Determine the way that a file transferred to the PC

(@khalloud)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter  

I wonder how to know how the file was transferred to the PC?

Is it from external storage, or via the network?

In my case I found the file in c\user\public\download

Maybe it was downloaded from the internet? But there's no internet artifact!

So how can I determine the way that this file came to the PC?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> I wonder how to know how the file was transferred to the PC?
> Is it from external storage, or via the network?
> In my case I found the file in c\user\public\download
> Maybe it was downloaded from the internet? But there's no internet artifact!
> So how can I determine the way that this file came to the PC?

Which kind of "internet artifact" would you have expected, looked for and failed to find?

I mean, let's say that you run (say) curl (https://curl.haxx.se/) to get a file from the internet.

What artifacts would you expect?

jaclaz


   
(@khalloud)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter  

I mean that I searched this PC to check whether the user used the internet.
I suppose that the file in C\user\public\download came from the internet, but there's no sign that lets me say that.

So that's my question: how can I determine the way that the file came to this PC?

Is it from external storage or via the internal network?


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> In my case I found the file in c\user\public\download

Is that directory configured as used for downloads in any software on the examined computer?

Some software adds an ADS to show that a file has been downloaded: Zone.Identifier. While its presence is not a definite proof of download, nor its absence proof that it wasn't downloaded, its presence is still a fairly strong suggestion.


   
kastajamah
(@kastajamah)
Estimable Member
Joined: 8 years ago
Posts: 113
 

Have you looked at a timeline view and seen what else was being accessed around the time the file was created in the download folder?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> I mean that I searched this PC to check whether the user used the internet.
> I suppose that the file in C\user\public\download came from the internet, but there's no sign that lets me say that.
> So that's my question: how can I determine the way that the file came to this PC?
> Is it from external storage or via the internal network?

The whole point is that you cannot.

You may find artifacts from a specific "internet related tool", such - as an example - the browser cache, but if the file was downloaded through another tool (such as the given example curl, or from "direct access" from within another program) you would find nothing.

As Athulin stated, some software may add an ADS (Alternate Data Stream) related to the "zone identifier" to the file (provided that the target filesystem is NTFS, which is not necessarily the case). Some reference: https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/

But - besides programs that don't add it - nothing prevents anyone from adding one to an existing file or stripping one from a file that has it.

jaclaz
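To make the Zone.Identifier discussion in the two posts above concrete, here is an added example (not part of any poster's reply) that interprets the content of a stream an examiner has already extracted. The function name, the result fields and the sample bytes are assumptions made for illustration.

```python
import configparser
from typing import Optional

# Windows URL security zone numbers as stored in ZoneId.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(raw: Optional[bytes]) -> dict:
    """Interpret one extracted Zone.Identifier stream (None = no stream)."""
    result = {"present": raw is not None, "zone_id": None, "zone": None,
              "host_url": None, "referrer_url": None}
    if raw is None:
        # Non-NTFS target, a tool that never writes the stream, or a stripped
        # stream all look the same: absence says nothing about the origin.
        result["finding"] = "inconclusive"
        return result
    # Writers differ: plain ANSI/UTF-8 is usual, UTF-16 with a BOM also occurs.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
        section = parser["ZoneTransfer"]
        result["zone_id"] = int(section.get("ZoneId", "").strip())
    except (configparser.Error, KeyError, ValueError):
        result["finding"] = "malformed stream, examine by hand"
        return result
    result["zone"] = ZONES.get(result["zone_id"], "unknown")
    result["host_url"] = section.get("HostUrl")
    result["referrer_url"] = section.get("ReferrerUrl")
    # The stream is ordinary file data and can be added after the fact,
    # so this is a lead to corroborate, not proof of a download.
    result["finding"] = ("suggests transfer from zone %s; corroborate"
                         % result["zone"])
    return result

# Constructed sample: stream content as a browser might write it.
SAMPLE = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"ReferrerUrl=https://example.com/files/\r\n"
          b"HostUrl=https://example.com/files/report.zip\r\n")

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("no stream", None),
                       ("junk", b"not an ini file")):
        print(label, parse_zone_identifier(raw))
```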


   
kastajamah
(@kastajamah)
Estimable Member
Joined: 8 years ago
Posts: 113
 

Is it possible the subject put the file in the Download folder to store it there and did not download it from anywhere? Just another thought.


   
(@khalloud)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter  

Thank you guys for your explanation


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Look at email attachment interactions during the same time period.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I wonder how to know how the file was transferred to the PC?
> Is it from external storage, or via the network?
> In my case I found the file in c\user\public\download
> Maybe it was downloaded from the internet? But there's no internet artifact!
> So how can I determine the way that this file came to the PC?

Create a timeline of system activity. Given the number of possible ways a file could get on the system, it might be a good idea to create a mini-timeline or overlay of just user activity. I did this very recently…created a timeline just from the user's shellbags, RecentDocs, UserAssist and web browser history, and it was very revealing. Showed one user accessing another user's Desktop folder.

Be sure to include Windows Event Log metadata, particularly from the Windows PowerShell Event Log.

As you haven't shared the version of Windows, it's possible that there may be something available in the PowerShell Console History file, so check those for the users on the system. You can narrow this down by determining which user was logged into the system at the time that the file was created.

I'm not sure what you're considering an "internet artifact". For example, you may not have found a WebCacheV01.dat, but did the user access Chrome instead? If so, get a copy of hindsight.

Once you start investigating this, the context will begin to fill in.


   
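The mini-timeline suggested in the post above, sketched as an added example that is not part of the original reply: rows from several user-activity artifacts are normalised to UTC and cut down to a window around the file's creation time. The row layout, the function names and every sample value are constructed for illustration; real rows would come from the examiner's own parsers.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (source, timestamp as exported, user, detail).
EVENTS = [
    ("UserAssist", "2019-03-04T09:58:10+00:00", "alice", "explorer.exe run"),
    ("ShellBags", "2019-03-04T12:01:30+02:00", "alice", "E:\\transfer opened"),
    ("RecentDocs", "2019-03-04T10:02:05+00:00", "alice", "report.zip"),
    ("BrowserHistory", "2019-03-03T18:40:00+00:00", "bob", "https://example.com/"),
    ("PowerShellLog", "2019-03-04T10:30:00+00:00", "bob", "engine started"),
]
FILE_CREATED = "2019-03-04T10:02:00+00:00"  # constructed creation time

def to_utc(stamp):
    """Parse an ISO 8601 timestamp and convert it to UTC.

    Timestamps without an offset are rejected: mixing local time and UTC
    silently reorders a timeline.
    """
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError("timestamp without offset: %r" % stamp)
    return parsed.astimezone(timezone.utc)

def overlay(events, pivot, minutes=5):
    """Return the rows within +/- minutes of pivot, sorted by UTC time."""
    centre = to_utc(pivot)
    span = timedelta(minutes=minutes)
    rows = [(to_utc(ts), src, user, detail) for src, ts, user, detail in events]
    return sorted(row for row in rows if abs(row[0] - centre) <= span)

def users_active(rows):
    """Users with any activity in the selected window."""
    return sorted({user for _, _, user, _ in rows})

if __name__ == "__main__":
    window = overlay(EVENTS, FILE_CREATED)
    for when, source, user, detail in window:
        print(when.isoformat(), source, user, detail)
    print("users active around creation time:", users_active(window))
```

The ShellBags row is exported with a +02:00 offset; sorting the raw strings would place it two hours late and outside the window.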