Thank you for your time reading this. I would like to give a brief summary and timeline of my issue. Also note, I have changed the dates that I am using to protect my client.
I have a client that received an email from an unknown person on August 1st, 2016. This email was sent to his personal Gmail account and it was viewed via a Web Browser. This email contained attachments with proprietary information.
I am trying to show, within reason, that this was the first time my client ever received an email from this unknown sender. There are many things that I am reviewing for this, but there is one in particular that I thought would be worth getting some input on. I am seeing references to the unknown email address prior to August 1st, 2016. I have validated my findings in both FTK and EnCase.
Below I have a timeline:
7/15/2016 (Last Modified)
untitled\F\Windows.old\WINDOWS\WinSxS\amd64_microsoft-windows-msxml30_31bf3856ad364e35_6.3.9600.17415_none_79793b816a939538\msxml3.dll
7/18/2016 (Last Modified)
untitled\F\Lost Files\amd64_c8e263fc325702a2371fef91ff72edd9_b03f5f7f11d50a3a_4.0.9600.18236_none_87f1e200d48064f1.manifest
What is also interesting is that on this date the machine was upgraded from Windows 8 to Windows 10. This was not invoked by the client, but happened automatically - as I have been told.
8/1/2016
Any suggestions or input would be greatly appreciated. In the meantime, I am running a virus scan on all items in my collected image along with recovery of Private Web Browsing from Edge.
It is strange.
The file found in "lost files" could be anything (and the contrary of it).
On the other hand, the file in WinSxS has two well-defined characteristics:
1) it is in the Windows Side By Side repository (which is normally used by the Operating System ONLY to store various versions of - usually - System libraries and that can be considered - loosely - an extension of \System32\)
2) it is a DLL (a Dynamic Link Library) which is to all effects a PE file, an executable with a checksum
Given these two characteristics, it should be possible to find an original (from Microsoft) msxml3.dll file and compare it with the one in which you found the "unknown email address", and also verify if it is corrupted by checking the PE checksum of the dll.
The file - possibly but not surely - may be within the ones that the SFC tool can verify.
Files in WinSxS can also be hard or soft links to other files, but if this was the case, you would have found another one.
The folder name suggests that the file is version 6.3.9600.17415 which corresponds to Windows 8.1 (not 8, nor 10).
It is improbable that a MS system DLL contains an "unknown email address"; the only reason why it could be there could be a filesystem error (or a direct write to disk).
Personally I would:
1) check the file's internal checksum with a tool like PE checksum or similar
2) check the filesystem for errors/inconsistencies
3) find a way to procure an original file and compare it (this might not be really easy, as likely there are many versions of that .dll)
jaclaz
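The PE checksum check from step 1 above can be done without a dedicated tool. The following is an added example, not code posted by either participant: it recomputes the IMAGE_OPTIONAL_HEADER.CheckSum value the same way imagehlp's CheckSumMappedFile does (ones'-complement style sum of 32-bit words with the CheckSum field itself skipped, folded to 16 bits, plus the file length) and compares it with the stored value. The sample image it builds is a constructed, minimal PE-shaped byte string, not a real msxml3.dll; the function names are my own.

```python
import struct
import sys

# Offset of the CheckSum field inside the optional header (identical for PE32 and PE32+).
OPT_HDR_CHECKSUM_OFFSET = 64


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) + 64 bytes into the optional header.
    # In a well-formed image e_lfanew is 4-byte aligned, so this offset is 4-byte aligned too.
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM_OFFSET


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the PE image checksum over the whole file."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)      # pad to a multiple of 4 bytes
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:                            # the CheckSum field itself is not summed
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                     # fold the carry back in (end-around carry)
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)       # fold 32 -> 16 bits
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF        # original (unpadded) length is added


def stored_pe_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_pe_checksum(data: bytes) -> bool:
    """True when the header CheckSum equals the recomputed value.

    A stored value of 0 means the linker never set one, which is common for
    third-party binaries but not what you expect from a Microsoft system DLL."""
    return stored_pe_checksum(data) == compute_pe_checksum(data)


def stamp_pe_checksum(data: bytes) -> bytes:
    """Write the correct checksum into the header (what a linker's /RELEASE does)."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", compute_pe_checksum(data)) + data[off + 4:]


def build_sample_image() -> bytes:
    """Constructed, minimal PE-shaped byte string (not a real DLL) with a
    correct CheckSum stamped in, used only to exercise the functions above."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine=AMD64, 1 section, SizeOfOptionalHeader=0xF0,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    opt_hdr = bytearray(0xF0)
    struct.pack_into("<H", opt_hdr, 0, 0x20B)      # PE32+ magic; CheckSum left as 0 for now
    body = b"placeholder text standing in for section data\0" * 4
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + body
    return stamp_pe_checksum(image)


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating a corrupted or modified byte on disk."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Usage: python pe_checksum.py <file.dll>  (checks a real file from your image)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("stored   0x%08X" % stored_pe_checksum(blob))
        print("computed 0x%08X" % compute_pe_checksum(blob))
        print("match" if verify_pe_checksum(blob) else "MISMATCH")
    else:
        sample = build_sample_image()
        print("sample ok:", verify_pe_checksum(sample))
        print("tampered ok:", verify_pe_checksum(tamper(sample, 400)))
```

A matching checksum only tells you the bytes are the ones the linker produced, not who produced them; a mismatch on a Microsoft system DLL is a strong sign of on-disk corruption or modification and is worth following up with the filesystem check in step 2. For a Microsoft file the Authenticode signature (or the catalog entry SFC uses) is the stronger test, since a checksum can be recomputed by anyone.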