In both incident response and forensic investigations, artifacts related to downloaded files can be a valuable source of evidence. In both cases, the key evidence we often find includes:
- The name and size of downloaded files
- The website from which the files were downloaded
- When the downloaded files were email attachments, the tool used to send the message and the addresses of the sender and the recipient
- The tool used to download the files
- The time the files were downloaded
- The user account which downloaded the files
In incident response matters, the copying of hacking tools by cyber attackers into a victim's IT environment is known as the 'delivery' step in the "Cyber Kill Chain". This step often leaves evidential traces which help to identify further attack activity, potential security holes, and the scope of the attack.
Once the suspicious downloads have been identified, we then search for evidence that they were executed as part of an attack. We also conduct further research and examination to determine the extent of the compromise and other parameters which help to establish the potential impact of the incident, so that executive decisions can be made.
In forensic matters, evidence of file downloads can support a legal proceeding concerning unauthorised access to, or copying of, confidential information. Further, we are often instructed to examine datasets to determine whether particular intellectual property has been accessed and copied. As our examination can determine the method of copying (e.g. browser, email, USB device, etc.), this evidence supports an application for either a 'search order' to preserve the copied data or a 'destruction order' to permanently erase it. In worst-case scenarios, we may also locate evidence that the downloaded confidential information was then copied across to a new employer's network and backup systems, which further complicates the recovery process.