±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35628
New Yesterday: 3 Visitors: 124

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Determine the way that a file transferred to the PC

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

khalloud
Newbie
 

Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 08:30

I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??

in my case I found the file in c:\user\public\download

may be it download from internet ?? but there's no internet artifact !!!

so how can I determine the way that this file come to PC ??  
 
  

jaclaz
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 11:14

- khalloud
I wonder how to know how the file transferred to the PC ??

IS it from external storage ?? or via network ??

in my case I found the file in c:\user\public\download

may be it download from internet ?? but there's no internet artifact !!!

so how can I determine the way that this file come to PC ??


Which kind of "internet artifact" would you have expected, looked for and failed to find?

I mean, let's say that you run (say) curl:
curl.haxx.se/
to get a file from the internet.

What artifacts would you expect?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

khalloud
Newbie
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 12:45

I mean that I searched in this PC to check if the user use internet
I suppose that file in C:\user\public\download come from internet but there's no sign to can say that

so that's my question how can I determine the way that file come to this PC ??

is it from external storage or by internal network ??  
 
  

athulin
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 13:13

- khalloud
in my case I found the file in c:\user\public\download


Is that directory configured as used for downloads in any software on the examined computer?

Some software add an ADS to show that a file has been downloaded: Zone.Identifier. While its presence is not a definite proof of
download, nor its absence proof that it wasn't downloaded, its presence is is still a fairly strong suggestion.  
 
  

kastajamah
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 16:25

Have you looked at a timeline view and see what else was being accessed around the time the file was created in the download folder?  
 
  

jaclaz
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 18:02

- khalloud
I mean that I searched in this PC to check if the user use internet
I suppose that file in C:\user\public\download come from internet but there's no sign to can say that

so that's my question how can I determine the way that file come to this PC ??

is it from external storage or by internal network ??


The whole point is that you cannot.

You may find artifacts from a specific "internet related tool", such - as an example - the browser cache, but if the file was downloaded through another tool (such as the given example curl or from "direct access" from within another program you would find nothing.

As Athulin stated, some software may add an ADS (Alternate Data Stream) related to the "zone identifier" to the file (provided that the target filesystem is NTFS, which is not necessarily the case), some reference:
hshrzd.wordpress.com/2...a-streams/

But - besides programs that don't add it - nothing prevents from adding one to an existing file or to strip one from a file that has it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

kastajamah
Senior Member
 

Re: Determine the way that a file transferred to the PC

Post Posted: Jan 09, 19 22:41

Is it possible the subject put the file in the Download folder to store it there and did not download it from anywhere? Just another thought.  
 

Page 1 of 2
Page 1, 2  Next