Determine the way that a file transferred to the PC

khalloud
(@khalloud)
Posts: 6
Active Member
Topic starter
 

I wonder how to know how the file was transferred to the PC?

Is it from external storage, or via the network?

In my case I found the file in c:\user\public\download

Maybe it was downloaded from the internet? But there's no internet artifact!

So how can I determine the way that this file came to the PC?

 
Posted : 09/01/2019 7:30 am
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

> I wonder how to know how the file was transferred to the PC?
>
> Is it from external storage, or via the network?
>
> In my case I found the file in c:\user\public\download
>
> Maybe it was downloaded from the internet? But there's no internet artifact!
>
> So how can I determine the way that this file came to the PC?

Which kind of "internet artifact" would you have expected, looked for and failed to find?

I mean, let's say that you run (say) curl (https://curl.haxx.se/) to get a file from the internet.

What artifacts would you expect?

jaclaz

 
Posted : 09/01/2019 10:14 am
khalloud
(@khalloud)
Posts: 6
Active Member
Topic starter
 

I mean that I searched this PC to check whether the user used the internet.
I suppose that the file in C:\user\public\download came from the internet, but there's no sign that lets me say that.

So that's my question: how can I determine the way that file came to this PC?

Is it from external storage or via the internal network?

 
Posted : 09/01/2019 11:45 am
athulin
(@athulin)
Posts: 1141
Noble Member
 

> In my case I found the file in c:\user\public\download

Is that directory configured as used for downloads in any software on the examined computer?

Some software adds an ADS to show that a file has been downloaded: Zone.Identifier. While its presence is not definite proof of download, nor its absence proof that it wasn't downloaded, its presence is still a fairly strong suggestion.

 
Posted : 09/01/2019 12:13 pm
kastajamah
(@kastajamah)
Posts: 101
Estimable Member
 

Have you looked at a timeline view to see what else was being accessed around the time the file was created in the download folder?

 
Posted : 09/01/2019 3:25 pm
jaclaz
(@jaclaz)
Posts: 5135
Illustrious Member
 

> I mean that I searched this PC to check whether the user used the internet.
> I suppose that the file in C:\user\public\download came from the internet, but there's no sign that lets me say that.
>
> So that's my question: how can I determine the way that file came to this PC?
>
> Is it from external storage or via the internal network?

The whole point is that you cannot.

You may find artifacts from a specific "internet related tool", such - as an example - as the browser cache, but if the file was downloaded through another tool (such as the given example curl, or from "direct access" from within another program) you would find nothing.

As Athulin stated, some software may add an ADS (Alternate Data Stream) related to the "zone identifier" to the file (provided that the target filesystem is NTFS, which is not necessarily the case). Some reference: https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/

But - besides programs that don't add it - nothing prevents anyone from adding one to an existing file or stripping one from a file that has it.

jaclaz

 
Posted : 09/01/2019 5:02 pm
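
An added example (not part of any post in this thread) that reads and interprets the Zone.Identifier stream athulin and jaclaz discuss above, wording the result with the caveats they give. The sample stream content and its URLs are constructed; `read_zone_stream` assumes a mounted NTFS volume examined under Windows.

```python
import configparser

# URLZONE values stored in the ZoneId field of the Zone.Identifier stream.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of stream content; the URLs are placeholders.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://downloads.example.test/\r\n"
          "HostUrl=https://downloads.example.test/files/report.pdf?id=7\r\n")

def read_zone_stream(path):
    """Read the ADS of a file on a mounted NTFS volume (Windows); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None

def parse_zone_identifier(text):
    """Return zone_id, zone, referrer and host from stream text, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
        zone_id = int(cp["ZoneTransfer"]["ZoneId"].strip())
    except (configparser.Error, KeyError, ValueError):
        return None
    sec = cp["ZoneTransfer"]
    # ReferrerUrl/HostUrl are optional: only some downloaders record them.
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "unknown"),
            "referrer": sec.get("ReferrerUrl"), "host": sec.get("HostUrl")}

def assess(text):
    """Word the finding as cautiously as the thread advises."""
    if text is None:
        return "absent: origin undetermined (untagging tool, non-NTFS hop, or stripped)"
    info = parse_zone_identifier(text)
    if info is None:
        return "present but malformed: review the raw stream"
    src = info["host"] or "no source URL recorded"
    return f"present: zone {info['zone_id']} ({info['zone']}), {src}; suggestive, not proof"
```
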
kastajamah
(@kastajamah)
Posts: 101
Estimable Member
 

Is it possible the subject put the file in the Download folder to store it there and did not download it from anywhere? Just another thought.

 
Posted : 09/01/2019 9:41 pm
khalloud
(@khalloud)
Posts: 6
Active Member
Topic starter
 

Thank you guys for your explanation

 
Posted : 10/01/2019 6:24 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 570
Honorable Member
 

Look at email attachment interactions during the same time period.

 
Posted : 10/01/2019 3:48 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

> I wonder how to know how the file was transferred to the PC?
>
> Is it from external storage, or via the network?
>
> In my case I found the file in c:\user\public\download
>
> Maybe it was downloaded from the internet? But there's no internet artifact!
>
> So how can I determine the way that this file came to the PC?

Create a timeline of system activity. Given the number of possible ways a file could get on the system, it might be a good idea to create a mini-timeline or overlay of just user activity. I did this very recently…created a timeline just from the user's shellbags, RecentDocs, UserAssist and web browser history, and it was very revealing. Showed one user accessing another user's Desktop folder.

Be sure to include Windows Event Log metadata, particularly from the Windows PowerShell Event Log.

As you haven't shared the version of Windows, it's possible that there may be something available in the PowerShell Console History file, so check those for the users on the system. You can narrow this down by determining which user was logged into the system at the time that the file was created.

I'm not sure what you're considering an "internet artifact". For example, you may not have found a WebCacheV01.dat, but did the user access Chrome instead? If so, get a copy of hindsight.

Once you start investigating this, the context will begin to fill in.

 
Posted : 15/01/2019 11:27 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

> I wonder how to know how the file was transferred to the PC?
>
> Is it from external storage, or via the network?

Check the NTFS file permissions. Are they inherited or not? One way to find out if the file was copied, moved from another NTFS device or not.

 
Posted : 15/01/2019 1:36 pm
jahearne
(@jahearne)
Posts: 35
Eminent Member
 

Look to see if the end user opened up that file!

Link files and Jump Lists have all kinds of information on the file that they reference, such as a MachineID. Check out Harlan Carvey's post: http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

 
Posted : 17/01/2019 3:59 am
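
An added example (not from the thread or from the linked blog post) that walks a .lnk file following the [MS-SHLLINK] layout to reach the TrackerDataBlock, where the MachineID jahearne mentions is stored. It goes slightly beyond the post by also decoding the object ID, which carries a MAC address when it is a version-1 UUID; the sample link, machine name and UUID are constructed.

```python
import struct
import uuid

TRACKER_SIG = 0xA0000003  # TrackerDataBlock signature ([MS-SHLLINK] ExtraData)

def tracker_block(lnk):
    """Return MachineID and object-ID details from a .lnk byte string, or None."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    pos = 0x4C
    if flags & 0x01:                            # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & 0x02:                            # HasLinkInfo
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width = 2 if flags & 0x80 else 1            # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # five optional StringData fields
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", lnk, pos)[0]
    while pos + 8 <= len(lnk):                  # walk the ExtraData blocks
        size, sig = struct.unpack_from("<II", lnk, pos)
        if size < 4:                            # TerminalBlock
            break
        if sig == TRACKER_SIG and size >= 0x60 and pos + 0x60 <= len(lnk):
            # MachineID: NetBIOS name of the host where the target last resided.
            machine = lnk[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            obj = uuid.UUID(bytes_le=lnk[pos + 48:pos + 64])  # Droid file object ID
            # A version-1 UUID embeds the MAC of the host that generated it.
            mac = f"{obj.node:012x}" if obj.version == 1 else None
            return {"machine_id": machine, "object_id": str(obj), "mac": mac}
        pos += size
    return None

def sample_lnk():
    """Constructed input: minimal header, one Unicode name string, tracker block."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x04 | 0x80).ljust(0x4C, b"\0")
    strings = struct.pack("<H", 4) + "demo".encode("utf-16-le")
    vol = uuid.UUID(int=0).bytes_le
    obj = uuid.UUID("6f1b2c3e-1a2b-11e9-8f00-0242ac110002").bytes_le
    tracker = struct.pack("<IIII16s", 0x60, TRACKER_SIG, 0x58, 0,
                          b"WKSTN-042") + (vol + obj) * 2
    return header + strings + tracker + struct.pack("<I", 0)
```

A MachineID that differs from the examined computer's name indicates the link was created against a target on another host, which is worth placing on the timeline next to the file's creation time.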