I usually need to determine if there is evidence that a computer was used to distribute images or videos with sexual content through a web page or social network. The orders I receive don't specify the images or videos and do not indicate the possible web page or social network, for example in cases of child pornography or extortion with the publication of intimate images and videos.
First of all I try to find the images or videos. Then I try to determine if they were uploaded, for example by analyzing web activity in conjunction with shellbags and jump lists.
I would like to be sure which are the best Windows artifacts to determine if a file was uploaded to a webpage or social network.
Any comment regarding this issue?
I would like to be sure which are the best Windows artifacts to determine if a file was uploaded to a webpage or social network.
That's an odd restriction to your question. Why only Windows?
And to go from there to 'best'…
It seems more likely that it's the application that performs the upload that may leave the traces. That could be Windows-based (registry, logs, etc.), but … it might as well be application-specific traces (web client logs, FTP logs, P2P logs), … or none at all.
It seems a more practical approach to find out which applications capable of performing an 'upload' are present on a system. All web browsers, all upload clients, all … whatever else there is. Then, for each of them, decide if they leave traces or if they do not. (I don't know of anyone who has done that job for you – and if there is, how well it dates, as things change quickly.)
For example, there are lots of existing JavaScript libraries out there that provide ready-made functionality. Take a look at plupload to start with (
After a while you may be able to find commonalities. But I hope you're reasonably familiar with web application development. You'll almost certainly need to be.
Don't ignore other client-side scripting languages. JavaScript is probably where the most code is, but other languages may be possible to use in special circumstances. Java used to be possible to use, for example.
First of all I try to find the images or videos. Then I try to determine if they were uploaded, for example by analyzing web activity in conjunction with shellbags and jump lists.
I would like to be sure which are the best Windows artifacts to determine if a file was uploaded to a webpage or social network.
First off, data exfil of any kind is notoriously difficult to definitively determine without having the appropriate instrumentation and visibility. Determining the answer to this issue, as best as possible, is similar to investigating lateral movement within an infrastructure; you have to take the view of the source and destination systems, and look for artifacts based on the different perspectives.
To determine an upload to social media, you would need to know which platform, and then what the artifact (i.e., likely browser activity) would "look like", and how an upload would explicitly differ from viewing those images.
I've had a case like this recently. I hope what I write will be able to come in handy for you, if you haven't figured it out yet. I'm far from the expertise you can find here with other members, but if I can post answers from time to time I'll try to do my best. In this case it was a lot of manual work, not point-and-click programs.
First, I just want to say I might not be using the exact correct terms since English isn't my first language, so bear with me.
As you said, first I had to locate pictures which I suspected were linked to the case (here it was a case of procuring -aka pimping-).
There were many pictures of different women in different paths on the computer. Some of them looked like originals (directly from a camera), some of them were modified (with the numbers and the names pasted on with Paint or something).
I looked at the web history with the forensic analysis software I had on hand (IEF, EnCase, etc.). A lot of URLs were pointing to known escort websites.
I then made a search through those URLs on the computer to see ad creation URLs (edit_ad.php, post_ad.php, etc.). In your case, it might be simple upload form URLs for pictures, depending on the social media.
This hinted to me that the user posted on those websites. When doing a keyword search on the computer, I could then see a lot of information within the unallocated space or random pagefile. When I searched for edit_ad.php I would see a follow-up with "?ad=345083459" or something similar. So I took note of all these ads and located them online to download the pictures and compare them with the ones I had on the computer. The names of the pictures were also changed for the most part.
After that, I went on those websites to create accounts for myself, and looked at the source code of the URLs where the upload picture form/field was present. I could see a certain pattern and established that when I browsed and selected the picture I wanted to upload, the source code changed and showed the path of the picture I was uploading, including its original name. So I copied the field preceding the upload path (something like an HTML code with a precise structure… I am not very knowledgeable in HTML but you'll notice it if you do some tests). Let's say you go to upload.photobox.com and you upload a picture from your computer; after you select the picture, click inspect on the small thumbnail with your Chrome browser, and you should see something like this <span class="imagename">1u79j8.jpg</span> in the code somewhere. That was the name of the picture I uploaded. It also gives me the resulting URL https://
So afterwards, what I did for every one of the pictures was follow the clues. I would locate the "imagename" upload tag with the name of the picture, corroborate it on the computer itself, then look at the resulting URL, and confirm the picture was the same. Since the resulting URL's picture name was often modified, if I had the file with the original file path as shown in the HTML code, it would confirm to me that the computer user was the one who uploaded it, because each resulting filename was unique; therefore it was not possible (or rather unlikely) that another user had the same result from the original picture if everything corroborated.
I'm not sure if I'm being clear here, hehe.
Anyway, I did many more manipulations (such as extracting all ads and files from the online websites. I also did a lot of research on the different relevant strings I could find in those HTML codes that could help me link or locate more pictures, etc.)
@Lukamo
Clear, simple, straight to the point, excellent contribution, if I may.
Additionally (though said by a non-native English speaker) your English seems just fine to me.
jaclaz
I would like to be sure which are the best Windows artifacts to determine if a file was uploaded to a webpage or social network.
There are a lot of artifacts, but there is AFAIK only one in the standard OS that matches processes to bandwidth usage: SRUM. Analyzing the SRUM database is a "must have" in my forensic procedure and I can strongly recommend this article here
In your case, there should be a clear connection between - let's say - chrome.exe and the used bandwidth, together with a timestamp. This is perfect, if
- prefetch change date
- entry in SRUM
- logged in users from Eventlog
can be correlated together.
From the article: "The information is stored in the \Windows\System32\sru\ directory in a file named SRUDB.DAT. The file is in the Windows ESE (Extensible Storage Engine) database format. So the trick is to get the data out and make sense of it."
Handle this database in exactly the same way as if it was an IE/Edge database to get a clean unmount. You need esentutl in a similar way as it was used in this article
The folder \System32\sru is protected by ACL. Take ownership and adjust the permissions to get access to the edb file.
Your language skills are excellent. Native English speakers are very tolerant when it comes to mistakes in grammar or writing. My own comments are full of errors and I do not care about it :P
regards,
Robin
I had a similar case. I used Belkasoft Evidence Center with settings to dig up everything, including data carving. After the process finished, I searched for 'GET' and 'POST' strings and the results were straight-forward. Then I filtered for '.jpg', getting all the relevant generated picture names and urls.
Having the generated picture names and the URL timestamps, the portal gave all upload-related information to LE from their logs.
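As an added example (not code from any poster in this thread), the following Python script automates the manual steps described in Lukamo's post and in the Belkasoft post above: it sweeps carved text (pagefile, unallocated, browser cache) for ad-creation URLs such as edit_ad.php?ad=…, for the <span class="imagename"> tag, and for multipart POST filename= fields, then correlates the recovered names with file names present on the examined system. The carved bytes, the host name and the local file list are constructed sample data; the regexes and function names are my own assumptions, not a tool's API.

```python
import re

# Constructed carved-text sample standing in for pagefile/unallocated fragments (not case data).
CARVED = (
    b"GET /edit_ad.php?ad=345083459 HTTP/1.1\r\nHost: ads.example.invalid\r\n"
    b"\x00\xff<span class=\"imagename\">1u79j8.jpg</span>\x00\x00"
    b"POST /upload.php HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=xyz\r\n"
    b"Content-Disposition: form-data; name=\"photo\"; filename=\"IMG_0042.jpg\"\r\n"
    b"\xde\xad<span class=\"imagename\">holiday.jpg</span>"
    b"GET /edit_ad.php?ad=345083459 HTTP/1.1\r\n"  # duplicate hit, must be deduplicated
)

# Constructed file names recovered from the examined system (e.g. a file-listing export).
LOCAL_IMAGES = {"1u79j8.jpg", "IMG_0042.jpg", "DSC_0001.jpg"}

AD_RE = re.compile(rb"(?:edit_ad|post_ad)\.php\?ad=(\d+)")
SPAN_RE = re.compile(rb'<span class="imagename">([^<]{1,255})</span>')
POST_RE = re.compile(rb'filename="([^"]{1,255}\.(?:jpe?g|png|gif|mp4))"', re.IGNORECASE)


def _unique(matches):
    """Decode byte matches and drop duplicates while keeping first-seen order."""
    seen, out = set(), []
    for m in matches:
        s = m.decode("utf-8", errors="replace")
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def extract_indicators(blob: bytes) -> dict:
    """Pull the three indicator types the posts describe out of a carved blob."""
    return {
        "ad_ids": _unique(AD_RE.findall(blob)),
        "imagename_spans": _unique(SPAN_RE.findall(blob)),
        "post_filenames": _unique(POST_RE.findall(blob)),
    }


def correlate(blob: bytes, local_images: set) -> dict:
    """Map each local file name to the carved evidence types that mention it."""
    ind = extract_indicators(blob)
    hits = {}
    for kind in ("imagename_spans", "post_filenames"):
        for name in ind[kind]:
            if name in local_images:
                hits.setdefault(name, []).append(kind)
    return hits


if __name__ == "__main__":
    print(extract_indicators(CARVED))
    print(correlate(CARVED, LOCAL_IMAGES))
```

Names that appear only in carved data (holiday.jpg here) are leads to locate online, as Lukamo describes; names that also exist on disk are the ones worth corroborating against the resulting URL.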
It would be great if you could please guide me regarding "I searched for 'GET' and 'POST' strings and the results were straight-forward." I am using Belkasoft and I carved Chrome data. But when I search for the "POST" string there is no match. I am examining on my own system because I have a case to identify the images uploaded to Google Photo. Does Chrome store HTTP header data?
Regards
Some of the header data (and everything else) is stored in the cache, but that is limited also.
If there is no data, it is end of work.