
Determine the way that a file transferred to the PC  

khalloud
(@khalloud)
New Member

I wonder how I can find out how the file was transferred to the PC?

Is it from external storage? Or via the network?

In my case I found the file in c\user\public\download

Maybe it was downloaded from the internet? But there's no internet artifact!

So how can I determine how this file came to the PC?

Posted : 09/01/2019 7:30 am
jaclaz
(@jaclaz)
Community Legend

> I wonder how I can find out how the file was transferred to the PC?
>
> Is it from external storage? Or via the network?
>
> In my case I found the file in c\user\public\download
>
> Maybe it was downloaded from the internet? But there's no internet artifact!
>
> So how can I determine how this file came to the PC?

Which kind of "internet artifact" would you have expected, looked for and failed to find?

I mean, let's say that you run (say) curl (https://curl.haxx.se/) to get a file from the internet.

What artifacts would you expect?

jaclaz

Posted : 09/01/2019 10:14 am
khalloud
(@khalloud)
New Member

I mean that I searched this PC to check whether the user used the internet.
I suppose that the file in C\user\public\download came from the internet, but there's no sign that lets me say that.

So that's my question: how can I determine how that file came to this PC?

Is it from external storage or via the internal network?

Posted : 09/01/2019 11:45 am
athulin
(@athulin)
Community Legend

> In my case I found the file in c\user\public\download

Is that directory configured as used for downloads in any software on the examined computer?

Some software adds an ADS to show that a file has been downloaded: Zone.Identifier. While its presence is not definite proof of download, nor its absence proof that it wasn't downloaded, its presence is still a fairly strong suggestion.

Posted : 09/01/2019 12:13 pm
kastajamah
(@kastajamah)
Member

Have you looked at a timeline view and seen what else was being accessed around the time the file was created in the download folder?

Posted : 09/01/2019 3:25 pm
jaclaz
(@jaclaz)
Community Legend

> I mean that I searched this PC to check whether the user used the internet.
> I suppose that the file in C\user\public\download came from the internet, but there's no sign that lets me say that.
>
> So that's my question: how can I determine how that file came to this PC?
>
> Is it from external storage or via the internal network?

The whole point is that you cannot.

You may find artifacts from a specific "internet related tool", such as (for example) the browser cache, but if the file was downloaded through another tool (such as the given example curl) or from "direct access" from within another program, you would find nothing.

As Athulin stated, some software may add an ADS (Alternate Data Stream) related to the "zone identifier" to the file (provided that the target filesystem is NTFS, which is not necessarily the case). Some reference: https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/

But, besides programs that don't add it, nothing prevents adding one to an existing file or stripping one from a file that has it.

jaclaz

Posted : 09/01/2019 5:02 pm
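
The Zone.Identifier stream discussed in the two posts above is a small INI-style text stream. As an added example (not code from any poster), this Python sketch reads it from a file on an NTFS volume under Windows and decodes the zone; the sample stream content and its URLs are constructed for illustration.

```python
import configparser

# Windows URL security zone numbers as stored in the ZoneId key.
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser-written stream can look like.
SAMPLE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.test/files/\r\n"
          "HostUrl=https://example.test/files/report.pdf?id=7%20a\r\n")

def read_zone_stream(path):
    """Return the raw stream text, or None when the stream is absent.
    The path:stream syntax only works on Windows against NTFS."""
    try:
        with open(path + ":Zone.Identifier", "r",
                  encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, non-NTFS volume, or not Windows

def parse_zone_identifier(text):
    """Decode stream text into a dict; None means 'no stream present',
    which is NOT evidence that the file was not downloaded."""
    if text is None:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
        sec = cp["ZoneTransfer"]
        zone_id = int(sec.get("ZoneId", ""))
    except (configparser.Error, KeyError, ValueError):
        return {"zone_id": None, "zone": "unparseable",
                "referrer_url": None, "host_url": None}
    return {"zone_id": zone_id,
            "zone": ZONES.get(zone_id, "unknown"),
            "referrer_url": sec.get("ReferrerUrl"),
            "host_url": sec.get("HostUrl")}

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

Because the stream can be added to or stripped from any file, treat the decoded values as a lead to corroborate against other artifacts, not as proof of origin.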
kastajamah
(@kastajamah)
Member

Is it possible the subject put the file in the Download folder to store it there and did not download it from anywhere? Just another thought.

Posted : 09/01/2019 9:41 pm
khalloud
(@khalloud)
New Member

Thank you guys for your explanation

Posted : 10/01/2019 6:24 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Look at email attachment interactions during the same time period.

Posted : 10/01/2019 3:48 pm
keydet89
(@keydet89)
Community Legend

> I wonder how I can find out how the file was transferred to the PC?
>
> Is it from external storage? Or via the network?
>
> In my case I found the file in c\user\public\download
>
> Maybe it was downloaded from the internet? But there's no internet artifact!
>
> So how can I determine how this file came to the PC?

Create a timeline of system activity. Given the number of possible ways a file could get on the system, it might be a good idea to create a mini-timeline or overlay of just user activity. I did this very recently…created a timeline just from the user's shellbags, RecentDocs, UserAssist and web browser history, and it was very revealing. Showed one user accessing another user's Desktop folder.

Be sure to include Windows Event Log metadata, particularly from the Windows PowerShell Event Log.

As you haven't shared the version of Windows, it's possible that there may be something available in the PowerShell Console History file, so check those for the users on the system. You can narrow this down by determining which user was logged into the system at the time that the file was created.

I'm not sure what you're considering an "internet artifact". For example, you may not have found a WebCacheV01.dat, but did the user access Chrome instead? If so, get a copy of hindsight.

Once you start investigating this, the context will begin to fill in.

Posted : 15/01/2019 11:27 am
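
The mini-timeline idea from the post above (and the earlier timeline suggestion), as an added example that is not any poster's own tooling: events already exported from several user-activity artifacts are normalised to UTC and reduced to a window around the file's creation time. All event records, timestamps and the file name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_utc(ts):
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def mini_timeline(events, pivot, before_min=30, after_min=30):
    """Return (time, seconds_from_pivot, source, detail) rows, sorted,
    for events inside the window around `pivot` (file creation time)."""
    pivot_dt = parse_utc(pivot)
    lo = pivot_dt - timedelta(minutes=before_min)
    hi = pivot_dt + timedelta(minutes=after_min)
    rows = []
    for source, ts, detail in events:
        when = parse_utc(ts)
        if lo <= when <= hi:
            offset = int((when - pivot_dt).total_seconds())
            rows.append((when, offset, source, detail))
    return sorted(rows)

# Constructed records: (artifact source, timestamp as exported, detail).
# Sources mix UTC, a +03:00 local offset and a naive timestamp on purpose.
EVENTS = [
    ("RecentDocs", "2019-01-08T09:15:02", "sample.bin"),
    ("Shellbags", "2019-01-07T18:00:00+00:00", "E:\\ browsed"),
    ("BrowserHistory", "2019-01-08T12:14:05+03:00",
     "visit https://example.test/files/"),
    ("UserAssist", "2019-01-08T09:12:40+00:00", "browser launched"),
]
FILE_CREATED = "2019-01-08T09:14:31+00:00"  # constructed pivot time

if __name__ == "__main__":
    for when, offset, source, detail in mini_timeline(EVENTS, FILE_CREATED):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z {offset:+6d}s {source:15} {detail}")
```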
Bunnysniper
(@bunnysniper)
Active Member

> I wonder how I can find out how the file was transferred to the PC?
>
> Is it from external storage? Or via the network?

Check the NTFS file permissions. Are they inherited or not? One way to find out if the file was copied, moved from another NTFS device or not.

Posted : 15/01/2019 1:36 pm
jahearne
(@jahearne)
Junior Member

Look to see if the end user opened up that file!

Link files and Jump Lists have all kinds of information on the file that they reference, such as a MachineID. Check out Harlan Carvey's post:
http://windowsir.blogspot.com/2011/12/jump-list-analysis.html

Posted : 17/01/2019 3:59 am