Uploads

10 Posts
4 Users
0 Likes
664 Views
(@wyche)
Posts: 5
Active Member
Topic starter
 

Hey all,

What is the best way to find uploaded files? Downloads are fairly obvious since they'll reside on the machine for a period of time. Outside of using dates and timestamps, how else can you confirm files uploaded from a PC?

 
Posted : 26/09/2019 7:17 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Browser History

 
Posted : 26/09/2019 9:55 pm
(@wyche)
Posts: 5
Active Member
Topic starter
 

Looked through that, not seeing any uploads

 
Posted : 26/09/2019 10:08 pm
(@mcman)
Posts: 189
Estimable Member
 

Uploads to where? Web-based cloud storage? App-based cloud storage? FTP? SSH? HTTP? Mail? P2P? Lots of different methods and you'll probably want to narrow your scope of what you're looking for.

Uploads from what source? OS? You said PC but Win/Mac/Linux all have different ways to natively track network activity. Apps also have different details you could utilize.

Igor mentioned the most obvious one; browser activity is useful and most common, but not very helpful if they had the Dropbox app or something similar installed or used a different method mentioned above.

You need to first understand the system and methods to get data off a system and then once that's narrowed, you should be able to target some specific artifacts and logs that can help identify data transferred. Ultimately even then it's still not a guarantee and network source information may be helpful or necessary.

Jamie

 
Posted : 26/09/2019 10:52 pm
(@wyche)
Posts: 5
Active Member
Topic starter
 

Windows in this case. I was speaking in general terms of uploading to anywhere, could be Dropbox, could be any cloud base. However, here is a specific use case: someone logs into their Comcast email account via a browser. They send an email via the browser to themselves and attach files from the machine they are on. History will show the URL visits but not necessarily a file attachment.

 
Posted : 27/09/2019 12:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Given it's Windows, check the BITS Client Event Log… you'll find download as well as upload jobs.

A lot of IR firms will say during engagements that "no evidence of data exfiltration was found", without actually checking this Event Log.

 
Posted : 27/09/2019 7:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Check for FTP script files that use the 'put' command.

 
Posted : 27/09/2019 7:14 pm
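
Added example, not part of the original thread: a Python parser for the FTP-script check suggested in the post above. It takes the text of a suspected script (the kind run with `ftp -s:`) and lists every upload command with the local path it resolves to; the sample script, host, credentials and file names are constructed placeholders.

```python
import ntpath
import shlex

# Upload verbs of the Windows ftp.exe client ('send' is a synonym of 'put').
UPLOAD_VERBS = {"put", "send", "append", "mput"}

# Constructed sample of a script as it would be passed to `ftp -s:<file>`;
# host, credentials and file names are placeholders, not case data.
SAMPLE_SCRIPT = r"""open ftp.example.test
user exampleuser examplepass
binary
lcd C:\Users\Public\Documents
cd incoming
put "Q3 figures.xlsx" q3.xlsx
mput *.pdf
get readme.txt
bye
"""

def parse_ftp_script(text):
    """Extract the server and every upload command from FTP script text."""
    host, local_dir, remote_dir, uploads = None, "", "", []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parts = shlex.split(raw, posix=False)  # keeps backslashes literal
        except ValueError:          # unbalanced quote: fall back to whitespace
            parts = raw.split()
        if len(parts) < 2:          # blank line or a verb without arguments
            continue
        verb, args = parts[0].lower(), [p.strip("\"'") for p in parts[1:]]
        if verb == "open":
            host = args[0]
        elif verb == "lcd":         # local working directory for later uploads
            local_dir = ntpath.join(local_dir, args[0])
        elif verb == "cd":          # only the last 'cd' argument is recorded
            remote_dir = args[0]
        elif verb in UPLOAD_VERBS:
            # mput takes several local names; put/send/append take local [remote]
            sources = args if verb == "mput" else args[:1]
            remote = args[1] if verb != "mput" and len(args) > 1 else None
            for src in sources:
                uploads.append({"line": lineno, "verb": verb,
                                "local": ntpath.join(local_dir, src),
                                "remote": remote, "remote_dir": remote_dir})
    return {"host": host, "uploads": uploads}

if __name__ == "__main__":
    for upload in parse_ftp_script(SAMPLE_SCRIPT)["uploads"]:
        print(upload)
```

The resolved local paths can then be compared against file system and MFT timestamps for the same files.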
(@wyche)
Posts: 5
Active Member
Topic starter
 

What could be found in the BITS logs? I'm looking there for file names transferred but not finding any.

 
Posted : 30/09/2019 12:25 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> What could be found in the BITS logs? I'm looking there for file names transferred but not finding any.

What is this "BITS log" you're looking at? What is the file name and path?

 
Posted : 30/09/2019 12:32 pm
(@wyche)
Posts: 5
Active Member
Topic starter
 

It's an events log

 
Posted : 30/09/2019 2:40 pm