When tasked with investigating potential data exfiltration by a former employee, I knew the process would involve meticulously examining digital artifacts to uncover the truth. The employee had access to sensitive data, and the company feared that files had been accessed, transferred, or removed. My primary goal was to track file access, identify possible exfiltration paths, and build a clear case. Here’s how I conducted the investigation in depth.
1. Forensic Imaging and Environment Setup
The investigation began with creating a forensic image of the suspect’s laptop to capture the system in its entirety. This disk image, created using FTK Imager, was securely preserved as both a working copy and an untouched original to ensure evidence integrity. Using Autopsy and EnCase, I explored both the disk image and RAM image to identify data that might not have been stored directly on disk, like credentials or cached sessions, that could indicate past remote connections.
2. SRUM Database – Monitoring Network Activity by Process
The System Resource Usage Monitor (SRUM) database, stored in C:\Windows\System32\sru\SRUDB.dat, became one of my primary sources of network activity. SRUM records network usage metrics on a per-application basis, so by querying it I could track how much data each process used over time. Using SRUM-DUMP, I found that OneDrive.exe and explorer.exe showed unusually high network activity at suspicious times. Comparing these timestamps with known business hours raised red flags, as the data transfers occurred late at night, a classic indicator of covert activity.
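The off-hours comparison above, as an added example (not code from the original post or from SRUM-DUMP): it rolls up per-application bytes sent from constructed rows in the shape SRUM-DUMP exports and flags applications whose sending happened mostly outside an assumed 08:00-18:00 window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows in the shape SRUM-DUMP exports from the network-usage table:
# (application, timestamp already converted to local time, bytes sent). Not case data.
SRUM_ROWS = [
    ("OneDrive.exe", "2024-03-11 10:05:00",   1_200_000),
    ("OneDrive.exe", "2024-03-11 23:40:00", 850_000_000),
    ("OneDrive.exe", "2024-03-12 01:10:00", 610_000_000),
    ("explorer.exe", "2024-03-11 22:55:00", 120_000_000),
    ("chrome.exe",   "2024-03-11 14:20:00",  30_000_000),
    ("svchost.exe",  "2024-03-12 02:00:00",   4_000_000),
]

BUSINESS_HOURS = (8, 18)  # assumption: 08:00-18:00 local time counts as in-hours


def is_off_hours(ts):
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def summarize(rows):
    """Per-application bytes sent in hours vs. off hours, plus the off-hours share."""
    totals = defaultdict(lambda: {"in": 0, "off": 0})
    for app, ts, sent in rows:
        totals[app]["off" if is_off_hours(ts) else "in"] += sent
    for t in totals.values():
        t["off_share"] = t["off"] / (t["in"] + t["off"])
    return dict(totals)


def flag_off_hours_senders(rows, min_off_bytes=100_000_000, min_share=0.5):
    """Applications that sent at least min_off_bytes outside business hours
    and did most (min_share) of their sending off hours."""
    return sorted(app for app, t in summarize(rows).items()
                  if t["off"] >= min_off_bytes and t["off_share"] >= min_share)


if __name__ == "__main__":
    for app, t in summarize(SRUM_ROWS).items():
        print(f"{app:13} in={t['in']:>13,} off={t['off']:>13,} share={t['off_share']:.2f}")
    print("flagged:", flag_off_hours_senders(SRUM_ROWS))
```

SRUM stores its timestamps in UTC, so convert them to the host's local zone before applying the business-hours window.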
3. Shellbags – Tracing Folder Access
To understand which directories were accessed, I analyzed Shellbags stored in the USRCLASS.DAT file. Shellbags provide records of folders opened by the user in Windows Explorer, offering clues to which directories might have contained sensitive data. By examining Shellbags, I confirmed that the user accessed folders associated with company financials and R&D documents just before leaving the company. Combined with timestamps, this artifact showed a deliberate navigation pattern, strengthening the case for intentional access to confidential information.
4. Thumbnail Cache – Visual Confirmation of Sensitive Files
The thumbnail cache files located in C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer offered visual evidence. Thumbnails can show previews of files that were opened even if the original files were deleted, as the cached images remain. Using ThumbCacheViewer, I found previews of documents with names indicative of sensitive content. One image was a screenshot of a document labeled “Q4_Financials,” which the organization confirmed was a highly restricted document. This provided a compelling, visual clue that sensitive files had indeed been accessed.
5. Registry Artifacts – Revealing Recent File and Command History
The registry provides valuable insights into a user’s activity, especially in NTUSER.DAT and USRCLASS.DAT. Here are some of the keys that played a significant role in the investigation:
- RecentDocs (\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs): This key listed files recently accessed through Windows Explorer. Several documents related to project reports and financial spreadsheets matched the thumbnail cache findings.
- TypedPaths (\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths): This key showed network locations recently accessed, revealing multiple UNC paths (e.g., \\CorpServer\Finance) that aligned with restricted financial data shares.
- RunMRU (\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU): This key stored recent commands entered in the Run dialog. Commands referencing PowerShell with parameters for compression and archiving stood out, suggesting the user might have tried to zip files for easier transport.
6. USB Artifacts – Identifying Connected Devices and Usage Patterns
To check for removable media usage, I analyzed the USBSTOR key located in SYSTEM\CurrentControlSet\Enum\USBSTOR. Here, I found entries for a USB drive that had been connected multiple times during the period of interest. I matched this with Windows Event Logs (specifically Event IDs 2003 and 2100) that recorded precise timestamps for USB connections and disconnections, indicating possible data transfers during these sessions. This was highly suspicious, as external media is a known method of data exfiltration.
7. Windows Prefetch Files – Application Usage Analysis
Windows Prefetch files in C:\Windows\Prefetch track executable files run on the system and helped me determine application usage patterns. I found prefetch files for 7z.exe and WinRAR.exe, indicating that these applications had been recently used. This matched the registry evidence that suggested the use of archiving tools. Further examination of Prefetch metadata showed that these executables were run frequently, especially during non-business hours, hinting at possible data compression activity to reduce file size before transfer.
8. Event Logs – Monitoring File Access and Script Execution
The Windows Event Logs provided direct insight into the user’s actions, particularly in the Security and PowerShell logs.
- Security Event Logs (C:\Windows\System32\winevt\Logs\Security.evtx): Using Event ID 4663, which logs file access, I found that the user had accessed several restricted documents. The timing again aligned with other evidence, strengthening the case for unauthorized file access.
- PowerShell Event Logs (Microsoft-Windows-PowerShell%4Operational.evtx): Here, I found logs of PowerShell commands that included file compression and the use of Invoke-WebRequest, suggesting that data might have been exfiltrated via HTTP requests. Combined with the network activity in SRUM, this pointed to a potential method of covert data transfer.
9. Sysmon Logs – Tracking Outbound Network Connections
Using Sysmon logs, especially Event ID 3 (network connection), I examined outbound connections and found several attempts to communicate with unknown IP addresses outside the company’s normal range. Cross-referencing these with known corporate IPs revealed that the addresses were not on any approved list. Additionally, the high network usage by OneDrive.exe around the same time raised suspicions about file synchronization to personal cloud storage.
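The approved-list check described above, as an added example (not code from the original post or from Sysmon): it parses constructed Sysmon Event ID 3 records in the XML shape an evtx export produces and reports connections whose destination lies outside an assumed set of approved ranges. The public addresses are RFC 5737 documentation ranges, not indicators from the case.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed Sysmon records in the XML shape an evtx export produces; the public
# addresses are RFC 5737 documentation ranges, not indicators from the case.
SYSMON_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-03-11 23:41:07.120</Data>
  <Data Name="Image">C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe</Data>
  <Data Name="DestinationIp">203.0.113.45</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="UtcTime">2024-03-11 10:02:33.001</Data>
  <Data Name="Image">C:\\Windows\\explorer.exe</Data>
  <Data Name="DestinationIp">10.20.5.12</Data>
  <Data Name="DestinationPort">445</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID></System><EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData>
</Event>
</Events>"""

# Assumption: the organisation's approved destination ranges (internal nets plus one sanctioned block).
APPROVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

def parse_network_events(xml_text):
    """Yield (utc_time, image, dest_ip, dest_port) for each Sysmon Event ID 3 record."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue  # skip process-creation and other event types
        d = {x.get("Name"): x.text for x in ev.findall("e:EventData/e:Data", NS)}
        yield d["UtcTime"], d["Image"], d["DestinationIp"], int(d["DestinationPort"])

def unapproved_connections(xml_text, approved=APPROVED):
    """Connections whose destination is outside every approved range, as (time, exe, ip, port)."""
    hits = []
    for t, image, ip, port in parse_network_events(xml_text):
        if not any(ipaddress.ip_address(ip) in net for net in approved):
            hits.append((t, image.rsplit("\\", 1)[-1], ip, port))
    return hits
```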
10. Browser Artifacts – Evidence of Web-Based Data Transfer
Checking the browser cache, history, and cookies stored in C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default, I discovered multiple visits to third-party file-sharing sites, including Google Drive and Dropbox. Browser artifacts confirmed that the user had not only accessed these sites but also actively uploaded files, as shown by session cookies with “upload” in the request paths.
11. LNK Files – Tracking Document Access with Shortcuts
LNK files in C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Recent revealed specific document accesses. These shortcuts showed precise timestamps for when files were last opened, such as key project documents and finance spreadsheets. This evidence supported the notion that these files were intentionally accessed and potentially transferred, adding yet another layer of evidence to the overall case.
Conclusion and Final Report
The investigation uncovered a wealth of evidence indicating deliberate data exfiltration activities. Artifacts from SRUM, Shellbags, registry keys, event logs, Sysmon, and browser data all pointed to a pattern of unauthorized access, compression, and transfer of files.
In summary, the artifacts collected provided the following insights:
- Accessed Documents: Registry keys, thumbnail cache, and LNK files identified sensitive documents accessed and previewed.
- File Transfer Methods: Evidence from USB logs, network connections, and browser artifacts showed that files were likely copied to external drives and uploaded to cloud storage.
- Obfuscation Tactics: Usage of PowerShell commands for file compression and archiving demonstrated possible intent to conceal the activity.
This case illustrates the power of forensic investigation, showing how a combination of artifacts can provide a cohesive story. By preserving, analyzing, and cross-referencing these data sources, I could confirm unauthorized data access and potential exfiltration. In my final report to the organization, I recommended stronger controls on USB access, better logging for cloud storage usage, and strict monitoring of PowerShell activities to mitigate future risks.
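The cross-referencing that ties the sections above together, as an added example (not code from the original post): it takes a constructed, already-normalised timeline with one row per artifact and, for every access to an assumed sensitive location, collects the staging and egress artifacts that follow within a time window. Artifact labels and the 45-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalised timeline rows (UTC timestamp, artifact, detail) of the kind an
# analyst builds from the sources above. Not case data; Sysmon-3 rows are assumed to be
# pre-filtered to destinations outside the approved ranges.
TIMELINE = [
    ("2024-03-11 23:02:10", "Shellbags", r"\\CorpServer\Finance\FY24"),
    ("2024-03-11 23:05:41", "Sec-4663",  r"\\CorpServer\Finance\FY24\Q4_Financials.xlsx"),
    ("2024-03-11 23:09:15", "RunMRU",    "powershell Compress-Archive ..."),
    ("2024-03-11 23:12:00", "Prefetch",  "7Z.EXE"),
    ("2024-03-11 23:20:30", "USB-2003",  "removable disk connected"),
    ("2024-03-11 23:41:07", "Sysmon-3",  "OneDrive.exe -> 203.0.113.45:443"),
    ("2024-03-12 09:15:00", "Sec-4663",  r"\\CorpServer\HR\Handbook.docx"),
    ("2024-03-12 09:20:00", "USB-2003",  "removable disk connected"),
]

ACCESS  = {"Sec-4663", "Shellbags", "LNK"}      # evidence a file or folder was touched
STAGING = {"RunMRU", "Prefetch", "PS-4104"}     # archiving / scripting between access and egress
EGRESS  = {"USB-2003", "Sysmon-3", "Browser"}   # a path data could have left on


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(rows, window=timedelta(minutes=45), sensitive=("\\Finance\\", "\\R&D\\")):
    """For every access to a sensitive location, collect staging and egress artifacts
    that follow it within `window`; only accesses with at least one egress form a chain."""
    rows = sorted(rows, key=lambda r: ts(r[0]))
    chains = []
    for i, (t0, art, detail) in enumerate(rows):
        if art not in ACCESS or not any(s in detail for s in sensitive):
            continue
        later = [r for r in rows[i + 1:] if ts(r[0]) - ts(t0) <= window]
        egress = [r for r in later if r[1] in EGRESS]
        if egress:
            chains.append({"access": rows[i],
                           "staging": [r for r in later if r[1] in STAGING],
                           "egress": egress})
    return chains


if __name__ == "__main__":
    for c in correlate(TIMELINE):
        print(c["access"][0], c["access"][2])
        for r in c["staging"] + c["egress"]:
            print("   +", r[0], r[1], r[2])
```

The HR access followed by a USB connection the next morning produces no chain because its path is not in the sensitive list, which is the filter that keeps routine activity out of the report.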
🚀 Ready to elevate your Digital Forensics and Incident Response skills?
Cyber Dojo’s DFIR Bootcamp is here to equip you with the expertise to thrive in the cybersecurity field. The bootcamp combines GCFE Preparation (FOR500) and GCIH Preparation (SEC504); this intensive course pairs in-depth knowledge with hands-on practice, giving you the tools and confidence to tackle real-world DFIR challenges.
Take the next step in your cybersecurity career—join our DFIR Bootcamp and gain the edge you need to succeed! 🔍🛡️
Click on the link to view our DFIR Bootcamp: DFIR Bootcamp – Cyber Dojo