Hey all,
What is the best way to find uploaded files? Downloads are fairly obvious since they'll reside on the machine for a period of time. Outside of using dates and timestamps, how else can you confirm files uploaded from a PC?
Browser History
Looked through that, not seeing any uploads
Uploads to where? Web-based cloud storage? App-based cloud storage? FTP? SSH? HTTP? Mail? P2P? Lots of different methods, and you'll probably want to narrow your scope of what you're looking for.
Uploads from what source? OS? You said PC but Win/Mac/Linux all have different ways to natively track network activity. Apps also have different details you could utilize.
Igor mentioned the most obvious one, browser activity is useful and most common but not very helpful if they had Dropbox app or something similar installed or used a different method mentioned above.
You need to first understand the system and methods to get data off a system and then once that's narrowed, you should be able to target some specific artifacts and logs that can help identify data transferred. Ultimately even then it's still not a guarantee and network source information may be helpful or necessary.
Jamie
Windows in this case. I was speaking in general terms of uploading to anywhere, could be Dropbox, could be any cloud-based service. However, here is a specific use case - Someone logs into their Comcast email account via a browser. They send an email via the browser to themselves and attach files from the machine they are on. History will show the URL visits but not necessarily a file attachment.
Given it's Windows, check the BITS Client Event Log... you'll find download as well as upload jobs.
A lot of IR firms will say during engagements that "no evidence of data exfiltration was found", without actually checking this Event Log.
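As an added example (not code from this thread), here is one way to pull the BITS Client operational log just mentioned into a compact timeline with PowerShell. It assumes either a live Windows system or an exported .evtx passed via -EvtxPath, and relies on the documented BITS-Client event IDs 3 (job created), 4 (job completed), 59 (transfer started, carries the URL), 60 (transfer stopped, carries the URL and status code) and 61 (transfer error); the URL is pulled out of the rendered message text so the script does not depend on the exact EventData field names.

```powershell
# Added example: build a timeline of BITS jobs from the BITS-Client operational log.
# Assumption: the Microsoft-Windows-Bits-Client/Operational log is enabled (default),
# or you have exported it to an .evtx file and pass that path in -EvtxPath.
param(
    [string]$EvtxPath   # optional: path to an exported BITS-Client .evtx file
)

# Event IDs of interest: 3 job created, 4 job completed, 59 transfer started (URL),
# 60 transfer stopped (URL + status code), 61 transfer error.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 4, 59, 60, 61 }
if ($EvtxPath) {
    # Querying an exported file instead of the live log.
    $filter.Remove('LogName')
    $filter['Path'] = $EvtxPath
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Extract any URL(s) from the rendered message; 59/60 name the remote endpoint.
    $urls = [regex]::Matches($e.Message, 'https?://[^\s"]+') |
            ForEach-Object { $_.Value.TrimEnd('.', ',') }

    # Resolve the job owner SID to an account name when possible.
    $user = ''
    if ($e.UserId) {
        try   { $user = $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $e.UserId.Value }   # unresolvable SID (e.g. offline analysis)
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = $user
        Url     = ($urls -join ' ')
        Message = ($e.Message -split "`r?`n")[0]   # first line keeps the table compact
    }
}

# Chronological view; job names in the Message column let you tie 3/59/60/4 together.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Correlate on job name and timestamp with other artifacts (browser history, network logs) to confirm what a given job actually moved.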
Check for FTP script files that use the 'put' command.
What could be found in the BITS logs? I'm looking there for file names transferred but not finding any.
What is this "BITS log" you're looking at? What is the file name and path?
It's an event log.