±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 34963
New Yesterday: 4 Visitors: 133

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Determine the way that a file transferred to the PC

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 
  

Re: Determine the way that a file transferred to the PC

Post Posted: Thu Jan 10, 2019 12:24 am

Thank you guys for your explanation  

khalloud
Newbie
 
 
  

Re: Determine the way that a file transferred to the PC

Post Posted: Thu Jan 10, 2019 9:48 am

Look at email attachment interactions during the same time period.  

UnallocatedClusters
Senior Member
 
 
  

Re: Determine the way that a file transferred to the PC

Post Posted: Tue Jan 15, 2019 5:27 am

- khalloud
I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??

in my case I found the file in c:\user\public\download

may be it download from internet ?? but there's no internet artifact !!!

so how can I determine the way that this file come to PC ??


Create a timeline of system activity. Given the number of possible ways a file could get on the system, it might be a good idea to create a mini-timeline or overlay of just user activity. I did this very recently...created a timeline just from the user's shellbags, RecentDocs, UserAssist and web browser history, and it was very revealing. Showed one user accessing another user's Desktop folder.

Be sure to include Windows Event Log metadata, particularly from the Windows PowerShell Event Log.

As you haven't shared the version of Windows, it's possible that there may be something available in the PowerShell Console History file, so check those for the users on the system. You can narrow this down by determining which user was logged into the system at the time that the file was created.

I'm not sure what you're considering an "internet artifact". For example, you may not have found a WebCacheV01.dat, but did the user access Chrome instead? If so, get a copy of hindsight.

Once you start investigating this, the context will begin to fill in.  

keydet89
Senior Member
 
 
  

Re: Determine the way that a file transferred to the PC

Post Posted: Tue Jan 15, 2019 7:36 am

- khalloud
I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??


Check the NTFS file permissions. Are they inherited or not? One way to find out if the file was copied, moved from another NTFS device or not.
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 

Bunnysniper
Senior Member
 
 
  

Re: Determine the way that a file transferred to the PC

Post Posted: Wed Jan 16, 2019 9:59 pm

Look to see if the end user opened up that file!

Link files and Jump List have all kinds of information on the file that it references such as a MachineID. Check out Harlan Carvey's post:
windowsir.blogspot.com...lysis.html  

jahearne
Member
 
 

Page 2 of 2
Go to page Previous  1, 2