General thoughts on data dump that's been encoded to mp4


Post Posted: Thu Dec 07, 2017 6:19 pm

Hi all,

I've been looking at an asset on and off in Mandiant Redline regarding some data that was recently alerted on DLP for exfiltration. It turns out that we noticed some unusual data file names from a recent report audit and found that the user was uploading data to Vimeo via Chrome. However, I narrowed down on the timeline and I'm a little stumped as to how I might be able to better get an idea of how to determine what was really uploaded.

The data was clearly at rest and in use before transit, so it had to get on the asset somehow. If I use the Timeline, I can correlate the Chrome events that correspond to the DNS requests to Vimeo; however (either I am blind here or) I am not seeing where the data was fetched from at rest to become in use with Chrome via upload and in transit to Vimeo. Has anyone had any experience with Redline and may be able to offer some suggestions?

Thank you and happy holidays

BT

tateconcepts
Newbie
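One way to approach the correlation the post is asking about, as an added example rather than anything from the poster or from Redline: pivot on the Vimeo DNS and Chrome events, take every other timeline artifact in a window before them, and then look for files that share a name stem across extensions (the re-encoded-to-mp4 pattern the title describes). The row layout, the timestamps, the paths and the window sizes below are all constructed for illustration; Redline's actual timeline export has a different column set, so the parsing would need adapting to a real export.

```python
"""Correlate browser-upload pivots with preceding host artifacts.

Constructed example: the three-field row format (UTC timestamp, artifact
source, summary text) is an assumption for illustration, not Redline's
export schema.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed timeline rows; none of these are real case data.
TIMELINE = [
    ("2017-12-01T14:02:10", "File", r"C:\Users\bt\Documents\Q4_customer_list.xlsx accessed"),
    ("2017-12-01T14:03:05", "Prefetch", "EXCEL.EXE executed"),
    ("2017-12-01T14:05:40", "File", r"C:\Users\bt\Downloads\handbrake-setup.exe created"),
    ("2017-12-01T14:40:12", "File", r"C:\Users\bt\Videos\Q4_customer_list.mp4 created"),
    ("2017-12-01T14:41:02", "DNS", "vimeo.com resolved"),
    ("2017-12-01T14:41:09", "Chrome", "https://vimeo.com/upload visited"),
    ("2017-12-01T14:41:20", "File", r"C:\Users\bt\Videos\Q4_customer_list.mp4 accessed"),
    ("2017-12-01T16:30:00", "File", r"C:\Users\bt\Documents\unrelated.docx accessed"),
]

# Hosts whose DNS/browser events mark the upload we are pivoting on.
UPLOAD_HOSTS = ("vimeo.com",)


def parse(row):
    """Turn a raw row into (datetime, source, summary)."""
    ts, source, summary = row
    return datetime.fromisoformat(ts), source, summary


def is_upload_event(source, summary, hosts=UPLOAD_HOSTS):
    """A DNS or Chrome row that mentions one of the upload hosts."""
    return source in ("Chrome", "DNS") and any(h in summary for h in hosts)


def candidate_sources(timeline, before=timedelta(minutes=60), after=timedelta(minutes=2)):
    """Return every non-pivot artifact inside a window around the upload pivots.

    The window runs from `before` ahead of the first pivot to `after` past
    the last one, so file activity that fed the upload (and the access that
    the browser itself caused) is retained while unrelated later activity is
    dropped.  Returns (iso_timestamp, source, summary) tuples in time order.
    """
    rows = sorted(parse(r) for r in timeline)
    pivots = [ts for ts, src, summ in rows if is_upload_event(src, summ)]
    if not pivots:
        return []
    lo, hi = min(pivots) - before, max(pivots) + after
    return [
        (ts.isoformat(), src, summ)
        for ts, src, summ in rows
        if lo <= ts <= hi and not is_upload_event(src, summ)
    ]


def shared_stems(events):
    """Group File artifacts by filename stem; keep stems seen with >1 extension.

    A document and a video with the same stem inside the window is the kind
    of lead worth checking by hand (re-encoding or container wrapping).
    """
    seen = {}
    for _ts, src, summ in events:
        if src != "File":
            continue
        path = PureWindowsPath(summ.rsplit(" ", 1)[0])  # strip the trailing verb
        seen.setdefault(path.stem, set()).add(path.suffix.lower())
    return {stem: exts for stem, exts in seen.items() if len(exts) > 1}


if __name__ == "__main__":
    window = candidate_sources(TIMELINE)
    for ts, src, summ in window:
        print(ts, src, summ)
    print("stems with multiple extensions:", shared_stems(window))
```

Run against a real export, the two knobs to tune are the window width (an hour before the first Vimeo event is a guess) and the list of pivot sources; MFT, USN journal and Prefetch rows would all be worth keeping as non-pivot artifacts since each can show the original document being opened before the mp4 appeared.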