File servers and collaboration platforms such as SharePoint, Confluence, and OneDrive should have configured permissions to restrict unauthorized access to directories or specific files.

Sections

ID	Name	Description
AF003	Timestomping	A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope. nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value. Linux has the built-in command `touch` that has functionality that allows a user to update the access and modified dates of a file. The command can be run like this: `touch -a -m -d ‘10 February 2001 12:34' <file>` The argument `-a` refers to the access time, `-m` refers to the modify time, and `-d` refers to the date applied to the target file.
PR004.001	Network File Exploration	A subject may search for, or otherwise explore files on a Network Attached Storage (NAS) device to identify sensitive information.
PR004.002	Collaboration Platform Exploration	A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.

References