Digital Forensics: Approach to Uncovering a Data Breach - Task 1

Learning Outcomes Assessed

LO1: Discuss the need for and uses of Digital Forensics

LO2: Critically evaluate and implement Digital Forensics techniques

LO3: Analyse malware and perform intrusion analysis

Submission Information

This 2750-word report (with 10% flexibility) should be submitted online via Turnitin on the CO7606 Moodle page. The work should be submitted as an MS Word document (.docx) and should be properly referenced using the APA referencing system.

All components must be submitted to avoid receiving a mark of zero.

Any late work penalties for assignments will be calculated using the latest submission date/time.

Permissible word count excludes the student’s name, title of module and assignment, references to sources, bibliography, code snippets, graphs, maps, diagrams, captions and appendices.

Extensions and Plagiarism

Extensions should be requested through the online system available on the Registry services pages on Portal. Late work is penalised at the rate of 5% per day or part thereof.

The material you submit must be your own work.  The penalties for plagiarism are severe.  The minimum penalty is usually zero for that piece of work. Further information is available at  Portal > Support Departments > Academic Quality Support Services > Academic Integrity

Hints and Tips are in Red. Otherwise everything else is a direct copy from the Assessment brief. Note that the assessment hints and tips are not a complete list of what you should do, they just add onto what the assessment brief is asking to give some examples and context where it would be beneficial to you.

Read this whole brief before starting; both the scenario and all tasks.

You are working for a very small company, Chester Digital Forensic n’ Stuff (CDFnS), which advertises itself as providing Digital Forensics to organisations amongst other things. The company has just set up, and the director has employed you as its sole Cyber Security Specialist who has training across the field of cyber security.

CDFnS, being new, has no formal procedures yet laid out for anything.

CDFnS has just been contracted by a company, Thornton Delivery Services (TDS), to provide them support in identifying a suspected data breach at TDS.

About Thornton Delivery Services (TDS)

TDS is a national delivery company based at Thornton Science Park. They employ 50 staff including administration, drivers, and warehouse workers. Their operations rely on IT systems. Their business systems comprise the following:

  • 1 Windows Server 2019 server running:

    - Active Directory

    - Roles: DNS, DHCP, File Server

    - Default logging

    - Financial software for tracking and accounting

    - Asset software for tracking parcels

  • 1 Debian 8 (Jessie) Linux Server for backup of files off the Windows Server
  • 20 in-house client computers which are used primarily by the administration staff, who underpin the day-to-day operations. A variety of different Operating Systems are in use. To date this comprises the following deployment:

TDS Data Breach

The Administrator occasionally looks at internal traffic stats for fun in the odd month he is not overworked. This time, on looking at the stats over the previous months, he noticed something suspect: a lot of traffic from the Windows Server 2019, first to one of the internal Windows 7 client machines, and then, the next day, directly out from the Server to the Internet. Both transfers (to the Windows 7 client, and out from the Server) took place late in the evening, when the Windows 7 client’s user was at home.

The Administrator is not experienced in analysis of logs or in digital forensics.

Task 1:

You need to act swiftly to preserve as much evidence as you need to uncover what is going on.

TDS is not expecting any downtime at the moment.

Describe and critically analyse the approach you will take from a technical perspective to develop an understanding of what has happened.

Task 1 is purposely vague because we are allowing you a wide scope to develop your own critical thinking in your approach, but there are some hints below of what you might want to consider.

Notice that the organisation has Active Directory installed. Are the client PCs joined to the domain? Are the logs saved locally or remotely? What is the benefit of each?

At the moment you’re looking at a breach that has been initially noticed from the following Operating Systems:

- Windows 7 PC

- Windows Server 2019 server

So for all of these tasks you should be describing your approach, and critically analysing it.

What will you request access to, and how will you use that data or information provided?

You would want access to the 2 computers for sure, but would you need to check out the other computers? Why so? What could have happened on them?

What is this data you will need access to? Do you need to know what websites staff have been visiting? Do you need to check their emails? Who do you need to talk to in order to get this?

Are you in a legal position to have access to this data?

Consider multiple possibilities without coming to early conclusions. Establish some sort of process and express it possibly with the help of a diagram, flow chart, or other.

So here you might want to consider the 8 steps of forensics analysis we talked about in Week 2. Is there another framework you might consider?

You should purposely consider a wide range of options that might have happened. Did this come in through a social engineering attempt? An attack on the computer from outside? Server 2019 is new but Win7 is quite old. More options for attack there.

Identify any tools you may use, including built-in tools.

So think about what tools you could use at this point: would you go looking for indicators of compromise in the logs in Event Viewer, e.g. known malicious IP addresses or malware hashes? What are some of the event IDs you could look for? Would you use third-party tools? Is there a cost to them? A pros and cons list of different tools and options would be good to see in a table.

Remark upon the impact on the business of the approach(es) you decide to take.

What action will running these tools have? Will it affect the integrity of the machine? Will we lose or tamper with existing files/logs by doing anything here that could hinder our efforts later on?

Again the format of this is quite open to you to choose how to go about answering this. I would advise you to consider these options, but make sure you do it yourself. More marks will be awarded for critical thinking.

Task 1 ends here. Now read this and answer Task 2.

CDFnS Makes Progress

Following Task 1, you find out that:

Some logs have been deleted on the Server (the security logs that are normally viewable in Event Viewer).

Thousands of logon attempts were made from the Windows 7 client to the Windows Server before access to the admin account was successfully gained. These attempts were made from the client machine on the same evening that it was also downloading files from the file server under the user’s account, which had access to a limited number of files.

Some logs have been deleted on the Windows 7 client.

Once the attacker had gained access to the Server admin account, he could access any files on the file server, and more confidential files were accessed.
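As an added example (not part of the assessment brief or the CDFnS scenario), the following Python script shows the kind of check the Task 1 hints point at and that the findings above describe: searching an exported Security log for a burst of failed logons (Event ID 4625) from one host that is followed by a successful logon (4624) to the same account, and for the event recorded when the Security log is cleared (1102). The log records, hostnames and timestamps are constructed inline and simplified to four fields; a real export (for example via Get-WinEvent on the server) carries many more fields, including the source IP address rather than a hostname, and the threshold and window values are assumptions to be tuned.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one record per line:
#   timestamp,event_id,target_user,source_host
# Hostnames and times are invented for illustration: 200 failed logons to the
# admin account from the Windows 7 client, then a success, an unrelated earlier
# user logon, and a Security-log clearing (1102) recorded on the server.
def build_sample_lines():
    start = datetime(2024, 3, 12, 22, 1, 5)
    lines = []
    for i in range(200):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S},4625,administrator,WIN7-CLIENT-04")
    lines.append("2024-03-12 22:04:30,4624,administrator,WIN7-CLIENT-04")
    lines.append("2024-03-12 20:15:00,4624,jsmith,WIN7-CLIENT-04")
    lines.append("2024-03-12 23:10:12,1102,administrator,TDS-DC01")
    return lines


def parse_record(line):
    """Split one exported line into a dict with a real datetime and int event ID."""
    ts, event_id, user, host = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "user": user,
        "host": host,
    }


def load_records(lines):
    """Parse and sort by time; exports are not guaranteed to be in order."""
    return sorted((parse_record(l) for l in lines if l.strip()), key=lambda r: r["time"])


def find_brute_force(records, threshold=20, window=timedelta(minutes=10)):
    """Flag a successful logon (4624) preceded by at least `threshold` failures
    (4625) for the same (source host, target user) pair within `window`."""
    failures = defaultdict(list)  # (host, user) -> failure timestamps
    findings = []
    for r in records:
        key = (r["host"], r["user"])
        if r["event_id"] == 4625:
            failures[key].append(r["time"])
        elif r["event_id"] == 4624:
            recent = [t for t in failures[key] if r["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "source": r["host"],
                    "target": r["user"],
                    "failures": len(recent),
                    "success_at": r["time"],
                })
            failures[key].clear()  # a success ends the current attempt series
    return findings


def find_log_clearing(records):
    """Event ID 1102 is written when the Security log is cleared; its presence
    is evidence in itself, and its absence alongside a gap in records is too."""
    return [r for r in records if r["event_id"] == 1102]


def triage(lines):
    records = load_records(lines)
    return {
        "brute_force": find_brute_force(records),
        "log_cleared": find_log_clearing(records),
    }


if __name__ == "__main__":
    for name, hits in triage(build_sample_lines()).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

Two points worth carrying into the report: the 4625/4624 pattern is only visible if the server kept its Security log, which is why the 1102 event (or a gap in event record numbers) matters as evidence in its own right, and the Windows 7 client keeps its own logon records, so the two sources should be compared rather than trusting either alone.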

You propose to take a memory dump and copy of the hard disks for each machine.

TDS would like to get to the bottom of this, and accepts, even if they have to take the server offline overnight (for not more than 12 hours).

Hints and Tips

So you’re proposing disk dumps and memory dumps of both the win7 and server 2019 machine now. Your process should take no longer than 12 hours. Getting this done in less than 12 hours all depends on your method of interrogating these dumps.

Task 2:

Explain the benefit of taking memory and disk copies of both machines. For each, what can you expect to determine?

What can you find in the RAM dump that you can’t find in the disk dump? And vice versa.

What do you get from a disk dump you cannot get from analysing logs?

For either the Windows 7 client or the Windows Server 2019:

Describe briefly the process of taking a memory copy and a disk copy, minimising impact.

For both memory and disk images, describe and critically analyse the approach you would take from a technical perspective to develop a further understanding of what has happened.

Identify any tools you may use, and the use of those tools.

Consider the precaution taken and the reason for those cautions.

This is all quite self-explanatory. So for the server 2019 OR Win7 OS (you need to specify), you need to talk about software/hardware tools that you could use to take a disk dump and a memory dump for each of them. Show the process of this in screenshots for more marks. You should make sure you reference your screenshots with your J number if it was your own screenshot. Else add a reference to the author of the screenshot.

The tools that you use, are they free or paid? What are the pros and cons of each?
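Added example, not from the brief and not any particular imaging tool's code: a Python sketch of the integrity precaution behind the disk copy discussed in Task 2. It hashes the source while it is read, hashes the resulting image separately, records both in a chain-of-custody entry, and then shows that a single changed byte in the image breaks verification. It operates on an ordinary constructed file in a temporary directory; a real acquisition would read the drive through a hardware write blocker with an imaging tool such as FTK Imager or dd, and the examiner's J number would replace the placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size, so large images never load fully into memory


def sha256_file(path):
    """SHA-256 of a file computed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy source to image byte for byte, hashing the source as it is read.
    Returns the hash of what was read so it can be compared with the image."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(image_path, expected_sha256):
    """True only if the image on disk still hashes to the recorded value."""
    return sha256_file(image_path) == expected_sha256


def custody_record(source_path, image_path, examiner):
    """Acquire, verify and return a chain-of-custody entry as a dict."""
    acquired = acquire_image(source_path, image_path)
    image_hash = sha256_file(image_path)
    return {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": acquired,
        "sha256_image": image_hash,
        "verified": acquired == image_hash,
    }


def run_demo():
    """Constructed end-to-end run on a temporary file.
    Returns (verified_after_copy, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "constructed_disk.raw")
        img = os.path.join(d, "constructed_disk.img")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 8192)  # 2 MiB of constructed content
        record = custody_record(src, img, examiner="J-number placeholder")
        with open(img, "ab") as f:
            f.write(b"\x00")  # simulate a single altered byte after acquisition
        return record["verified"], verify_image(img, record["sha256_source"])


if __name__ == "__main__":
    print(json.dumps(run_demo()))
```

The design point is that the hash of the source is taken during the single read pass, not afterwards, so the image is compared against what was actually read rather than against a drive that may have changed in the meantime; the same record format works for a memory dump, where there is no second chance to re-read the source.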

End of Task 2.

Task 3:

The TDS Administrator has had to deal with many staff opening phishing emails containing malware. E.g. Word Documents, PDF files, ZIP files. They would like to understand measures they can put in place to help prevent users from infecting their computers.

The Administrator already knows about Anti-Virus solutions, but these have often not detected malware where it was actually present. From a high-level overview, propose a list of malware analysis tools that the Administrator could use to start to perform basic malware analysis. You should compare and contrast these different tools and state if they are to be used for static or dynamic analysis. You can categorise these tools however you see fit. For example:

1. Debugger

2. Disassembler

3. Decompiler

Again, as with Task 2, this is quite focused. You should describe the pros and cons of various malware analysis tools, categorising them as you wish. You might want to use the example above of 1, 2, 3. But whatever you choose, you should make it clear whether they are static or dynamic analysis tools (or a mixture of both).

For each of these tools, you should demonstrate that you have actually used them in order to give a recommendation on these pros and cons. Do this by including screenshots of you analysing some sample malware files you have made or downloaded.

You can use malware samples downloaded online, or your own malware sample you want to make.

Finally, you should propose best-practice recommendations, focusing on the risks of running malware and some of the preventative methods the Administrator should use when dealing with malware to avoid infecting themselves for real (e.g. malware escaping from a VM into the host machine).

Here you are focusing on setting up a malware analysis lab, and specifically on the operational security that makes it as unlikely as possible that you accidentally run the malware you’re analysing when you didn’t mean to.

General Instructions

  • Format: The format should be one column, left or justified alignment, have appropriate and meaningful headings/sections. Use a meaningful structure that ensures coherency.
  • Referencing: Do not just give a list of references without showing where/how you have used them in the text – ensure you include in-text referencing.
  • Support: If you use external support, e.g., for proofreading or translation, you MUST state this. The tutor will provide adequate support to ensure that all students are very clear of what is expected of them in this assessment. So ensure you take this opportunity to get clarifications where you need them.
  • Coverage: You are expected to cover all tasks.
  • Originality: It is acceptable to use direct quotes from sources. However, excessive use of direct quotes (regardless of whether they are referenced or not) reduces the originality of the work. This and high level of similarity will affect the student’s mark.

Assessment Criteria 

Marks will be affected if the above instructions are not adhered to. As stated above, specific marks are allocated to questions and the level of marks awarded will depend on the depth and quality of answers. Characteristics of Distinction and Pass level answers are distinguished as below: 

  • Demonstrating in-depth knowledge of the skills tested 
  • Coverage – attempting and getting most or all of the tasks correct 
  • Showing excellent knowledge of the topic area 
  • Excellent command, understanding, and usage of relevant tools 
  • A very sophisticated critical reflection, self-evaluation and new insights informing practical situations. 
  • Proper use of referencing 
