±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35244
New Yesterday: 3 Visitors: 172

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Determine the way that a file transferred to the PC

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 
  

khalloud
Newbie
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 10, 19 00:24

Thank you guys for your explanation  
 
  

UnallocatedClusters
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 10, 19 09:48

Look at email attachment interactions during the same time period.  
 
  

keydet89
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 15, 19 05:27

- khalloud
I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??

in my case I found the file in c:\user\public\download

may be it download from internet ?? but there's no internet artifact !!!

so how can I determine the way that this file come to PC ??


Create a timeline of system activity. Given the number of possible ways a file could get on the system, it might be a good idea to create a mini-timeline or overlay of just user activity. I did this very recently...created a timeline just from the user's shellbags, RecentDocs, UserAssist and web browser history, and it was very revealing. Showed one user accessing another user's Desktop folder.

Be sure to include Windows Event Log metadata, particularly from the Windows PowerShell Event Log.

As you haven't shared the version of Windows, it's possible that there may be something available in the PowerShell Console History file, so check those for the users on the system. You can narrow this down by determining which user was logged into the system at the time that the file was created.

I'm not sure what you're considering an "internet artifact". For example, you may not have found a WebCacheV01.dat, but did the user access Chrome instead? If so, get a copy of hindsight.

Once you start investigating this, the context will begin to fill in.  
 
  

Bunnysniper
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 15, 19 07:36

- khalloud
I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??


Check the NTFS file permissions. Are they inherited or not? One way to find out if the file was copied, moved from another NTFS device or not.
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

jahearne
Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 16, 19 21:59

Look to see if the end user opened up that file!

Link files and Jump List have all kinds of information on the file that it references such as a MachineID. Check out Harlan Carvey's post:
windowsir.blogspot.com...lysis.html  
 

Page 2 of 2
Page Previous  1, 2