General thoughts on data dump that's been encoded to mp4



Post Posted: Thu Dec 07, 2017 6:19 pm

Hi all,

I've been looking at an asset on and off in Mandiant Redline regarding some data that was recently alerted on DLP for exfiltration. It turns out that we noticed some unusual data file names from a recent report audit and found that the user was uploading data to Vimeo via Chrome. However, I narrowed down on the timeline and I'm a little stumped as to how I might be able to better get an idea of how to determine what was really uploaded.

The data was clearly at rest and in use before transit, so it had to get on the asset somehow. If I use the Timeline, I can correlate the Chrome events that correspond to the DNS requests to Vimeo; however (either I am blind here, or I am not seeing it), I cannot find where the data was fetched from at rest to become in use with Chrome via upload and in transit to Vimeo. Has anyone had any experience with Redline and may be able to offer some suggestions?

Thank you and happy holidays
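The correlation the poster is trying to do by eye, as an added example that is not part of the original post and not Mandiant Redline code: export the timeline to CSV, take the Chrome visits to the upload site as the "in transit" end of the chain, and walk back a few minutes to list the file events that sit between "at rest" and "in use". The column layout (timestamp, source, event, detail), the lookback window and all sample rows are constructed assumptions; a real Redline export will need its own column mapping. The ftyp check is only a first triage for a file that claims to be an MP4.

```python
"""
Added example: timeline correlation around an upload, run offline on a
constructed CSV export. Not from the original post or from Redline.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (hypothetical column names, not Redline's own).
SAMPLE_TIMELINE = """timestamp,source,event,detail
2017-12-04T09:12:03,File,Accessed,C:\\Users\\jdoe\\Documents\\q3_customers.xlsx
2017-12-04T09:14:40,File,Created,C:\\Users\\jdoe\\Videos\\holiday.mp4
2017-12-04T09:15:02,File,Accessed,C:\\Users\\jdoe\\Videos\\holiday.mp4
2017-12-04T09:15:10,DNS,Lookup,vimeo.com
2017-12-04T09:15:11,Chrome,Visit,https://vimeo.com/upload
2017-12-04T09:15:15,Chrome,Visit,https://vimeo.com/upload
2017-12-04T11:02:00,File,Accessed,C:\\Users\\jdoe\\Pictures\\cat.jpg
"""


def parse_timeline(text):
    """Parse the CSV export into rows sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def upload_anchors(rows, domain="vimeo.com"):
    """Browser visits to the upload site: the 'in transit' end of the chain."""
    return [r for r in rows if r["source"] == "Chrome" and domain in r["detail"]]


def files_touched_before(rows, anchor, lookback=timedelta(minutes=5)):
    """File events inside the lookback window before an anchor: candidates for
    the 'at rest -> in use' step. Returns unique paths, most recent first."""
    lo = anchor["timestamp"] - lookback
    seen, out = set(), []
    for r in reversed(rows):
        if r["source"] != "File":
            continue
        if lo <= r["timestamp"] <= anchor["timestamp"] and r["detail"] not in seen:
            seen.add(r["detail"])
            out.append(r["detail"])
    return out


def looks_like_mp4(header):
    """ISO BMFF (MP4) files begin with a 4-byte box size followed by b'ftyp'.
    A renamed archive or document fails this; a real container with hidden
    payload still passes, so treat a pass as 'worth a deeper look', not clean."""
    return len(header) >= 8 and header[4:8] == b"ftyp"


def candidates(text, lookback=timedelta(minutes=5)):
    """Map each candidate path to the first upload anchor it precedes."""
    rows = parse_timeline(text)
    result = {}
    for anchor in upload_anchors(rows):
        for path in files_touched_before(rows, anchor, lookback):
            result.setdefault(path, anchor["timestamp"].isoformat())
    return result


if __name__ == "__main__":
    for path, when in candidates(SAMPLE_TIMELINE).items():
        print(f"{when}  {path}")
```

On a real host the same walk-back should also take in prefetch, shellbags and the browser's own download/upload history, since an access timestamp alone is easy to lose to last-access update being disabled; the window is a starting point, widen it until the set of candidates stops changing.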


