
YouTube upload forensics.

(@marcusplexus)
Posts: 5
Active Member
Topic starter
 

Hi.

I am investigating strange uploads to IPs that point to youtube.com according to Sysmon (event ID 22).

The user has no clue what I am talking about. He was watching YouTube videos during the day, though. Unless the firewall is messed up (which would show up for hundreds of different hosts, not just one), I see multiple GBs going OUT, not IN, for that specific host.

The protocol was 'quic', the process 'Chrome.exe' from the right location (folder). Using $MFT and WinPrefetch, I see no weird names dropped on the file system around that time. I see no .rar, .zip, .tar, .7z.

I need to have a look at browser history, although I doubt I'll find anything there.

The user assures me Chrome has no plugin (although I did not confirm that).

What bugs me is that, using $MFT, I can't find any type of file having the extensions allowed for uploads on YouTube. And one transfer (as per the firewall session data) was 4.2GB. YouTube allows up to 2GB per upload only.

Any ideas?

 
Posted : 02/11/2019 2:43 am
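
An added example, not part of the original post: one way to line up Sysmon event ID 22 DNS answers with firewall session byte counts, listing upload-heavy sessions together with every name that resolved to the destination IP. All records, the firewall field names, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
# Constructed Sysmon Event ID 22 (DnsQuery) records, reduced to three fields.
SYSMON_DNS = [
    {"Image": CHROME, "QueryName": "www.youtube.com",
     "QueryResults": "type:  5 cdn.example.net;::ffff:192.0.2.10;::ffff:192.0.2.11;"},
    {"Image": CHROME, "QueryName": "uploads.example.com",
     "QueryResults": "::ffff:192.0.2.10;"},
]
# Constructed firewall session rows (byte counts as seen from the client).
FW_SESSIONS = [
    {"dst": "192.0.2.10", "proto": "udp/443", "bytes_out": 4_200_000_000, "bytes_in": 90_000_000},
    {"dst": "192.0.2.11", "proto": "udp/443", "bytes_out": 40_000_000, "bytes_in": 3_100_000_000},
    {"dst": "198.51.100.7", "proto": "tcp/443", "bytes_out": 2_000_000_000, "bytes_in": 5_000_000},
]

# Assumption: IPv4 answers appear in QueryResults as ::ffff:a.b.c.d; the prefix is optional here.
IPV4 = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})(?=;|$)")

def dns_map(events):
    """Map each resolved IPv4 address to the (QueryName, process) pairs that returned it."""
    seen = defaultdict(set)
    for ev in events:
        proc = ev["Image"].rsplit("\\", 1)[-1].lower()
        for ip in IPV4.findall(ev["QueryResults"]):
            seen[ip].add((ev["QueryName"], proc))
    return seen

def upload_heavy(sessions, seen, min_out=1 << 30, ratio=5.0):
    """Return sessions with >= min_out bytes sent and out/in >= ratio, with every name seen for the IP."""
    hits = []
    for s in sessions:
        if s["bytes_out"] >= min_out and s["bytes_out"] >= ratio * max(s["bytes_in"], 1):
            names = sorted({name for name, _ in seen.get(s["dst"], ())})
            # ambiguous: the IP maps to zero or several logged names, so the
            # DNS log alone does not say which service received the data.
            hits.append({**s, "names": names, "ambiguous": len(names) != 1})
    return hits

if __name__ == "__main__":
    for h in upload_heavy(FW_SESSIONS, dns_map(SYSMON_DNS)):
        print(h["dst"], h["proto"], h["bytes_out"], h["names"] or "no Sysmon 22 match")
```
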