File Transfer Logging
jamesvogel
(@jamesvogel)
New Member

First I must say that I'm a relatively inexperienced member of the forensic community. I apologize for my lack of understanding and knowledge. I'm trying to develop a skillset and am relying on feedback from more experienced professionals for learning and guidance. 

I work for a private company that requests that I review computers for data exfiltration. I use Magnet Axiom exclusively for analysis. I'm examining both physical hard drives and Microsoft O365 cloud data. I've developed a process for examining the hard drives in which I look for LNK files, Jumplists, USB connections, and the like. However, there seems to be limited data to glean from these artifacts. From the LNK files I can see when files are accessed from an external drive, but not necessarily when files are transferred to an external drive. I know that available USB drive connection history is limited and often unavailable. I was informed by a forensic contractor that there are logs that can be turned on to track file transfer activity. I would like to approach my IT dept. to see if it's feasible to utilize this feature, but need to understand what to ask them to do. Can anyone give me some insight on this? Thank you.

Posted : 22/05/2020 3:12 pm
jaclaz
(@jaclaz)
Community Legend

Depending on the specific Windows versions there may be suitable System Audit policies, check:

https://blog.compass-security.com/2019/04/investigating-data-leakage-via-external-storage-devices/

You will likely *need* a dedicated service running in the background recording USB activities, *like* (example):

https://www.novirusthanks.org/products/usb-logger/

But - since you are talking of a corporate environment, and specifically about a corporate environment where data is so sensitive as to hire you, I believe you will need to ask about the implementation of a third-party security solution *like* (examples):

https://www.eventtracker.com/Eventtracker/media/Eventtracker/files/support-docs/How-to-Monitor-Removable-Media.pdf

https://www.manageengine.com/products/active-directory-audit/removable-storage-auditing.html

jaclaz

Posted : 22/05/2020 3:45 pm
jamesvogel
(@jamesvogel)
New Member

@jaclaz

Thank you, this was very helpful.

Posted : 22/05/2020 7:23 pm
keydet89
(@keydet89)
Community Legend
Posted by: @jamesvogel

> ...available USB drive connection history is limited and often unavailable...

How so?

I would suggest that this may appear to be the case, if you don't fully understand what you're looking for, or at.

> ... need to understand what to ask them to do.

I'd ask the contractor.  Seriously.  If it's that easy, it should be just as easy to tell you what that looks like.

I'm not aware of any means by which data transfer to an external USB device can be definitively determined, given nothing more than a Windows installation. I do know of one monitoring tool that can actually detect and report on this sort of data transfer...Digital Guardian. It's a DLP agent that has been repurposed as an EDR tool, and it does show things such as files being archived and that archive attached to an email, files being moved to a USB device, etc.

HTH

Posted : 02/06/2020 1:52 pm
jamesvogel
(@jamesvogel)
New Member

@keydet89

Posted by: @keydet89

> > ...available USB drive connection history is limited and often unavailable...
>
> How so?

I'm referring to the fact that timestamps are recorded when a USB drive is first connected and last connected, but data concerning connections in between are overwritten.

> I would suggest that this may appear to be the case, if you don't fully understand what you're looking for, or at.
>
> > ... need to understand what to ask them to do.
>
> I'd ask the contractor. Seriously. If it's that easy, it should be just as easy to tell you what that looks like.

jaclaz posted this above https://blog.compass-security.com/2019/04/investigating-data-leakage-via-external-storage-devices/ I think that it's what our contractor was telling me...Windows event logs, when enabled, that can point towards file transfers. Thank you for your input.

> I'm not aware of any means by which data transfer to an external USB device can be definitively determined, given nothing more than a Windows installation. I do know of one monitoring tool that can actually detect and report on this sort of data transfer...Digital Guardian. It's a DLP agent that has been repurposed as an EDR tool, and it does show things such as files being archived and that archive attached to an email, files being moved to a USB device, etc.
>
> HTH

Posted : 02/06/2020 2:01 pm
keydet89
(@keydet89)
Community Legend

@jamesvogel

> ...I'm referring to the fact that timestamps are recorded when a USB Drive is first connected and last connected, but data concerning connections in between are overwritten. 

Yes, it depends on where you look.  For example, if you look in the Registry, yes, that can be the case.  However, if you look to the appropriate Windows Event Log, and combine that with other locations in the Registry, you get a more granular view.

Posted : 02/06/2020 2:07 pm
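Pulling together jaclaz's pointer to the System Audit policies and keydet89's advice to combine the appropriate Windows Event Log with the Registry, here is an added PowerShell example (written for this page, not code from the thread or from any vendor) that an IT department could run on a monitored host to switch on removable-storage auditing and build one timeline from the resulting events. Event IDs, log names, the audit subcategory and the Registry path are standard Windows values; the 30-day window and the output file are assumptions.

```powershell
# Added example, not from the thread: enable Windows removable-storage auditing and
# build one timeline from the Security events it produces, USB connect/disconnect
# events and the USBSTOR Registry key. Event IDs, log names, the audit subcategory
# and the Registry path are standard Windows values; $since and $out are assumptions.
# Run from an elevated PowerShell on the host being monitored.

# 1. Object Access > Removable Storage. Once enabled, every handle opened on a file
#    that lives on a removable device becomes Security event 4663 with an AccessMask,
#    so writes (copies TO the drive) are recorded, not only the reads LNK files show.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

$since = (Get-Date).AddDays(-30)
$out   = Join-Path $env:USERPROFILE 'usb-timeline.csv'

# 2. Decode the 4663 events raised under that subcategory (task category filter).
$fileAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$since} -ErrorAction SilentlyContinue |
  Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
  ForEach-Object {
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $mask = [int]$d['AccessMask']                  # 0x1 ReadData, 0x2 WriteData, 0x4 AppendData
    [pscustomobject]@{
      Time   = $_.TimeCreated
      Source = 'Security/4663'
      User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
      Detail = '{0} {1} {2}' -f $(if ($mask -band 0x6) {'WRITE'} else {'READ'}), $d['ProcessName'], $d['ObjectName']
    }
  }

# 3. USB connect (2003) / disconnect (2102) events from the UMDF operational log, when
#    that log is enabled; these fill the gap between the first/last timestamps kept in
#    the Registry that the thread mentions.
$usb = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; Id=2003,2102; StartTime=$since} -ErrorAction SilentlyContinue |
  ForEach-Object {
    [pscustomobject]@{ Time=$_.TimeCreated; Source="UMDF/$($_.Id)"; User=''; Detail="$($_.Message)".Split("`n")[0] }
  }

# 4. Devices that ever enumerated on this host (device ID + serial) for correlation.
$known = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
  ForEach-Object { Get-ChildItem $_.PSPath } |
  ForEach-Object {
    [pscustomobject]@{ Device = ($_.PSParentPath -split '\\')[-1]; Serial = $_.PSChildName
                       Name   = (Get-ItemProperty $_.PSPath).FriendlyName }
  }

$timeline = @($fileAccess) + @($usb) | Sort-Object Time
$timeline | Export-Csv -Path $out -NoTypeInformation
$known    | Format-Table -AutoSize
$timeline | Format-Table -AutoSize
```

The 4663 ObjectName is a device path (\Device\HarddiskVolumeN\...), so the USBSTOR listing and the 2003/2102 events are what tie a write back to a specific physical device and connection session.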