Google Docs - file exfiltration help

3 Posts
2 Users
0 Likes
587 Views
(@outdoorslover)
Posts: 12
Active Member
Topic starter
 

All,

I'm doing a review of someone's computer, a Windows 7 Enterprise system, using Magnet Forensics' Axiom and EnCase 8.04. I see a lot of Google Drive activity across multiple days, using Google Chrome as the browser. Looking at the various Jump Lists, LNK files, and Shellbags, I don't see any evidence of anything. Any suggestions on where else I should look for evidence of file movement?

I used to be very well versed in this sort of stuff, but alas I don't have the opportunity to examine computers as often as I need to, to be able to remember all that I've forgotten.

Thanks!

 
Posted : 18/04/2017 4:08 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Well, since it all goes through Chrome, you won't find any file system artifacts.

The only indicators you would see traces of are in the browser, client firewall logs, network traffic (pcaps), and possibly the account, if you could access it and do a comparison.

 
Posted : 18/04/2017 5:02 pm
(@outdoorslover)
Posts: 12
Active Member
Topic starter
 

Well, since it all goes through Chrome, you won't find any file system artifacts.

The only indicators you would see traces of are in the browser, client firewall logs, network traffic (pcaps), and possibly the account, if you could access it and do a comparison.

MDCR,

Yep, that was my fear. I see lots of stuff from the browser, but nothing to indicate which, if any, files were uploaded. I was hoping that whatever files had been uploaded had been "touched" (accessed) at the same time, and to be able to see them in the $MFT, $DATA or somewhere.

Thanks.

 
Posted : 18/04/2017 7:07 pm
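Added example, not part of the original thread: one way to turn the browser traces mentioned above into a timeline of Google Drive/Docs visits from a working copy of Chrome's History SQLite database, and to list files whose timestamps fall close to a visit. The sample database, the file names and times, the two-minute window and the helper names are all constructed for illustration; a real History file has more columns than the ones created here.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}

def webkit_to_utc(us):
    # Chrome stores visit_time as microseconds since 1601-01-01 UTC.
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def drive_visits(conn):
    # Every visit to a Drive/Docs host as (utc_time, url, title), oldest first.
    rows = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(webkit_to_utc(ts), url, title) for ts, url, title in rows
            if (urlsplit(url).hostname or "") in DRIVE_HOSTS]

def files_near_visits(visits, file_times, window=timedelta(minutes=2)):
    # Files whose timestamp lies within `window` of a Drive visit: leads, not proof.
    hits = []
    for name, t in sorted(file_times.items()):
        near = [v for v in visits if abs(t - v[0]) <= window]
        if near:
            hits.append((name, near[0][0], near[0][1]))
    return hits

def build_sample_history():
    # Constructed stand-in for a copy of the History file (queried columns only).
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    day = datetime(2017, 4, 10, tzinfo=timezone.utc)
    sample = [  # (url, title, visit time), all constructed
        ("https://drive.google.com/drive/my-drive", "My Drive - Google Drive",
         day.replace(hour=14, minute=2, second=10)),
        ("https://docs.google.com/document/d/EXAMPLE/edit", "budget - Google Docs",
         day.replace(hour=14, minute=5, second=30)),
        ("https://example.com/", "Example", day.replace(hour=14, minute=10)),
    ]
    for i, (url, title, when) in enumerate(sample, 1):
        conn.execute("INSERT INTO urls VALUES (?,?,?)", (i, url, title))
        conn.execute("INSERT INTO visits VALUES (?,?,?)", (i, i, utc_to_webkit(when)))
    return conn
```

For a real case, pass `sqlite3.connect()` the path of an exported copy of the profile's History file instead of calling `build_sample_history()`. Windows 7 does not update NTFS last-access times by default, so the file times fed to `files_near_visits` will usually be created or modified times rather than accessed times.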