Evidence of attempt to access Windows shared drive

6 Posts
6 Users
0 Likes
484 Views
(@aclark)
Posts: 1
New Member
Topic starter
 

I need to prove someone attempted to access a shared drive via Windows Explorer. Please note that the share IP address is non-existent so it would never be successful. So far I have checked the TypedURLs reg key, the RunMRU reg key, the IE history, and Windows event logs. I have found nothing and am wondering where the evidence is on a Windows 7 Enterprise system for failed shared drive attempts. Thanks in advance for any help.

 
Posted : 06/11/2016 5:51 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Shellbags?

http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

jaclaz

 
Posted : 06/11/2016 4:29 pm
(@cults14)
Posts: 367
Reputable Member
 

Do you know why the attempt failed?

 
Posted : 15/11/2016 9:29 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

I know of no artifact - if the connection attempt would always fail.

To be certain I would do a test and snapshot your system.

Depending on your logging, you may find activity in your event logs.

 
Posted : 17/11/2016 2:45 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> I know of no artifact - if the connection attempt would always fail.
>
> To be certain I would do a test and snapshot your system.
>
> Depending on your logging, you may find activity in your event logs.

This is interesting…I'm curious as to what level of logging would need to be in place, and then what evidence would there be of the attempt?

Thanks.

 
Posted : 03/12/2016 12:50 am
(@the-game)
Posts: 22
Eminent Member
 

Hi Folks,

Just a thought: event log, or maybe if there is some kind of monitoring for the network log.
If it's only one attempt then it won't be flagged by SIEM, but if there is a continuous request for something which is not present, it must get flagged.

 
Posted : 05/12/2016 8:00 pm