where is the downloaded pdf file?
where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 9:17 am

I am trying to determine where the pdf file is that I see downloaded by a user by viewing their IE history. Log shows: c:\users\<userprofile>\AppData\Local\Microsoft\Windows\TemporaryInternetFiles\Low\Content.IE5\<IECreatedTempFolder>\<nameoffile>.pdf

I used a forensic tool to search for this specific file and ntuser.dat shows the above, however I cannot find the actual file. I searched registry keys for MRU, UserAssist, etc. entries but nothing found. So what happened? Was the user able to open the file and was malware executed?

digitalcoroner
Member
Re: where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 9:33 am

- digitalcoroner
So what happened? Was the user able to open the file and was malware executed?

It is possible that it was a self-deleting (malware) file.

What do you mean with:
however I cannot find the actual file.

How exactly were you looking for it?
(with which tools, exactly how)

It seems like you were looking for traces of it in logs and Registry, but what about the actual filesystem?


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
Re: where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 9:55 am

Search was performed using xways (keywords were the malicious domain and pdf file). Xways searches everything (filesystem, etc.).

digitalcoroner
Member
Re: where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 10:05 am

- digitalcoroner
Search was performed using xways (keywords were the malicious domain and pdf file). Xways searches everything (filesystem, etc.).

Then, try recovering each and every .pdf file in the filesystem, the particular file could have been renamed, moved and what not.

If the file was downloaded and the internet source address is still available, download a copy of it and use its contents to get new "keywords" for a new search on the filesystem.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
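As an added illustration of the suggestion above (recover every PDF on the filesystem, since the file may have been renamed or moved), here is a small Python example that is not code from the thread or from X-Ways: it identifies PDF bodies by their `%PDF-` signature rather than by extension, both across a directory tree and inside a raw byte blob standing in for unallocated space. The directory layout, file names and byte content are constructed sample data; the `%%EOF` trailer is used as the carve end marker, which under-reads PDFs with incremental updates (they carry several trailers), so the carved lengths are a lower bound.

```python
"""Locate PDF content by signature instead of by file name or extension."""
import os
import re
import tempfile

# A PDF body opens with a "%PDF-1.x" header and closes with "%%EOF".
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_EOF = b"%%EOF"


def carve_pdfs(blob: bytes):
    """Carve PDF bodies out of raw bytes (e.g. an unallocated-space dump).

    Returns (offset, length, complete) tuples. `complete` is False when a
    header is followed by another header, or by nothing, before any trailer:
    that is what a partially overwritten file looks like.
    """
    found = []
    pos = 0
    while True:
        m = PDF_HEADER.search(blob, pos)
        if not m:
            break
        start = m.start()
        next_hdr = PDF_HEADER.search(blob, m.end())
        end = blob.find(PDF_EOF, start)
        if next_hdr and (end == -1 or next_hdr.start() < end):
            # Another header appears before any trailer: this body was cut off.
            found.append((start, next_hdr.start() - start, False))
            pos = next_hdr.start()
            continue
        if end == -1:
            # Header with no trailer at all: report the remaining bytes.
            found.append((start, len(blob) - start, False))
            break
        end += len(PDF_EOF)
        found.append((start, end - start, True))
        pos = end
    return found


def find_pdfs_by_signature(root: str):
    """Walk a tree and return (relative) paths whose content starts with %PDF-,
    whatever the extension says."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(5)
            except OSError:
                continue
            if head == b"%PDF-":
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def fake_pdf(label: bytes) -> bytes:
    """Constructed minimal PDF-like body used only as sample data."""
    return b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%" + label + b"\n%%EOF"


def build_sample_tree() -> str:
    """Constructed sample: a cached pdf, a renamed pdf and a plain text file.
    The folder names imitate the IE cache layout but are made up here."""
    root = tempfile.mkdtemp(prefix="pdf_hunt_")
    cache = os.path.join(root, "Low", "Content.IE5", "ABCD1234")
    os.makedirs(cache)
    samples = {
        os.path.join(cache, "invoice[1].pdf"): fake_pdf(b"one"),
        os.path.join(cache, "readme.txt"): b"plain text, not a pdf\n",
        os.path.join(root, "report.dat"): fake_pdf(b"renamed"),  # .pdf renamed to .dat
    }
    for path, body in samples.items():
        with open(path, "wb") as fh:
            fh.write(body)
    return root


# Constructed stand-in for unallocated clusters: one intact deleted PDF,
# one header whose body was overwritten, then another intact PDF.
UNALLOCATED = (
    b"\x00" * 16 + fake_pdf(b"deleted") + b"\x00" * 8
    + b"%PDF-1.4\n1 0 obj<<" + b"\x00" * 8
    + fake_pdf(b"second")
)

if __name__ == "__main__":
    root = build_sample_tree()
    print("by signature:", find_pdfs_by_signature(root))
    for off, length, complete in carve_pdfs(UNALLOCATED):
        print(f"carved @ {off:#x} len={length} complete={complete}")
```

The walk reports `report.dat` alongside the cached `invoice[1].pdf`, which a keyword search on the original file name would miss; the carver shows why a hit on the header alone is not proof the body survived.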
Re: where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 10:20 am

I did try to go to the site but it's no longer available.

Thanks.  

digitalcoroner
Member
Re: where is the downloaded pdf file?

Posted: Wed Dec 05, 2012 2:09 pm

Have you searched for active and deleted link files, evidence of local file accesses in Internet History (file:///) entries, as well as Registry MRUs to see if there are any other traces of the file?

I see that you have posted that the file is listed as being located in Temporary Internet Files, but could it be possible that the file was never cached to TIF, and maybe only viewed? It would seem that if the file is actually listed as a file in TIF that it would be cached to disk, but maybe that isn't an absolute rule and some testing may be in order to determine this.

It could also have been downloaded, later deleted, and then overwritten (either by pure happenstance or purposefully with a file wiping tool that also cleans up MFT entries).

Just a couple of thoughts to help.

Tim Moniot  

timbo4664
Newbie
Re: where is the downloaded pdf file?

Posted: Thu Dec 06, 2012 5:03 am

Yes, I believe it may have only been viewed. If it were cached would it still be located in TIF? What setting determines if a file is cached (kept) or not? The folder the pdf file was downloaded to in TIF is still there and contains other files, but this specific pdf file is not there.

I did look for link files, UserAssist, MRU, etc. and found no indication of the file being opened. I know that some malware methodologies involve deleting downloaded files after the malware was dropped. Perhaps this pdf contained script to download malware, but I don't see any indicators that malware was dropped.

Thank you.  

digitalcoroner
Member