A unique facet of this investigation that I want to focus on is the capabilities of the potential malicious actor. They're certainly more capable than a typical inside user and likely more motivated to cover tracks than an external attacker. With that in mind, you have to consider the potential for deleted files, cleared logs, hidden entities, and more. Since we're concerned about visits to public forums, that might mean the expected browser artifacts aren't available. The good thing is that there are often multiple places to find artifacts of visited URLs, even when you only have the disk to work with; registry keys like TypedPaths, for example, can still hold that information.
Some evidence sources can prove an event occurred, but they can’t prove it did not. That's why we examine multiple sources, particularly in cases such as this one.
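One way to pull such corroborating artifacts from an acquired user hive, as an added PowerShell example that is not from the original post: the hive path and mount name are assumptions, and TypedURLs and RunMRU are two further typed-input keys beyond the one named above.

```powershell
# Added example (not from the original post): enumerate typed-location artifacts
# from an offline NTUSER.DAT hive so URL history can be corroborated even when
# browser history has been cleared. Assumes the hive was copied to the path below
# and that the shell runs elevated (reg.exe load requires it).
$HivePath = 'C:\Evidence\case123\NTUSER.DAT'   # constructed path; replace with yours
$Mount    = 'HKU\IR_NTUSER'                    # temporary mount point, hypothetical name

# Artifact locations relative to the user hive. TypedPaths is the key named in the
# post; TypedURLs and RunMRU are two further well-known typed-input keys.
$Sources = @{
    'Explorer TypedPaths' = 'Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    'IE TypedURLs'        = 'Software\Microsoft\Internet Explorer\TypedURLs'
    'RunMRU'              = 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
}

function Get-TypedArtifacts {
    param([string]$Root, [hashtable]$Sources)
    foreach ($name in $Sources.Keys) {
        $key = "Registry::$Root\$($Sources[$name])"
        if (-not (Test-Path $key)) {
            # Absence proves nothing: the key may never have been populated or may
            # have been deleted, which is itself worth recording in an insider case.
            [pscustomobject]@{ Source = $name; Name = '(key absent)'; Value = '' }
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PowerShell provider metadata
            [pscustomobject]@{ Source = $name; Name = $p.Name; Value = $p.Value }
        }
    }
}

reg.exe load $Mount $HivePath | Out-Null
try {
    Get-TypedArtifacts -Root ('HKEY_USERS\' + $Mount.Split('\')[1]) -Sources $Sources |
        Sort-Object Source, Name | Format-Table -AutoSize
}
finally {
    [gc]::Collect()               # release handles before unloading the hive
    reg.exe unload $Mount | Out-Null
}
```

Compare the output against whatever browser history survives; an entry present here and missing there is the kind of gap a cleared-history timeline should explain.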
Speaking of covering tracks, what do you suppose are the most common techniques insiders might use to cover tracks on systems they're using for malicious activity? Where would you find artifacts of their occurrence?
That’s something to think about… 🚀 #InvPath #DFIR #SOC