Windows Artifacts from Upload

15 Posts
9 Users
0 Reactions
2,688 Views
(@mccrea)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Greetings, I have a desktop that is said to have been used to upload 3 videos illegally to a website. I did not seize the computer, and don't know how it was set up at the scene. I am trying to confirm this was the computer that actually uploaded the videos.
This computer has the movies on it; however, I can find no activity that looks like an upload to the website on the day that the site says the upload happened.
I have the IP from the site admin, which gets me to the suspect's gateway.
I have the site address saved along with others in a Macromedia Flash folder on the target machine.
Index.dat files go back to before the target date and show no hits on the website.
NO hits in the registry for the target site.

I am new to this game. Can anyone think of another Windows Artifact on the target machine that might confirm this machine was used/not used to upload the videos?

Thanks, Cam

pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

My first step would be to replicate uploading to the website. Use file system monitors, registry monitors, and network sniffers (if you want) to capture every bit of information that happens during a benign upload to the target website.

When done, search for that information on the suspect computer.

(@unknown)
Eminent Member
Joined: 17 years ago
Posts: 21
 

Check for alternative browsers…

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

What software tools are you using for the analysis?

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> Index.dat files go back to before the target date and no hits on the web site.
> NO hits in the registry for the target site.
>
> I am new to this game. Can anyone think of another Windows Artifact on the target machine that might confirm this machine was used/not used to upload the videos?

I assume you have already verified that the files on the server and the files on the computer are bit-by-bit identical. (If file names differ, search for the remote filenames on the computer.)

Do you know how the upload took place? What kind of software was used? Does the site accept uploads by FTP? HTTP? other protocols? perhaps even some kind of network shares? Or P2P? What software on the computer (and off it – on USB sticks, CDs, external hard drives, etc.) can do those protocols? Don't look just for installed software – look for all software, and then identify the software that can do uploads of *any* kind.

Do you know when the upload took place, to a reasonably short period? Look for activities at that time. 'Windows' is a bit too broad to help – it could be anything from 3.1 to Media Server or Vista. (Don't forget to take DST into account, and don't forget to check that someone *did* verify that the computer was on 'true' time and 'true' TZ when it was taken – and that includes the server.)

You seem to know the IP address of the target – but is that the target for uploads, or just the target for downloads? Is there only one upload IP address, or are there several? Search the entire drive for domain addresses and IP addresses to the upload servers, not just the registry. (This means researching the target site.) I hope it goes without saying that 'entire drive' includes unallocated sectors.

Keep a look-out for anonymizing software – for instance, the user may not have uploaded directly, but to a proxy/gateway. Are there any IP addresses on the system that identify such sites?

Very little of this is 'Windows' artifacts. It's mostly application software artifacts and finding the right things to search for.

Ultimately, if information about uploads could have been deleted from the computer – when would that have happened? What traces would such deletions leave?

And of course, keep a lookout for indications that the whole thing worked some other way around – that the files originated on the server and were brought to the examined computer. And possibly even that the files entered the computer some other way – from an external drive, or a local network share.

Added: if you're new to this game, be sure to manage your time as well as the evidence – it's too easy to waste time investigating the wrong thing.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Most of the advice posted so far is excellent and should be strongly considered.

Some of the biggest things pointed out include: which version of Windows are you dealing with? For example, a potential means for narrowing down your search is to determine *when* this transfer took place... you may be able to do so with the last access times on the files. However, by default, Vista does not update last access times.

> NO hits in the registry for the target site.

What were you looking for?

> ..I can find no activity that looks like an upload to the website on the day
> that the site says the upload happened.

What would this look like, in your mind?

There's a good deal here left uncovered. For example, did the upload occur due to user activity, or the result of malware? Was it via HTTP, FTP, or some file sharing protocol?

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Keydet89 covers the thread to this point very well. It is the balance of the art and science of forensic investigation. You have to frame your investigation before you start doing any of the technical work. Critically thinking about the 5 W's (who, what, where, when and why) before you start trying to parse the bulk/raw data will be more efficient and avoid frustration that can take you out of the investigation mentally. As you continue the investigation and get "stuck", refer back to how you framed it originally so you do not stray far off your path.

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Sometimes your evidence is not going to be absolute, and instead is merely going to be corroboration of facts obtained from other sources. In your case, you already have corroborative evidence:

Files were said to be uploaded from X.
Matching files were located on X.

Presumably, you have matching file hashes to strengthen the quality of the match.

There are many reasons why there is no matching internet log. Not being able to find the logs is not necessarily detrimental to the case, but it is something you need to address in your evidence.

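Two of the checks suggested above (verifying that the local files are byte-identical to the server's copies even if renamed, and searching raw drive data, unallocated space included, for the upload site's hostname and IP) can be scripted. The block below is an added example, not code from anyone in this thread; the file contents, hashes, hostname and IP are constructed placeholders, and the "image" is an in-memory byte string standing in for a raw disk image.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-ins for the three files the site admin reported (not real videos).
SERVER_FILES = {
    "clip1.avi": b"constructed video bytes 1",
    "clip2.avi": b"constructed video bytes 2",
    "clip3.avi": b"constructed video bytes 3",
}
# The admin would normally hand over hashes; here they are derived from the stand-ins.
SERVER_HASHES = {hashlib.sha256(d).hexdigest(): n for n, d in SERVER_FILES.items()}

# Placeholder indicators for the upload site (hypothetical hostname and IP).
INDICATORS = ["uploads.example-site.test", "203.0.113.5"]

def hash_file(path, algo="sha256"):
    """Stream-hash a file so large videos do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def match_local_files(root, server_hashes):
    """Return {local_path: server_filename} for byte-identical files, whatever
    they were renamed to locally (the thread's 'search for remote filenames' step)."""
    matches = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hash_file(path)
            if digest in server_hashes:
                matches[path] = server_hashes[digest]
    return matches

def scan_image_for_indicators(image_bytes, indicators):
    """Search raw bytes (allocated or not) for each indicator in ASCII and in
    UTF-16LE, the encoding many Windows artifacts store strings in, so a hit in
    the registry or a prefetch/shortcut file is not missed by an ASCII-only grep."""
    hits = {}
    for ind in indicators:
        for enc in ("ascii", "utf-16-le"):
            for m in re.finditer(re.escape(ind.encode(enc)), image_bytes):
                hits.setdefault(ind, []).append((m.start(), enc))
    return hits

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed 'suspect drive': one server file renamed, one unrelated file.
        with open(os.path.join(d, "holiday.avi"), "wb") as f:
            f.write(SERVER_FILES["clip2.avi"])
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"nothing to see")
        matches = match_local_files(d, SERVER_HASHES)
    # Constructed 'unallocated' region: hostname survives as UTF-16LE, IP as ASCII.
    image = (b"\x00" * 64 + INDICATORS[0].encode("utf-16-le")
             + b"\x00" * 32 + INDICATORS[1].encode("ascii"))
    return matches, scan_image_for_indicators(image, INDICATORS)
```

On a real case the directory walk runs over the mounted, read-only image and the indicator scan over the raw image file read in chunks; a hit offset can then be mapped back to a file or to unallocated clusters with the examiner's usual tools.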
(@ctendell)
Trusted Member
Joined: 16 years ago
Posts: 62
 

Perhaps a little late. However, have you seen any IRC clients on the machine, namely mIRC or XChat2? Both of these have FTP capability built in. Also, as previously suggested, I'd check the checksum of the data on the site against that on the machine. If you haven't found an FTP client or any relevant history showing a connection to the site, you may be off on a wild goose chase.

Establishing what kind of user you're dealing with will help you quickly narrow down what kinds of things you're looking for.

My two cents.

(@mccrea)
New Member
Joined: 16 years ago
Posts: 2
Topic starter  

Thanks to all for the excellent advice. I will work through all the suggestions this week and post the results.

Cheers, Cam