System Configuration: File Shares & Offline Caching
- Mar 29, 2024

Most forensic investigations focus on what a user did with files on their own machine. But there's a category of activity that flies under the radar of even experienced analysts: files accessed from — or exfiltrated through — Windows file sharing and offline caching mechanisms.
A shared folder on a workstation. A cached copy of a network file that persists after the user disconnects. These aren't exotic attack techniques. They're built-in Windows features being used in ways their creators probably didn't intend forensic analysts to care about. And yet here we are.
------------------------------------------------------------------------------------------------------------
Why Shares Matter in an Investigation
The most obvious scenario is also the most common: a user — deliberately or accidentally — shares an entire drive or sensitive folder over the network. Anyone on the same network can now access those files remotely, and unless you're specifically looking for active shares, you might never realize the machine was functioning as a de facto file server.
This becomes critical in cases involving planted files or unauthorized access claims. If a machine has an open share pointing to C:\, and the investigation hinges on how a specific file appeared in a specific folder, the existence of that share is a material fact. Files don't have to be physically copied to a machine if they can be written there remotely through an open share.
The registry key that answers this question is:
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
Every persistent share configured on the machine leaves a value here, named after the share and stored as a REG_MULTI_SZ list of Key=Value strings: CSCFlags, MaxUses, Path, Permissions, Remark, ShareName and Type. Path tells you what was exposed, Type=0 means a disk share, MaxUses=4294967295 means unlimited concurrent connections, and CSCFlags records the offline-caching setting discussed below. A Security subkey alongside holds each share's security descriptor, i.e. who was permitted to connect. Two caveats: the default administrative shares (C$, ADMIN$, IPC$) are created by the Server service at start-up rather than stored in this key, so their absence here does not mean they were disabled (check AutoShareWks or AutoShareServer under the neighbouring Parameters key for that); and when you work from an offline SYSTEM hive there is no CurrentControlSet as such, so resolve it to ControlSet00N via the Current value under the hive's Select key.

------------------------------------------------------------------------------------------------------------
Client-Side Caching: The Silent Data Mover
Now for the artifact that catches even experienced analysts off guard: Windows Offline Files and its client-side caching (CSC) mechanism.
Here's the scenario.
An employee wants access to a sensitive network folder even when they're not connected to the company network — say, while working from home or traveling.
Windows has a built-in feature for exactly this: offline files.
When enabled, files from a network share are silently cached on the local machine under C:\Windows\CSC (on current Windows versions beneath C:\Windows\CSC\v2.0.6\namespace\<server>\<share>, mirroring the UNC path they came from). From that point forward they are available offline and remain on the local disk after the network connection drops. The directory is locked down to SYSTEM by default, so on a live machine even an administrator has to take ownership or run as SYSTEM to browse it; on a forensic image it is an ordinary folder.
From a forensics standpoint this is significant for two reasons.
First, it means files that appear to belong on a network server may actually be sitting on a local workstation's hard drive — accessible, recoverable, and completely outside the normal chain of file access evidence.
Second, it means a user could enable offline caching for a sensitive shared folder, wait for the sync, then disconnect and walk away with a local copy of everything — without ever explicitly copying a single file.
The CSCFlags value in each share's registry entry tells you exactly what caching behaviour was offered for that share: 0 is manual caching (the user has to mark files "Always available offline"; this is the default), 16 is automatic caching of documents, 32 is automatic caching of programs and documents, and 48 disables caching. Bear in mind which machine you are looking at: the Shares key describes shares this host serves, while C:\Windows\CSC on a workstation holds files pulled from shares served by other hosts. To explain a populated cache on a workstation you need the share settings from the server side, or the cache contents themselves.
------------------------------------------------------------------------------------------------------------
Putting the Two Pieces Together
Shares and offline caching work as a system — and understanding their interaction reveals the full scope of potential data exposure.
A share with CSCFlags = 16 or CSCFlags = 32 lets every connecting client that has Offline Files enabled quietly write a copy of each accessed file into its own C:\Windows\CSC. A network share that appears to live safely on a server is therefore populating a local cache on whatever workstation touches it. The data has effectively moved from the network to the endpoint without any explicit copy action by the user (and with CSCFlags = 0 the same result needs only a right-click and "Always available offline").
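The following is an added example, not code from the original post. It serves both the description of the Shares key above and the CSCFlags discussion here: it parses each share's REG_MULTI_SZ strings (the same Key=Value strings that `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'` returns on a live box, or that a hive parser gives you from an offline SYSTEM hive), decodes the caching setting, and flags whole-drive shares and shares that permit automatic caching. The share names, paths and flag values in SAMPLE_SHARES are constructed for the example.

```python
"""Decode and triage LanmanServer\\Shares entries (added example).

The sample data below is CONSTRUCTED: it mimics the REG_MULTI_SZ strings
found under HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Shares.
"""
from dataclasses import dataclass
from typing import Dict, List

# Caching bits inside CSCFlags. Other flag bits can share the value, so always
# mask with CSC_MASK before comparing.
CSC_MASK = 0x30
CSC_NAMES = {
    0x00: "manual (user must pin files; default)",
    0x10: "automatic documents",
    0x20: "automatic programs and documents",
    0x30: "caching disabled",
}
AUTO_CACHE = {0x10, 0x20}
SHARE_TYPES = {0: "disk", 1: "printer", 2: "device", 3: "IPC"}

# Constructed sample: one deliberate share, one accidental whole-drive share
# with automatic caching, and one share with caching disabled.
SAMPLE_SHARES: Dict[str, List[str]] = {
    "Projects": ["CSCFlags=0", "MaxUses=4294967295", "Path=C:\\Projects",
                 "Permissions=0", "Remark=", "ShareName=Projects", "Type=0"],
    "C": ["CSCFlags=16", "MaxUses=4294967295", "Path=C:\\",
          "Permissions=0", "Remark=", "ShareName=C", "Type=0"],
    "Finance": ["CSCFlags=48", "MaxUses=10", "Path=D:\\Finance",
                "Permissions=0", "Remark=Quarterly reports",
                "ShareName=Finance", "Type=0"],
}


@dataclass
class Share:
    name: str
    path: str
    csc_flags: int
    max_uses: int
    share_type: int
    remark: str

    @property
    def caching(self) -> str:
        return CSC_NAMES.get(self.csc_flags & CSC_MASK, "unknown")

    @property
    def auto_caches(self) -> bool:
        return (self.csc_flags & CSC_MASK) in AUTO_CACHE

    @property
    def exposes_drive_root(self) -> bool:
        # "C:\" (or "C:") shares the whole volume.
        stripped = self.path.rstrip("\\")
        return len(stripped) == 2 and stripped[1] == ":"


def parse_share(value_name: str, strings: List[str]) -> Share:
    """Turn one share's REG_MULTI_SZ list of Key=Value strings into a Share."""
    kv: Dict[str, str] = {}
    for item in strings:
        key, sep, val = item.partition("=")
        if sep:  # skip anything that is not Key=Value
            kv[key] = val
    return Share(
        name=kv.get("ShareName", value_name),
        path=kv.get("Path", ""),
        csc_flags=int(kv.get("CSCFlags", "0")),
        max_uses=int(kv.get("MaxUses", "0")),
        share_type=int(kv.get("Type", "0")),
        remark=kv.get("Remark", ""),
    )


def triage(shares: Dict[str, List[str]]) -> List[dict]:
    """Parse every share and flag the two things an investigator cares about."""
    findings = []
    for value_name, strings in shares.items():
        share = parse_share(value_name, strings)
        issues = []
        if share.exposes_drive_root:
            issues.append("exposes entire drive")
        if share.auto_caches:
            issues.append("automatic caching enabled")
        findings.append({
            "share": share.name,
            "path": share.path,
            "type": SHARE_TYPES.get(share.share_type, str(share.share_type)),
            "max_uses": "unlimited" if share.max_uses == 0xFFFFFFFF else share.max_uses,
            "caching": share.caching,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SHARES):
        print(f"{f['share']:<10} {f['path']:<14} csc={f['caching']:<40} "
              f"{', '.join(f['issues']) or 'ok'}")
```

Run against real data, replace SAMPLE_SHARES with the dictionary of value names to string lists you pulled from the hive; the masking in `caching` matters because CSCFlags can carry other Server-service flag bits alongside the caching bits, so comparing the raw integer against 16 or 32 will miss shares that do permit automatic caching.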
This has direct implications for several investigative scenarios:
Unauthorized access claims: If someone argues they never had a local copy of a sensitive file, a populated CSC directory on their workstation, fed by a share with automatic caching enabled, can directly contradict that claim. If the share was set to manual caching, the files are there only because the user marked them "Always available offline", which is a more deliberate act still.
Exfiltration without explicit copying: A user who enables offline access to a sensitive share before a planned departure doesn't need to copy anything. The caching mechanism does it for them. And when they disconnect, the files are already local.
Evidence recovery: Files cached in CSC may persist long after the share is removed or the network connection is severed. The cache directory becomes an independent source of evidence.
------------------------------------------------------------------------------------------------------------
The Accidental Share Problem
One scenario worth calling out specifically because it comes up more than you'd expect: users who share their entire drive without realizing the consequences.
Windows makes it surprisingly easy to right-click a folder, choose sharing options, and inadvertently expose far more than intended.
Someone who wanted to share C:\Projects and accidentally configured sharing at C:\ has now granted network-level access to their entire filesystem — including system files, personal documents, cached credentials, and anything else on the drive.
When this happens in an organizational context, and the machine is on a corporate network, the exposure window could be extensive. Any other machine on the network could have connected, browsed, and read any file on that drive. The Security subkey under Shares tells you who was permitted to connect, but not who did; for that you need share-access auditing in the Security event log (event 5140, "A network share object was accessed", plus 5145 for per-object access checks if that level of auditing was turned on), and if it was never enabled, visibility into what was actually read may be limited.
Documenting shares early, before evidence is potentially removed or altered, is a best practice that pays dividends throughout the investigation.
------------------------------------------------------------------------------------------------------------
Dean