Registry Indications of data offloading?

(@daddio)
Posts: 3
New Member
Topic starter
 

Hello everyone, I am hoping someone can give me some advice on this. I am looking at 2 Windows 7 PCs to see if they have offloaded data (to a USB, to the cloud or to a website) and haven't worked with the Registry very much, but I know it will tell me what was or was not done. I've looked in the USBStor, USB and MountedDevices keys, but those only seem to show half of the story.
So my question is: can anyone advise me what keys I need to combine with these to know if any offloading occurred? Is there a specific network key or internet key that would show it?
Any advice or assistance is greatly, greatly appreciated!

 
Posted : 15/04/2017 8:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am looking at 2 Windows 7 PCs to see if they have offloaded data (to a USB, to the cloud or to a website)…

I've looked in the USBStor, USB and MountedDevices keys, but those only seem to show half of the story.

…can anyone advise me what keys I need to combine with these to know if any offloading occurred? Is there a specific network key or internet key that would show it?
Any advice or assistance is greatly, greatly appreciated!

First off, thanks for sharing the version of Windows you're looking at…that makes a pretty significant difference.

So, if you're looking for "data offload", I'm going to share what I would look for if I were looking for data exfil, either with or without the knowledge of the user.

With respect to USB storage devices, in addition to the USBStor key, you should also correlate data from the MountedDevices key (System hive), as well as the EMDMgmt and Portable Devices keys (Software hive). Also be sure to check the DriverFrameworks-UserMode Event Log.

Even if you create a mapping of devices, this doesn't necessarily illustrate the movement of data…for the most part, this is not something that's recorded in the Registry, if at all. However, you can check for indications that such things may have occurred. For example, if you map out the files on the system, and find a recent shortcut or entry in a JumpList for a file of the same name, but found on a USB device, I'd look to mapping/correlating time stamps.

For process execution:
Check the user's browser history. If the browser used was IE10+, there are some great tools available for parsing this information. If Chrome, I'd recommend Hindsight. Also, don't forget to check the history of the Network and Local Service accounts…if something is running with System-level privileges, you won't find it in a user's profile.

Check the AppCompatCache and AmCache.hve (if there is one) entries that may indicate the execution of suspicious files.

For actual data exfil, check the BITS Client Event Log file for indications of file uploads, and the TaskScheduler Event Log for suspicious Scheduled Tasks.

Check the OBJECTS.DATA file for indications of embedded scripts, as well as CCM_RecentlyUsedApps entries.

 
Posted : 16/04/2017 6:08 pm
(@daddio)
Posts: 3
New Member
Topic starter
 

Thank you so much keydet89! Your response is gratefully appreciated! This is such very good and valuable advice, and I intend to put your suggestions to use immediately!

 
Posted : 17/04/2017 10:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also (though not Registry related) don't forget setupapi.dev.log
https://www.magnetforensics.com/computer-forensics/how-to-analyze-usb-device-history-in-windows/

The setupapi log (ROOT\Windows\inf\setupapi.dev.log for Windows Vista/7/8) (ROOT\Windows\setupapi.log for Windows XP). Searching for the serial number in this file will provide investigators with information on when the device was first connected to the system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article which are stored in UTC, the setupapi.log stores its data in the system's local time and must be converted to UTC to correctly match any timeline analysis being performed by the investigator.

and MTP devices …

jaclaz

 
Posted : 17/04/2017 10:49 pm
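Two points from the replies above lend themselves to a small script: setupapi.dev.log stamps are in local time and must be shifted to UTC before they can sit on a timeline with other artefacts (jaclaz's quote), and a device's first-install time is only useful once correlated with timestamps from file artefacts such as LNK or JumpList entries (keydet89's advice). The following is an added example, not code from the thread or from any tool named in it. It parses a constructed fragment in the real setupapi.dev.log section layout, attaches an assumed local zone of UTC-4, extracts USB storage serials, and flags constructed file-access records on non-fixed drives that fall within a window after a device's first install. The zone offset, the sample log lines, the file-access records and the "C: is the only fixed drive" rule are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# ASSUMPTION (constructed): the examined machine's clock ran at UTC-4.
LOCAL_TZ = timezone(timedelta(hours=-4))

# Constructed sample in the setupapi.dev.log section layout; not from any case.
SETUPAPI_SAMPLE = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001230405117313]
>>>  Section start 2017/04/15 20:02:11.123
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2017/04/15 20:02:12.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001230405117313&0]
>>>  Section start 2017/04/15 20:02:13.001
<<<  Section end 2017/04/15 20:02:14.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_1E31\\3&11583659&0&A0]
>>>  Section start 2017/04/10 09:15:00.000
<<<  Section end 2017/04/10 09:15:02.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END_RE = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def local_to_utc(stamp, local_tz=LOCAL_TZ):
    """The log stamps carry no zone: attach the machine's local zone, then
    convert, so they line up with artefacts that are already stored in UTC."""
    naive = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S.%f")
    return naive.replace(tzinfo=local_tz).astimezone(timezone.utc)


def parse_setupapi(text, local_tz=LOCAL_TZ):
    """Return one dict per 'Device Install' section: devid, start_utc, end_utc."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"devid": m.group("devid")}
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["start_utc"] = local_to_utc(m.group("ts"), local_tz)
            continue
        m = END_RE.match(line)
        if m:
            current["end_utc"] = local_to_utc(m.group("ts"), local_tz)
            sections.append(current)
            current = None
    return sections


def usb_storage_serials(sections):
    """Map each USB serial to its earliest install start (UTC).
    The serial is the last path element of the device ID; USBSTOR appends '&0'.
    A serial whose second character is '&' was generated by Windows rather than
    read from the device, so it cannot be matched to the same stick elsewhere."""
    first_seen = {}
    for s in sections:
        devid = s["devid"]
        if not devid.upper().startswith(("USB\\", "USBSTOR\\")):
            continue
        serial = devid.rsplit("\\", 1)[1]
        if serial.endswith("&0"):
            serial = serial[:-2]
        entry = first_seen.setdefault(serial, {
            "first_install_utc": s["start_utc"],
            "windows_generated": len(serial) > 1 and serial[1] == "&",
        })
        entry["first_install_utc"] = min(entry["first_install_utc"], s["start_utc"])
    return first_seen


# Constructed file-access records (as produced by LNK/JumpList parsing), in UTC.
FILE_ACCESS_SAMPLE = [
    {"path": "E:\\Top_Secret_M&A_Plans.xlsx", "accessed_utc": "2017-04-16T00:05:30+00:00"},
    {"path": "C:\\Users\\user\\Desktop\\notes.txt", "accessed_utc": "2017-04-16T00:06:00+00:00"},
    {"path": "E:\\old_report.docx", "accessed_utc": "2017-04-01T10:00:00+00:00"},
]


def accesses_after_usb_install(records, serials, window=timedelta(hours=24), fixed_drives=("C:",)):
    """Triage heuristic (assumption: only fixed_drives are internal volumes):
    flag accesses on other drive letters that fall within `window` after some
    USB storage device's first install. setupapi records installation, not
    every later plug-in, so a hit is a lead to confirm against MountedDevices,
    event logs and volume serials, not proof on its own."""
    hits = []
    for rec in records:
        if rec["path"][:2].upper() in fixed_drives:
            continue
        accessed = datetime.fromisoformat(rec["accessed_utc"])
        for serial, info in serials.items():
            delta = accessed - info["first_install_utc"]
            if timedelta(0) <= delta <= window:
                hits.append((rec["path"], serial, delta))
    return hits


if __name__ == "__main__":
    serials = usb_storage_serials(parse_setupapi(SETUPAPI_SAMPLE))
    for serial, info in serials.items():
        print(serial, "first installed", info["first_install_utc"].isoformat())
    for path, serial, delta in accesses_after_usb_install(FILE_ACCESS_SAMPLE, serials):
        print(f"{path} accessed {delta} after first install of {serial}")
```

In the constructed data the spreadsheet on E: is flagged because it was opened a few minutes after the stick's first install, the E: access from two weeks earlier is not (no USB storage device had been installed yet), and the C: file is skipped. On a real image the window and the fixed-drive list need setting from the case, and the local zone must be the one the examined machine was actually using on each date, including DST changes.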
(@cults14)
Posts: 367
Reputable Member
 

For actual data exfil, ……………

What is meant by actual data exfil? As opposed to evidence of (let's assume, as it happens) accessing business files on media which is not the property of the organisation which holds the rights to the IP inherent in those files?

Which is a long way round of saying that if a "suspect" can be shown (for example via JumpLists correlated to other artefacts) to be accessing "Top_Secret_M&A_Plans.xlsx" on an external drive not owned by the company, isn't that data exfiltration?

I'm just asking as I've not understood for long enough why this wouldn't count as data exfiltration, and at long last decided to ask :)

 
Posted : 24/04/2017 9:00 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Daddio,

It would be helpful to know what forensic analysis tools you have at your disposal.

One scenario I see quite often is the following:

Former employee creates a folder on their desktop, to which "trade secret" files are copied.

Folder holding trade secrets is then copied to an external USB device.

Folder on desktop is moved to recycle bin, which is then emptied.

In the above scenario, unless the former employee accessed files from the external USB device AFTER copying files to the external USB device, you will not be able to affirmatively state which specific files were copied to the external USB device. This angers many attorneys who will demand to know "exactly what files were taken!!". The simple explanation is that Windows does not need to keep track of files copied to external media so it does not.

So where to look? Obviously look where our colleagues pointed you to earlier in this thread, and also possibly:

Well, TZ Works makes a nice tool which can carve the recycle bin portion of the MFT to recover the file list that was placed in the recycle bin before the recycle bin was emptied. Other tools may do this as well, but TZ Works….works.

Internet Evidence Finder can carve the pagefile.sys and hiberfil.sys files to recover accessing of third-party email accounts and cloud storage accounts through which exfiltration (stealing) occurred. So, if the former employee signed into their personal Gmail account on the computer you are analyzing, and then attached the trade secret files to an email they then sent to themselves (and could later access from home), then IEF is a great tool to uncover such activity.

On one case I found a log file inside the program application folder of a cloud storage service which listed the files uploaded, with dates and times. Dropbox has a similar log file, but it is encrypted and one needs the Magnet Forensics Dropbox decryptor program.

Look at .ISO files, which can remain if the former employee burned the stolen files to a DVD.

It is also critical to determine the last date of employment and the last date the former employee had physical access to devices you are analyzing so that you can (1) place activities you find in the right context, and (2) focus your efforts first on the last date of employment.

iCloud accounts: if the former employee had a company-issued iPhone but was using a personal Apple ID, then exfiltration was made easy for them, because they just had to turn in their old iPhone, go to the phone store to buy a new iPhone, and then log into their Apple ID - presto, they have now exfiltrated all of their old employer's data.

I just published a Theft of Trade Secrets / Smartphone Forensics Best Practices CLE class with some useful handouts I will send you if you PM me your email address.

I will try to figure out how to upload the class slides and handouts to Forensic Focus if that is possible.

My class talks about the new Defense of Trade Secrets Act and "Inappropriate Misappropriation" and forensic triage steps.

Regards,

Larry

 
Posted : 25/04/2017 2:30 am