
Evidence of attempt to access Windows shared drive

(@aclark)
New Member
Joined: 9 years ago
Posts: 1
Topic starter  

I need to prove someone attempted to access a shared drive via Windows Explorer. Please note that the share IP address is non-existent so it would never be successful. So far I have checked the TypedURLs reg key, the RunMRU reg key, the IE history, and Windows event logs. I have found nothing and am wondering where the evidence is on a Windows 7 Enterprise system for failed shared drive attempts. Thanks in advance for any help.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Shellbags?

http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

jaclaz


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Do you know why the attempt failed?


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

I know of no artifact - if the connection attempt would always fail.

To be certain I would do a test and snapshot your system.

Depending on your logging, you may find activity in your event logs.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I know of no artifact - if the connection attempt would always fail.
>
> To be certain I would do a test and snapshot your system.
>
> Depending on your logging, you may find activity in your event logs.

This is interesting…I'm curious as to what level of logging would need to be in place, and then what evidence would there be of the attempt?

Thanks.


   
(@the-game)
Eminent Member
Joined: 13 years ago
Posts: 22
 

Hi Folks,

Just a thought: the event log, or maybe, if there is some kind of monitoring, the network log.
If it's only one attempt then it won't be flagged by the SIEM, but if there is a continuous request for something which is not present, it must get flagged.


   