Recently, I had the opportunity to create a forensic challenge at work that focused on data loss. The scenario included several instances of data exfiltration, but one specifically seemed more forensically challenging than the rest. A portion of the challenge included a zip file that was uploaded directly from a mapped network drive to Google Docs. The file was never logically written directly to the C: drive.
Participants were given only the memory dump and a dd of the workstation hard drive to work with.
No other information was provided.
I threw together some slides on how I tackled the problem. Working through the process manually taught me WAY more about zip files than I ever wanted to know but I am a better forensicator for it.
Here are the slides: