Assignment Title: Malicious PDF investigation

Introduction

The aim of this assignment is to evaluate your understanding of security threats and of techniques for monitoring and detecting malicious activity; your ability to plan and carry out the analysis of an attack; and your ability to explain the relevance and criticality of your investigation. Your understanding of forensic investigation tools and procedures, and of the associated legal and ethical obligations, will also be evaluated in line with the module's intended learning outcomes. You are required to answer all of the given questions and to provide a detailed discussion and analysis of your answers. Note that the word count for this assignment is 3000 words. You are expected to use the materials provided in the lecture series together with information obtained from external sources in the course of doing this assignment, and to use that information to answer the given questions in a way that reflects your understanding of the concepts in question.

Submission

A report (in MS Word or PDF format only) containing all the elements of your solution and answers to all questions must be submitted on 15.08.2015, 4.00pm.

The Scenario

Ali is a famous banking system security administrator with a long record of successful financial case investigations. Ali has recently been contacted by a financial company called "Best Financers (BF)" to perform forensic work on a recent incident. One of BF's employees received an email from a fellow co-worker that pointed to a PDF file. Upon opening the file, the employee did not notice anything unusual; however, there has recently been unusual activity in their bank account. BF was able to obtain a memory image of the employee's virtual machine at the time the infection was suspected. BF asked Ali to analyse the virtual memory (the VirtualMemory.vmem file) and report on any suspicious activity found.
Since Ali is very busy these days, he has asked you to conduct this investigation and answer the following questions. Make sure your answers are supported by a detailed explanation of the investigation process undertaken for each question, include the snapshots needed to support your investigation (all snapshots must be sharp and of high quality), and provide an in-depth discussion for each answer.

1. List the processes that were running on the victim's machine. Which process was most likely responsible for the initial exploit?
2. List the sockets that were open on the victim's machine during the infection. Are there any suspicious processes that have sockets open?
3. List any suspicious URLs that may be in the suspected process's memory. Are there any processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs?
4. List suspicious files that were loaded by any processes on the victim's machine. From this information, what was a possible payload of the initial exploit that would be affecting the victim's bank account? Are there any related registry entries associated with the payload?
5. What technique was used in the initial exploit to inject code into the other processes?
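The following script is an added illustration for question 3 and is not part of the assignment or of any tool it names. It assumes that the suspect process's memory has already been dumped from VirtualMemory.vmem to a file with a memory forensics framework (Volatility's per-process dump plugins are one way to do this); a constructed byte string stands in for that dump so the script runs offline, and the bank domain, keyword list and every URL in it are constructed. The point it makes beyond the question text is that Windows user-mode memory holds URLs both as ASCII and as UTF-16LE wide strings, so a scan that only extracts ASCII strings misses half of the evidence, and that a host which merely contains the bank's name without being under its registered domain is the typical sign of a lookalike.

```python
"""Scan a dumped process memory region for URLs and triage them for banking relevance.

Added illustration for question 3 (not part of the assignment). It assumes the
suspect process's memory has already been dumped from VirtualMemory.vmem to a
file with a memory forensics framework; a constructed byte string stands in for
that dump so the script runs offline.
"""
import re
import sys
from urllib.parse import urlparse

# Constructed stand-in for a few bytes of a dumped process region. Windows
# user-mode processes hold URLs both as ASCII and as UTF-16LE wide strings, so a
# scan that only looks for ASCII text misses the wide ones.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90\x00"
    + b"http://online.example-bank.test/login?session=abc"      # ASCII, at offset 6
    + b"\x00" * 8
    + "https://cdn.example.test/lib.js".encode("utf-16-le")     # wide string
    + b"\x00" * 4
    + b"ftp://drop.example.test/p.bin"
    + b"\x00\x10"
    + b"http://example-bank.test.attacker-cdn.test/update"       # lookalike host
    + b"\xff\xfe\x00garbage"
)

# Constructed allowlist: the hosts the customer's genuine banking site uses.
BANK_DOMAINS = {"example-bank.test"}
# Words that make an unknown host worth a second look.
BANK_KEYWORDS = ("bank", "secure", "login")

# Runs of printable text, narrow (ASCII) and wide (UTF-16LE), at least 6 chars.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
URL_RE = re.compile(r"(?:https?|ftp)://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?")


def extract_urls(buf: bytes):
    """Return URL records {offset, encoding, url} found in buf, ordered by offset.

    Offsets are positions inside the dump file, not virtual addresses."""
    found = []
    for m in ASCII_RUN.finditer(buf):
        text = m.group().decode("ascii")
        for u in URL_RE.finditer(text):
            found.append({"offset": m.start() + u.start(), "encoding": "ascii", "url": u.group()})
    for m in WIDE_RUN.finditer(buf):
        text = m.group().decode("utf-16-le")
        for u in URL_RE.finditer(text):
            # Each decoded character occupies two bytes in the dump.
            found.append({"offset": m.start() + 2 * u.start(), "encoding": "utf-16le", "url": u.group()})
    found.sort(key=lambda r: r["offset"])
    return found


def classify(url: str, bank_domains=BANK_DOMAINS) -> str:
    """'bank' for the genuine domain or its subdomains, 'bank-lookalike' for
    other hosts that merely contain a banking keyword, otherwise 'other'."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in bank_domains):
        return "bank"
    if any(k in host for k in BANK_KEYWORDS):
        return "bank-lookalike"
    return "other"


def triage(buf: bytes, bank_domains=BANK_DOMAINS):
    """Group the extracted URL records by classification."""
    groups = {"bank": [], "bank-lookalike": [], "other": []}
    for rec in extract_urls(buf):
        groups[classify(rec["url"], bank_domains)].append(rec)
    return groups


if __name__ == "__main__":
    # Pass a dump file path to scan real data; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for label, recs in triage(data).items():
        for r in recs:
            print(f"{label:15} 0x{r['offset']:08x} {r['encoding']:8} {r['url']}")
```

Run it with the path of a per-process dump as the only argument; running it over the whole VirtualMemory.vmem also works but loses the attribution of each URL to a process, which is what question 3 asks for. The allowlist of genuine banking hosts has to come from the customer, since the script cannot tell a bank's real CDN from an impostor on its own.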