
Windows Artifacts from Upload

(@silvafoxx)
 

Hi
A little late with my two cents worth.

In addition to what has been posted: if you can find any FTP applications that may exist, have a look through the installation folders.
I found one called 'QuickConnect' within an application called SmartFTP.
In there were a number of .xml files that showed an automatic login had been set up to the remote hosting site that displayed the offending website. This auto setup contained both username and encrypted password plus domain details and path to 'home' folder containing the images in question.

Also found a registry key 'LastVisitedMRU' showing access of a folder on the local machine by the smartFTP app which contained images that had been used on the site. Last written time and date for this key was a few seconds prior to the upload time and date of the subject image files found on the server.

Cheers


   
keydet89
(@keydet89)
 

> Also found a registry key 'LastVisitedMRU' showing access of a folder on the local machine by the smartFTP app which contained images that had been used on the site. Last written time and date for this key was a few seconds prior to the upload time and date of the subject image files found on the server.

If you don't mind me asking, what's the full path to that key, and how did you definitively tie it to the smartFTP app and not the user?

Thanks,

h


   
(@silvafoxx)
 

Hi keydet89

The full path was
Software/Microsoft/Windows/CurrentVersion/Explorer/ComDlg32/LastVisitedMRU

The entry was one of the MRU list and I was viewing it through AccessData reg viewer. The value was as follows

S∙m∙a∙r∙t∙F∙T∙P∙.∙e∙x∙e∙∙∙C∙∙\∙D∙o∙c∙u∙m∙e∙n∙t∙s∙ ∙a∙n∙d∙ ∙S∙e∙t∙t∙i∙n∙g∙s∙\∙T∙e∙s∙t∙\∙M∙y∙ ∙ D∙o∙c∙u∙m∙e∙n∙t∙s∙\∙T∙e∙s∙t∙ ∙P∙i∙c∙s∙∙∙

(This key was from a test machine I set up to see if I could re-create it) This key appeared when using the SmartFTP app to upload from the 'Test Pics' folder.
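
A way to decode the kind of value shown in the post above, as an added example that is not part of the original thread. It assumes the Windows XP layout of LastVisitedMRU data (two NUL-terminated UTF-16LE strings, with the MRUList value giving most-recent-first order); the function names and sample values are constructed for illustration.

```python
"""Decode Windows XP ComDlg32 LastVisitedMRU value data (added example)."""


def parse_last_visited(data: bytes) -> tuple[str, str]:
    """Split one MRU value into (executable, folder last used in its file dialog).

    Assumed layout, matching the value quoted in the post: two NUL-terminated
    UTF-16LE strings stored back to back.
    """
    if len(data) % 2:
        raise ValueError("value data is not a whole number of UTF-16 code units")
    parts = data.decode("utf-16-le").split("\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        raise ValueError("expected two NUL-terminated strings")
    return parts[0], parts[1]


def order_entries(values: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Return (value name, executable, folder) rows, most recently used first.

    `values` maps value names to raw data as exported from the key. MRUList is
    a UTF-16LE string of single-letter value names, most recent first.
    """
    mru = values["MRUList"].decode("utf-16-le").rstrip("\x00")
    rows = []
    for name in mru:
        if name in values:  # skip names listed but no longer present
            rows.append((name, *parse_last_visited(values[name])))
    return rows


def _utf16z(text: str) -> bytes:
    """Helper for building the constructed sample: NUL-terminated UTF-16LE."""
    return (text + "\x00").encode("utf-16-le")


# Constructed sample, modelled on the test-machine value in the post.
SAMPLE = {
    "MRUList": _utf16z("ba"),
    "a": _utf16z("notepad.exe") + _utf16z("C:\\Temp"),
    "b": _utf16z("SmartFTP.exe")
    + _utf16z("C:\\Documents and Settings\\Test\\My Documents\\Test Pics"),
}

if __name__ == "__main__":
    for name, exe, folder in order_entries(SAMPLE):
        print(f"{name}: {exe} -> {folder}")
```

The key carries a single last-written time, so a timestamp comparison like the one described in the thread applies to the first row returned, not to every entry.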


   
keydet89
(@keydet89)
 

Right, but that's not directly associated with the app, it's associated with the user…


   
(@silvafoxx)
 

Yeah…

Sorry, have I missed the point? I thought McCrea was looking for ways to try and show a particular machine was used to upload files.

Although having re-read my post I see how it can be interpreted that the app was acting without user control? If that's the case I will take more care in future.

Cheers

By the way, what does NoVA stand for?


   