Techniques that can be used to discover evidence in support of program or file download by an attacker post-breach or during an attack.
Windows
OpenSaveMRU
Tracks files that have been opened or saved within a Windows shell dialog box. This is a large data set, covering not only web browsers such as Internet Explorer and Firefox but also most commonly used applications.
WIN: XP+
SRV: NULL
Location
# WINDOWS XP
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
# WINDOWS 7+
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Interpretation and Investigative Notes
The * key
Tracks the most recent files of any extension input in an OpenSave dialog
The .%%% key (Three Letter Extension)
Stores the file info from the OpenSave dialog by specific extension
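The * key and the extension keys described above are each ordered by an MRU list value, and that order is what tells an examiner which file the user touched most recently. The following is an added example (not code from the original page): it decodes the two MRU list formats, the Windows XP MRUList letter string and the Windows 7+ MRUListEx DWORD array, against constructed sample key contents. The Windows 7+ slots really hold binary shell item ID lists (PIDLs); the sample substitutes the paths a shell-item parser would recover from them, so the ordering logic can run stand-alone. Hive access (an exported NTUSER.DAT and a registry-parsing library) is assumed and not shown.

```python
import struct

# Constructed sample of a Windows XP OpenSaveMRU\* subkey. MRUList is a REG_SZ whose
# letters name the value slots, most recent first; each lettered slot is a full path.
SAMPLE_XP_STAR_KEY = {
    "MRUList": "cab",
    "a": r"C:\Documents and Settings\alice\Desktop\report.docx",
    "b": r"C:\Documents and Settings\alice\My Documents\invoice.pdf",
    "c": r"C:\Documents and Settings\alice\Desktop\update.exe",
}

# Constructed sample of a Windows 7+ OpenSavePidlMRU\* subkey. MRUListEx is a REG_BINARY
# array of little-endian DWORD slot numbers, most recent first, ended by 0xFFFFFFFF.
# The numbered slots are PIDLs on a real system; decoded paths are substituted here
# (an assumption of this example) so the ordering can be demonstrated offline.
SAMPLE_WIN7_STAR_KEY = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": r"C:\Users\alice\Desktop\report.docx",
    "1": r"C:\Users\alice\Documents\invoice.pdf",
    "2": r"C:\Users\alice\Downloads\update.exe",
}


def order_by_mrulist(key_values):
    """Slot contents most recent first, following the XP MRUList letter string.
    Letters with no matching slot (a deleted value) are skipped rather than failing."""
    letters = key_values.get("MRUList", "")
    return [key_values[c] for c in letters if c in key_values]


def parse_mrulistex(blob):
    """Decode MRUListEx into slot numbers, most recent first.

    Only whole DWORDs are read, so a truncated trailing byte run is ignored, and the
    0xFFFFFFFF terminator ends the list even if stale bytes follow it."""
    slots = []
    usable = len(blob) - (len(blob) % 4)
    for (n,) in struct.iter_unpack("<I", blob[:usable]):
        if n == 0xFFFFFFFF:
            break
        slots.append(n)
    return slots


def order_by_mrulistex(key_values):
    """Slot contents most recent first, following the Win7+ MRUListEx order."""
    order = parse_mrulistex(key_values["MRUListEx"])
    return [key_values[str(n)] for n in order if str(n) in key_values]


if __name__ == "__main__":
    for path in order_by_mrulist(SAMPLE_XP_STAR_KEY):
        print("XP   :", path)
    for path in order_by_mrulistex(SAMPLE_WIN7_STAR_KEY):
        print("Win7+:", path)
```

The same ordering rule applies to each extension-named subkey, so running it over every subkey gives a per-file-type recency list; the hive's last-write time on the subkey is the only timestamp available, and it dates the most recent entry only.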
Email Attachments
Around 80% of email is stored via attachments, which are encoded with the MIME/Base64 standard.
WIN: XP+
SRV: NULL
Location
# WINDOWS XP
%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook
# WINDOWS 7+
%USERPROFILE%\AppData\Local\Microsoft\Outlook
Interpretation and Investigative Notes
MS Outlook data files found in these locations include OST and PST files. One should also check the OLK and Content.Outlook folders, which might roam depending on the specific version of Outlook used.
Skype
Location
# WINDOWS XP
C:\Documents and Settings\<USERNAME>\Application Data\Skype\<SKYPE-NAME>
# WINDOWS 7+
%USERPROFILE%\AppData\Roaming\Skype\<SKYPE-NAME>
Browser Artifacts
Not directly related to 'file download'; however, it can give insight into pages visited, which may link to other forensic artifacts such as prefetch. More verbose download details can be found in the Browser Download Manager artifact.
WIN: XP+
SRV: NULL
Location
# INTERNET EXPLORER
# Version 8/9
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\Index.dat
# Version 10/11
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
# MOZILLA FIREFOX
# Versions 3-25
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\downloads.sqlite
# Versions 26+
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\places.sqlite
-- Table: moz_annos
# GOOGLE CHROME
%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History
# INTERNET EXPLORER
# Versions 8-9
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\
# Versions 10-11
%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat
# MOZILLA FIREFOX
# WINDOWS XP
%USERPROFILE%\Application Data\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\downloads.sqlite
# WINDOWS 7+
%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<RANDOM-TEXT>.default\downloads.sqlite
Interpretation and Investigative Notes
Many sites in history will list the files that were opened from remote sites and downloaded to the local system. History will record the access to the file on the website that was accessed via a link.
Firefox and Internet Explorer have built-in download manager applications which keep a history of every file downloaded by the user. This browser artifact can provide excellent information about what sites a user has been visiting and what kinds of files they have been downloading.
ADS Zone.Identifier
Starting with XP SP2, when files are downloaded from the "Internet Zone" via a browser to an NTFS volume, an alternate data stream named Zone.Identifier is added to the file.
WIN: XP SP2+
SRV: 2003+
Location
Interpretation and Investigative Notes
Files with an ADS Zone.Identifier containing ZoneID=3 were downloaded from the Internet
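For the browser download manager artifact listed above (Firefox 26+ places.sqlite, table moz_annos, and the Chrome History database), the following added example (not code from the original page) shows how the download records are actually recovered: in Firefox each download is a pair of annotations on a moz_places row, downloads/destinationFileURI and a downloads/metaData JSON blob, while Chrome keeps a downloads table whose start_time is microseconds since 1601-01-01 rather than a Unix time. The two in-memory databases are constructed stand-ins reduced to the columns the queries use; the table and column names are the ones the real files carry, and the state value 1 meaning "finished" in both browsers is this example's reading of the download manager numbering.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome times: microseconds since 1601-01-01 UTC (the WebKit / Windows FILETIME epoch).
# Firefox times: PRTime microseconds since 1970 in moz_annos.dateAdded, and
# milliseconds since 1970 in the metaData JSON's endTime field.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def firefox_downloads(conn):
    """Pair each download's destination annotation with its metaData annotation.

    Returns one dict per downloaded item: source URL, destination file URI, the
    download manager state from the JSON metadata, and the recorded end time."""
    sql = """
        SELECT a.place_id, p.url, t.name, a.content, a.dateAdded
          FROM moz_annos a
          JOIN moz_anno_attributes t ON t.id = a.anno_attribute_id
          JOIN moz_places p        ON p.id = a.place_id
         WHERE t.name IN ('downloads/destinationFileURI', 'downloads/metaData')
         ORDER BY a.place_id
    """
    items = {}
    for place_id, url, name, content, date_added in conn.execute(sql):
        rec = items.setdefault(place_id, {"source_url": url, "destination": None,
                                          "state": None, "end_time": None, "recorded": None})
        if name == "downloads/destinationFileURI":
            rec["destination"] = content
            rec["recorded"] = datetime.fromtimestamp(date_added / 1_000_000, tz=timezone.utc)
        else:
            try:
                meta = json.loads(content)
            except ValueError:
                continue  # malformed metadata: keep the destination row, leave state unset
            rec["state"] = meta.get("state")
            if "endTime" in meta:
                rec["end_time"] = datetime.fromtimestamp(meta["endTime"] / 1000, tz=timezone.utc)
    return list(items.values())


def chrome_downloads(conn):
    """Read Chrome's History 'downloads' table; state 1 with all bytes received is a finished file."""
    sql = "SELECT target_path, tab_url, start_time, received_bytes, total_bytes, state FROM downloads"
    out = []
    for target, tab_url, start, received, total, state in conn.execute(sql):
        out.append({
            "destination": target,
            "source_url": tab_url,
            "start_time": WEBKIT_EPOCH + timedelta(microseconds=start),
            "complete": state == 1 and received == total,
        })
    return out


def build_sample_firefox():
    """Constructed in-memory stand-in for places.sqlite, reduced to the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
                                anno_attribute_id INTEGER, content TEXT, dateAdded INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://files.example.test/setup.exe');
        INSERT INTO moz_anno_attributes VALUES (1, 'downloads/destinationFileURI');
        INSERT INTO moz_anno_attributes VALUES (2, 'downloads/metaData');
        INSERT INTO moz_annos VALUES (1, 1, 1, 'file:///C:/Users/alice/Downloads/setup.exe', 1385578700000000);
        INSERT INTO moz_annos VALUES (2, 1, 2, '{"state":1,"endTime":1385578760000,"fileSize":204800}', 1385578760000000);
    """)
    return conn


def build_sample_chrome():
    """Constructed in-memory stand-in for Chrome's History file, reduced to the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
                                start_time INTEGER, received_bytes INTEGER,
                                total_bytes INTEGER, state INTEGER);
        INSERT INTO downloads VALUES (1, 'C:\\Users\\alice\\Downloads\\tool.zip',
                                      'http://files.example.test/tool.zip',
                                      13030052300000000, 51200, 51200, 1);
    """)
    return conn


if __name__ == "__main__":
    for rec in firefox_downloads(build_sample_firefox()) + chrome_downloads(build_sample_chrome()):
        print(rec)
```

Run the two query functions against a copy of the profile database rather than the live file: the browser holds a lock and writes a WAL/journal, and copying the sidecar files along with the main database keeps the most recent rows from being missed.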
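For the ADS Zone.Identifier artifact, the following added example (not code from the original page) parses the stream's contents and triages a directory for files marked as coming from the Internet zone. The stream is a small INI-style text block with a [ZoneTransfer] section and a ZoneId value; newer Windows versions also record ReferrerUrl and HostUrl there, which point back to the page and server the file came from. The sample stream text is constructed; reading a file's stream through the `path:Zone.Identifier` syntax only works on NTFS under Windows, so the parser is kept separate from the file access.

```python
import configparser
import os

# URL security zone numbering used in ZoneId (0-4).
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(text):
    """Parse the text of a Zone.Identifier stream.

    Returns a dict with the numeric zone, its name, and the referrer/host URLs
    when present, or None when the text is not a usable [ZoneTransfer] block
    (wrong section, missing or non-numeric ZoneId)."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in URLs must not be expanded
    try:
        cp.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sect = cp["ZoneTransfer"]  # option names are lower-cased by the parser
    try:
        zone_id = int(sect.get("zoneid", "").strip())
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": sect.get("referrerurl"),
        "host_url": sect.get("hosturl"),
    }


def read_zone_identifier(path):
    """Read and parse a file's Zone.Identifier stream; None if the file carries none."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such stream, or a filesystem that has no streams at all
        return None


def triage_directory(root):
    """List (path, info) for files whose stream says Internet or Restricted zone."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            info = read_zone_identifier(full)
            if info is not None and info["zone_id"] >= 3:
                hits.append((full, info))
    return hits


# Constructed sample of what the stream of a browser-downloaded file looks like.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://www.example.test/downloads/\r\n"
    "HostUrl=https://cdn.example.test/setup.exe\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for path, info in triage_directory(os.path.expanduser("~/Downloads")):
        print(info["zone"], path, info["host_url"] or "")
```

On a live Windows host the same stream can be read interactively with `Get-Content -Stream Zone.Identifier <file>` in PowerShell. Treat the absence of the stream as inconclusive rather than as proof of local origin: the mark is dropped when a file is copied to a non-NTFS volume, is removed by "Unblock", and can be deleted by anyone who can write the file.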