
Introduction

In this article we focus on a detection involving two distinct types of files and devise better investigative approaches for them, which in turn helps us write better tickets and sharpen our skills along the way!

//Unfinished Download Files
\\Device\\HarddiskVolume3\\Users\\349587501\\Documents\\Unconfirmed 636031.crdownload
D:\\My Downloads\\Unconfirmed 636441.crdownload

//Cache Files
\\Device\\HarddiskVolume3\\Users\\349587501\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Cache\\Cache_Data\\f_00054f
C:\\Users\\User\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\Cache_Data\\f_0000de

So, how can we transform these seemingly cryptic paths into valuable information?


Scope

Browser forensics is a beast and deserves a book of its own. We'll be focusing on the History database, which holds information on downloads and website visits:

%userprofile%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\history

To maintain focus and simplicity within the scope of this article, our scenario centers on a straightforward user activity—specifically, the act of manually downloading a file onto the disk. We exclude considerations of the browser caching a file or malicious script, which typically occurs during runtime.

Our browser of choice is a Chromium-based browser: Google Chrome.
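As an added example (not code from the original article) of turning one of those cryptic paths into a ticket-ready record, the helper below resolves a .crdownload path against Chrome's History database. It assumes the downloads and downloads_url_chains column names from Chromium's schema and an assumed state-code mapping, and runs on a constructed in-memory copy rather than a real profile.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Subset of Chrome's History "downloads" and "downloads_url_chains" tables.
# Assumption: column names follow the real schema; only the columns queried below are created.
SCHEMA = """
CREATE TABLE downloads (
    id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
    start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
    state INTEGER, tab_url TEXT, mime_type TEXT);
CREATE TABLE downloads_url_chains (
    id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY (id, chain_index));
"""
# Assumed meaning of the History "state" column; check against the Chromium source for your version.
STATE_NAMES = {0: "in_progress", 1: "complete", 2: "cancelled", 4: "interrupted"}
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_iso(us: int) -> str:
    """Chrome stores times as microseconds since 1601-01-01 UTC (WebKit epoch)."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()

def lookup_download(conn, observed_path):
    """Map an observed on-disk path (e.g. 'Unconfirmed NNNNNN.crdownload' from an alert)
    back to its download record: intended filename, URL chain, timing and state."""
    row = conn.execute(
        "SELECT id, target_path, start_time, received_bytes, total_bytes, state, tab_url, mime_type "
        "FROM downloads WHERE current_path = ? OR target_path = ?",
        (observed_path, observed_path)).fetchone()
    if row is None:
        return None
    chain = [u for (u,) in conn.execute(
        "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (row[0],))]
    return {"target_path": row[1], "started": webkit_to_iso(row[2]),
            "bytes": f"{row[3]}/{row[4]}", "state": STATE_NAMES.get(row[5], f"unknown({row[5]})"),
            "url_chain": chain, "tab_url": row[6], "mime_type": row[7]}

def build_sample_db():
    """Constructed sample: one download still in progress, so current_path is the .crdownload name."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?)", (
        7, r"D:\My Downloads\Unconfirmed 636441.crdownload", r"D:\My Downloads\invoice.exe",
        13350000000000000, 212992, 1048576, 0, "https://example.test/portal", "application/x-msdownload"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (7, 0, "https://example.test/dl?id=42"), (7, 1, "https://cdn.example.test/invoice.exe")])
    return conn

if __name__ == "__main__":
    print(lookup_download(build_sample_db(), r"D:\My Downloads\Unconfirmed 636441.crdownload"))
```

Against a real profile, copy the History file first (Chrome holds a lock on it while running) and open the copy read-only.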

Behind the Scenes

Before investigating an activity, let's take a crash course on what these files are in the grand scheme of web browsing activity.

Disk Cache

The disk cache consists of at least five files: an index file and four data files known as block files. The index file keeps track of the block files by managing the heads of a few linked lists that point to a ranking node, which in turn points to the previous or next ranking node. Block files hold records of fixed-size data: data_0 holds the smallest chunks, and the chunk size increases incrementally up to the largest in data_3. Cache entries larger than four times the largest block size are relegated to their own separate file. These separate files are prefixed with f_ followed by 6 characters that represent 3 hexadecimal bytes (e.g. f_000075); this name is then referenced back from one or more of the block files to maintain the linkage.


%userprofile%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache

Chain of Events

Let's take a look at what happens when a user downloads a file onto the disk without tripping any detection mechanisms. We'll then contrast that with what happens when the chain of events is interrupted if the file turns out to be malicious.