examiner name etc. You can also view the case statistics, which
show how long it took to process the case and how much of that time went to hashing, encryption analysis
and so on.



Log Viewer

ArtiFast provides detailed logs that can be used to investigate the reason behind any errors that may have
occurred during an action. Click the Help menu then Log viewer.



WORKSPACE
Evidence Tree Filter

This panel is used to display the entries that match the set criteria. To do so, tick the check box beside
each artifact name. You can also use the search box to search and/or select any parsed artifacts you would
like to view in your workspace.

By right clicking on the panel, you can view the actions menu. Some actions are further explained below.



Preview: view and analyze the selected artifact on an external window separate from the main workspace.

Focus: view and analyze the selected artifact in Artifact view.



To New Workspace: view and analyze selected artifacts in a separate workspace.

ArtiFast allows you to create multiple workspaces from the same case. To view more options regarding
workspace creation, right click on the workspace name (highlighted in the image above).



Create a Blank workspace which will contain the same entries as the original or click on the Using a
Keyword option which will ask you to enter a keyword ArtiFast will use to gather all related entries in your
case to create a new workspace.

Create an exact copy of your workspace with the Duplicate option. This will enable you to preserve the
state of your work in one while making more changes to the other.

Views

Parsed results can be viewed together sorted into a single timeline or as single artifacts.



Timeline View

Timeline view sorts the parsed results (those ticked) into a single timeline. You can sort the time in ascending
or descending order by clicking on the Time column head. Click on a name in the “Artifact Name” column
to navigate to a view containing all entries belonging to that specific artifact.

Artifact View

Artifact view displays the parsed results artifact by artifact. You can use the highlighted button shown
below to navigate through the selected artifacts.



File View

File View can be used to navigate through all the folders within the evidence source you provided. You can
also see the entropy of each file and the calculated hash values.

By right clicking on a file, you can view the file as text, image, audio, video, pdf, zip, or SQLite database.
Depending on the type, the file will open in the window in the rightmost side of the screen. You can extract
and save these files. Right click on the file, select Export Selected File option, and choose the path to store
the file.

Files can be filtered using the same rules as the ones defined for your artifact entries. Click the Only
Filtered Items option to apply the filter or use the filter text field provided as shown below.


File Filter

The field can be used to filter files based on their names, properties and, for some, their contents. Different
filters are separated using a space character; one filter of each type is supported. Examples of how to
use the filter:

Search File Using Name:


• name:=places.db: The file name is "places.db" (case-sensitive).
• name:places: The file name contains the word "places" (case-insensitive).
• name:r/[0-9].*(jpg|gif): The file name matches the regular expression "[0-9].*(jpg|gif)" (file names
that start with a digit and end with jpg or gif).

Search File Using Size:


• size:=10kb: The file size is exactly 10KB (equals 10,240 bytes).
• size:!=10kb: The file size is not 10KB (not 10,240 bytes).
• size:>1mb: The file size is greater than 1MB.
• size:>=1mb: The file size is greater than or equal to 1MB.
• size:<1mb: The file size is less than 1MB.
• size:<=1mb: The file size is less than or equal to 1MB.
• size:100MB~1gb: The file size is between 100MB and 1GB (both 100MB and 1GB are included).



Search File Using Path:
• path:=/vol1: The file path is "/vol1" (case-sensitive).
• path:windows/system32: The file path contains "windows/system32" (case-insensitive).
• path:r/.*/My\sPictures/.*jpg: The file path matches the regular expression ".*/My\sPictures/.*jpg"
(path of jpg files under any user's Pictures directory).

Search File Using MD5:


• md5:=211C77B4F519BF78C0C0CACA98D8E0C2: The file's MD5 hash is
"211C77B4F519BF78C0C0CACA98D8E0C2".

Search File Using SHA-1:


• sha1:=B7B0E0DBB8D4E512089C02588D0B430E8F70EFBE: The file's SHA-1 hash is
"B7B0E0DBB8D4E512089C02588D0B430E8F70EFBE".

Search File Using Deleted Status:


• deleted:yes or deleted:true: The file is deleted.
• deleted:no or deleted:false: The file is not deleted.
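
The filter forms listed in this section, evaluated against a few file records. This is an added example, not ArtiFast's implementation; the record layout and sample files are constructed, and it assumes that space-separated filters must all match, that a regular expression must match the whole value, that a size without a unit is in bytes, and that hash comparison ignores letter case.

```python
import re

UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text: str) -> int:
    """'10kb' -> 10240 bytes; units are case-insensitive powers of 1024."""
    m = re.fullmatch(r"(\d+)(b|kb|mb|gb)?", text.lower())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "b"]  # assumption: bare number = bytes


def match_text(expr: str, value: str) -> bool:
    """name:/path: forms: '=exact', 'r/regex', or case-insensitive substring."""
    if expr.startswith("="):
        return value == expr[1:]
    if expr.startswith("r/"):
        return re.fullmatch(expr[2:], value) is not None  # assumption: whole value matches
    return expr.lower() in value.lower()


def match_size(expr: str, size: int) -> bool:
    """size: forms: '=', '!=', '>', '>=', '<', '<=' and the inclusive 'low~high' range."""
    if "~" in expr:
        low, high = (parse_size(part) for part in expr.split("~", 1))
        return low <= size <= high
    for op in (">=", "<=", "!=", ">", "<", "="):  # two-character operators first
        if expr.startswith(op):
            bound = parse_size(expr[len(op):])
            return {">=": size >= bound, "<=": size <= bound, "!=": size != bound,
                    ">": size > bound, "<": size < bound, "=": size == bound}[op]
    raise ValueError(f"bad size filter: {expr!r}")


def match_file(filter_text: str, rec: dict) -> bool:
    """True when the record satisfies every space-separated filter (assumed AND)."""
    seen = set()
    for term in filter_text.split():
        key, sep, expr = term.partition(":")
        if not sep or key in seen:  # the guide allows one filter of each type
            raise ValueError(f"malformed or repeated filter: {term!r}")
        seen.add(key)
        if key in ("name", "path"):
            ok = match_text(expr, rec[key])
        elif key == "size":
            ok = match_size(expr, rec["size"])
        elif key in ("md5", "sha1") and expr.startswith("="):
            ok = rec[key].upper() == expr[1:].upper()
        elif key == "deleted" and expr.lower() in ("yes", "true", "no", "false"):
            ok = rec["deleted"] == (expr.lower() in ("yes", "true"))
        else:
            raise ValueError(f"unsupported filter: {term!r}")
        if not ok:
            return False
    return True


MB = 1024 ** 2
# Constructed file records; the hash values are placeholders, not real digests.
FILES = [
    {"name": "places.db", "path": "/vol1/Users/alice/AppData/places.db",
     "size": 10 * 1024, "md5": "A" * 32, "sha1": "A" * 40, "deleted": False},
    {"name": "Places.db-wal", "path": "/vol1/Users/alice/AppData/Places.db-wal",
     "size": 2 * MB, "md5": "B" * 32, "sha1": "B" * 40, "deleted": False},
    {"name": "2021-holiday.jpg", "path": "/vol1/Users/alice/My Pictures/2021-holiday.jpg",
     "size": 1 * MB, "md5": "C" * 32, "sha1": "C" * 40, "deleted": True},
    {"name": "banner.gif", "path": "/vol1/Windows/System32/banner.gif",
     "size": 100 * MB, "md5": "D" * 32, "sha1": "D" * 40, "deleted": False},
]


def select(filter_text: str, files=FILES) -> list:
    """Names of the records that pass the filter, in input order."""
    return [f["name"] for f in files if match_file(filter_text, f)]


if __name__ == "__main__":
    for query in ("name:places", "size:100MB~1gb", r"path:r/.*/My\sPictures/.*jpg deleted:yes"):
        print(f"{query!r:50} -> {select(query)}")
```

The path example on this page writes the space in "My Pictures" as \s because a literal space would end the filter and start a new one.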

File Categories

Displays all files within the evidence source sorted into categories based on their types. You can carry out
the same actions as the files view.



Other View Actions

You can perform multiple other actions in your workspace such as:

Rearranging columns: Drag and drop columns from their headers to different positions within the
workspace.

Add and remove columns: Click on the + sign to view the list of columns, where you can choose to add and
remove any column of choice.



View entry in detail: Each entry is displayed in detail on the rightmost section of the screen. There are 3
sections which are listed below.

Timeline fields section displays the artifact entry properties. Fields include the artifact name, the category
it belongs to, the data source and a date field accompanied with its description if available.

Inner fields section displays the main entry properties parsed from the evidence source.

Field Contents will display any selected field, making it easier to read.



Artifact coloring: You can highlight specific entries of your choice based on the file type. Right click any
cell to reveal a menu and click the artifact coloring option.

Select the file type you want to filter, choose the font and background you would like the entries in, then
click Apply then Save. You can clear all colorings, load your preferred colors from file and save the colors
to a local file for later use.



Quick Time Filtering: selecting one of the presented options will filter the entries accordingly. This filter
can be cleared with the Clear quick time filter option.



Bookmark Filtering: view and work with only items that have been bookmarked in your workspace.

Hide Timeless Entries: Hide any entry without a date/time in the main time field.

Extract Source: extract the source file of a specific artifact entry. Right click on the entry and select the
Extract source option. Specify the path to save the extracted file.

View Source: this option will take you to the file view, where the file or folder from which the selected
artifact entry was parsed can be accessed.

Timeline Filtering Panel

ArtiFast offers an easy to use filtering panel that can ease the search for important data within the parsed
results. Select the artifacts you would like to work with in the evidence tree filter. You can quickly search
through the entries with the search bar above the workspace or, for a more detailed search, click on the
timeline filtering panel button. You can add multiple filters, and edit or remove pre-existing filters.



Click the + button to display the filter type options.

Basic Filter

Start by selecting what you want ArtiFast to base its search on: the case, category, evidence,
OS or artifact.



Case/Evidence: this will return the results where the case/evidence is equal to or not equal to the selected
case/evidence.

Category/Artifact/OS: a list of options based on the selected option will be displayed, e.g. the category
option will give you a list that you can choose from such as Antivirus, Cloud, Emails etc. Tick the ones you
would like to filter.

Select the condition you would like ArtiFast to apply. The starts with, ends with, contains, is like, and is
not like conditions require a string. Equals and Not equals will list the fields based on your initial choice
in the first drop down menu, which you can tick.



TimeLine Filter

This filters the details within the artifact entry. Choose the column you want the filter to search through
and select the condition to apply.

The date option can be valuable in retrieving parsed data of the evidence based on the date and time of
occurrence.



Field Value Filter

Filter your result entries based on the selected field within the selected artifact or data source type.

Choose from the drop-down menu.

The fields from that specific artifact will be displayed, select your field of choice, then proceed to choose
the condition you would like to apply.



Custom Filter

The feature uses Doctrine Query Language (DQL). Input your query in the filter text field and click Apply to
see the results.



Load Filter From File

Create a dictionary with each item in a single line and save it as a text file. Click the Options button at the
top right corner of the window and select the Load From File option. Navigate to the location of your
dictionary and open.

Reporting

In ArtiFast, you can generate a report which will include the actions you have carried out, such as the
information filled before running the case, the filtered data etc.



Scope: choose to have your report generated in timeline or Artifact view. In timeline a single report
containing selected artifacts in a sorted timeline will be generated. In Artifact view a different report is
generated for each selected artifact.

Language: ArtiFast supports generating case reports in English.

Type: ArtiFast supports 12 report types.

Location: select where the generated report will be stored.

Click Generate.



DQL
Filter Types
A DQL filter can be one of three types: text, date, or number. Different filters can be nested using the
keyword AND or OR.

Text Filter

Text filters are used to filter fields with the text data type. Text filter values should be inserted between
single quote marks. Text filter operators are:

• EQUAL =
• NOT EQUAL !=
• LIKE LIKE
• NOT LIKE NOT LIKE
• REGULAR EXPRESSION REGEXP

Examples:

xyz = 'Hello'

xyz LIKE '%downloads%'

Date Filter

Date filters are used to filter fields with the date data type. Date filter values should start with the letter
d and be inserted between single quote marks: d'value'. Date filter operators are:

• BEFORE <
• BEFORE OR EQUAL <=
• EQUAL =
• NOT EQUAL !=
• AFTER >
• AFTER OR EQUAL >=
• BETWEEN BETWEEN
• NOT BETWEEN NOT BETWEEN

Dates can be written in four different forms:

• Date Only yyyy-MM-dd
• Date, hours, and minutes yyyy-MM-dd HH:mm
• Date and time yyyy-MM-dd HH:mm:ss
• Date and time with milliseconds yyyy-MM-dd HH:mm:ss.SSS

Examples:

date = d'2022-01-01'

date > d'2022-01-07 03:14:15'

date BETWEEN d'2020-01-01' AND d'2022-01-01'

Number Filter

Number filters are used to filter fields with number data type. Number filter operators are:

• LESS THAN <
• LESS THAN OR EQUAL <=
• EQUAL =
• NOT EQUAL !=
• GREATER THAN >
• GREATER THAN OR EQUAL >=
• BETWEEN BETWEEN
• NOT BETWEEN NOT BETWEEN

Examples:

xyz != 42

xyz <= 314

xyz BETWEEN 42 AND 314



Timeline DQL Filter

Bookmarks

Type: number

Keyword: bookmark

Bookmarks are given values between 0 and 7 depending on the importance. Examples:

All Bookmarked Entries:

bookmark != 0

Level 7 Bookmarks Only:

bookmark = 7

Notes

Type: text

Keyword: note

Examples:

All Notes:

note != ''

Note Like:

note LIKE '%important%'

Date

Type: date

Keyword: date

This filter is applied on all timeline entries using their default date fields. Examples:



Date Equals:

date = d'2020-01-01 22:10:00'

Date After:

date > d'2020-01-01 22:10'

Date Before:

date < d'2020-01-01 22:10:00'

Date Doesn’t Equal:

date != d'2020-01-01 22:10:00.555'

OS Name

Type: text

Keyword: "os name"

Examples:

Android OS:

"os name" = 'Android'

All Except Windows:

"os name" != 'Windows'

Category Name

Type: text

Keyword: "category name"

Examples:

Cloud Category:

"category name" = 'Cloud'



All Except Web Activity:

"category name" != 'Web Activity'

Artifact Name

Type: text

Keyword: "artifact name"

Examples:

All iOS LINE Artifacts:

"artifact name" LIKE 'iOS LINE%'

Only Prefetch Artifact:

"artifact name" = 'Prefetch'

Description

Type: text

Keyword: description

This filter can be used to filter timeline entries from all artifacts based on the ‘description’ column.
Examples:

Description LIKE:

description LIKE '%john%'

Description NOT LIKE:

description NOT LIKE '%doe%'

Fields

Type: text

Keyword: fields

This filter can be used to filter timeline entries from all artifacts based on the ‘fields’ column. Examples:



Fields LIKE:

fields LIKE '%google.com%'

Fields NOT LIKE:

fields NOT LIKE '%dropbox%'

Date Description

Type: text

Keyword: date_description

This filter can be used to filter timeline entries from all artifacts based on their date description.
Examples:

Date Description LIKE:

date_description LIKE '%last update%'

Date Description Matches a Regular Expression:

date_description REGEXP 'Last.*Time'

Inner Fields

Type: Depends on the field

Keyword: #"field_name"

This filter can be used to filter timeline entries from all artifacts based on a specific field value. Filter type
can be any of the types mentioned earlier based on the field type. A # should be used at the beginning
and the field name should be inserted between double quotations. Examples:

URL LIKE (Text Type):

#"URL" LIKE '%youtube.com%'

File Size (Number Type):

#"File Size" > 1024



Download Start Date (Date Type):

#"Download Start Date" < d'2021-09-03 00:00'



OTHER
Set Language

By default, the ArtiFast language is set to English. You can choose to set it to German by clicking Settings
then Set Language.

Style

Change the background color of ArtiFast by clicking on Settings then Style, a list of available color options
will be displayed. Select your preferred option.
