1. Introduction 
Computer technology is an integral part of everyday life, and it is growing rapidly, as are 
computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual 
property theft. To counter those computer-related crimes, Computer Forensics plays a very 
important role. "Computer Forensics involves obtaining and analyzing digital information for use 
as evidence in civil, criminal or administrative cases" (Nelson, B., et al., 2008). 
A Computer Forensic Investigation generally examines data taken from computer hard disks or 
other storage devices, following standard policies and procedures, to determine whether those 
devices have been compromised by unauthorized access. Computer Forensics Investigators work 
as a team to investigate the incident and conduct the forensic analysis using various 
methodologies (e.g. static and dynamic analysis) and tools (e.g. ProDiscover or EnCase) to 
establish whether the organization's computer network is secure. A successful Computer 
Forensic Investigator must be familiar with the laws and regulations related to computer crime 
in their country (e.g. the Computer Misuse Act 1990 in the UK) and with the operating systems 
in use (e.g. Windows, Linux) and network operating systems (e.g. Windows NT). According to 
Nelson, B., et al. (2008), Public Investigations and Private or Corporate Investigations are the 
two distinct categories of Computer Forensics Investigation. Public investigations are 
conducted by government agencies, and private investigations by a private computer forensic 
team. This report focuses on a private investigation, since the incident occurred at a new 
start-up SME based in Luton. 
This report also covers a computer investigation model, data collection and its types, evidence 
acquisition, forensic tools, malware investigation and the legal aspects of computer forensics, 
and finally provides the recommendations, countermeasures and policies needed to ensure this 
SME operates in a secure network environment. 
2. Case Study 
A new start-up SME (small-medium enterprise) based in Luton with an E-government model has 
recently begun to notice anomalies in its accounting and product records. It has undertaken an 
initial check of system log files, and there are a number of suspicious entries and IP addresses 
with a large amount of data being sent outside the company firewall. They have also recently 
received a number of customer complaints saying that there is often a strange message displayed 
during order processing, and they are often re-directed to a payment page that does not look 
legitimate. 
The company makes use of a general purpose eBusiness package (OSCommerce) and has a small 
team of six IT support professionals, but they do not feel that they have the expertise to carry out 
a full scale malware/forensic investigation. 
As there is increased competition in the hi-tech domain, the company is anxious to ensure that 
their systems are not being compromised, and they have employed a digital forensic investigator
to determine whether any malicious activity has taken place, and to ensure that there is no 
malware within their systems. 
Your task is to investigate the team’s suspicions and to suggest to the team how they may be able 
to disinfect any machines affected with malware, and to ensure that no other machines in their 
premises or across the network have been infected. The team also wants you to carry out a digital 
forensics investigation to see whether you can trace the cause of the problems, and if necessary, 
to prepare a case against the perpetrators. 
The company uses Windows NT Server for its servers. Patches are applied by the IT support 
team on a monthly basis, but the team has noticed that a number of machines do not seem to 
have been patched. 
Deliverables 
Your deliverable in this assignment is a 5,000 word report discussing how you would approach 
the following: 
• Malware investigation 
• Digital Forensic Investigation 
You should discuss a general overview of the methodology that you will use, and provide a 
reasoned argument as to why the particular methodology chosen is relevant. 
You should also discuss the process that you will use to collect evidence and discuss the relevant 
guidelines that need to be followed when collecting digital evidence. 
As a discussion contained within your report, you should also provide a critical evaluation of the 
existing tools and techniques that are used for digital forensics or malware investigations and 
evaluate their effectiveness, discussing such issues as consistency of the approaches adopted, the 
skills needed by the forensic investigators, and the problems related with existing methodologies 
(especially with respect to the absence of any single common global approach to performing 
such investigations and the problems that can result when there is a need to perform an 
investigation that crosses international boundaries). 
3. Association of Chief Police Officers (ACPO) 
This forensic investigation will be conducted according to the Association of Chief Police 
Officers (ACPO) guidelines and their four principles for computer-based electronic evidence. 
These principles must be followed by anyone conducting a Computer Forensic Investigation. In 
summary (ACPO, 2013): 
Principle 1: No action taken should change data held on a computer or storage media which 
may subsequently be relied upon in court. 
Principle 2: Where a person finds it necessary to access original data held on a computer or 
storage media, that person must be competent to do so and must be able to give evidence 
explaining the relevance and the implications of their actions. 
Principle 3: An audit trail or other record of all processes applied to computer-based 
electronic evidence should be created and preserved. An independent third party should be able 
to examine those processes and achieve the same result. 
Principle 4: The person in charge of the investigation has overall responsibility for ensuring 
that the law and these principles are adhered to. 
4. Computer Investigation Model 
According to Kruse II, W.G., and Heiser, J.G. (2010), a computer investigation identifies the 
evidence, preserves it, extracts it, documents every step, validates the evidence and analyses it 
to find the root cause, from which the recommendations or solutions follow. 
"Computer Forensics is a new field and there is less standardization and consistency across the 
courts and industry" (US-CERT, 2012). Each computer forensic model focuses on a particular 
area, such as law enforcement or electronic evidence discovery, and no single digital forensic 
investigation model has been universally accepted. It is generally accepted, however, that a 
digital forensic framework must be flexible enough to support any type of incident and new 
technologies (Adam, R., 2012). 
Kent, K., et al. (2006) developed a basic digital forensic investigation model, the Four Step 
Forensics Process (FSFP), following Venter's (2006) idea that a digital forensics investigation 
can be conducted even by non-technical persons. Its four phases are Collection, Examination, 
Analysis and Reporting. This model is more flexible than the alternatives, so an organization 
can adapt it to the situation at hand; these are the reasons we chose it for this investigation. 
The four basic processes of FSFP are shown in the figure: 
Figure 1: FSFP Forensic Investigation Model
Source: Kent, K., et al. (2006) 
The "Preserve and Document Evidence" arrow indicates that all evidence must be preserved and 
documented throughout the investigation, since it may later be submitted to court. Each stage 
of the FSFP model is discussed in the following sections. 
5. Scope of Investigation 
The scope of the forensic investigation for this case is as follows: 
 To identify the malicious activities with respect to 5Ws (Why, When, Where, What, 
Who). 
 To identify the security lapse in their network. 
 To find out the impact if the network system was compromised. 
 To identify the legal procedures, if needed. 
 To provide the remedial action in order to harden the system. 
6. Legal Challenges of Investigation 
According to Nelson, B., et al. (2008), the legal matters to settle before we start our forensic 
investigation are as follows: 
 Determining whether law enforcement assistance is needed; if so, they may assist during 
the investigation, or else the investigation report is submitted to them at the end of the 
investigation. 
 Obtaining written permission to conduct the forensic investigation, unless another 
incident response authorization procedure is in place. 
 Consulting the legal advisors to identify the issues that could arise from improper 
handling of the investigation. 
 Ensuring the clients' confidentiality and privacy concerns are accounted for. 
7. Initial Preparation 
Before starting the investigation we need to prepare, so that the investigation can be conducted 
efficiently. This is considered a proactive measure of the investigation (Murray, 2012). The 
following steps are taken in the preparation stage: 
 Gathering all available information from the initial assessment of the incident, such as 
its severity. 
 Identifying the impact of the investigation on the SME's business, such as network down 
time, duration of recovery from the incident, loss of revenue, and loss of confidential 
information. 
 Obtaining information about the network: network devices such as routers, switches and 
hubs, network topology documentation, computers, servers, the firewall and the network diagram.
 Identifying external storage devices such as pen drives, flash drives, external hard disks, 
CDs, DVDs, memory cards and remote computers. 
 Identifying the forensic tools to be used in this investigation. 
 Capturing live network traffic with a tool such as Network Monitor ('netmon') in case the 
suspicious activity is still ongoing. 
 Documenting all activities during the investigation; the record may be used in court to 
verify the course of action that was followed. 
 Imaging the target devices' hard drives and hashing the images (MD5, with SHA-256 
alongside it, since MD5 collisions are practical) so that their integrity can be verified later. 
8. Collection 
"The collection phase is the first phase of this process: to identify, label, record, and acquire 
data from the possible sources of relevant data, while following guidelines and procedures that 
preserve the integrity of the data" (CJCSM 6510.01B, 2012). Two types of data can be collected 
in a computer forensics investigation: volatile data and non-volatile (persistent) data. Volatile 
data exists only while the system is powered on and is lost at power-off, e.g. the contents of 
Random Access Memory (RAM): running processes, open network connections, the in-memory 
parts of the registry and caches. Non-volatile data persists whether the power is on or off, e.g. 
documents on the hard disk. Since volatile data is short-lived, a computer forensic investigator 
must know the best way to capture it. Evidence can be collected locally or remotely. 
8.1 Volatile Data: 
The following figure shows how to capture the volatile data. The forensic workstation must be 
located on the same LAN as the target machine, in this case the Windows NT Server. 'Cryptcat' 
(netcat with an encrypted channel) runs on the forensic workstation, listening on a port, and the 
target sends the output of trusted tools to it. Start the listener on the forensic workstation 
first, appending everything it receives to an evidence file: 
cryptcat -l -p 6543 -k <key> >> <file name>
Then, on the Windows NT server, insert the trusted toolset optical drive, open the trusted 
cmd.exe from it, and pipe each tool's output across the channel, using the same shared key: 
<trusted tool> | cryptcat <forensic workstation ip address> 6543 -k <key> 
This avoids writing the tool output to the target's own disk, which keeps the non-volatile 
evidence intact. 
Figure 2: Volatile data collection setup 
Source: Reino, A., (2012) 
The following table lists graphical (GUI) tools, their usage and their output, which can be used 
in the computer forensic investigation. 
Table 1: Volatile Data Forensic Tools and their usage and outcome 
Source: Reino, A., (2012) 
We also use various Windows command-line tools to capture volatile data, as follows: 
HBGary's FastDump – local physical memory acquisition. 
F-Response (Agile Risk Management) – remote physical memory acquisition.
ipconfig – collecting the subject system's network configuration. 
net users and quser – identifying local accounts and logged-in users. 
doskey /history – collecting the command history of the current console. 
net file – identifying open shared files (running services and loaded drivers are listed with 
net start and, on later Windows versions, driverquery). 
Finally, the clipboard content should also be collected. More evidence can be recovered from a 
machine that is still running, so if the anomalies are still present in the SME, we can retrieve 
a great deal of evidence from the running processes, network connections and the data held in 
memory. Because so much evidence exists only in this volatile state, the affected computers must 
not be shut down before it has been collected. 
8.2 Non-Volatile Data 
Once the volatile data has been captured, we turn to the non-volatile data. The first step is to 
copy the entire contents of the target drive, known as "forensic imaging". Imaging preserves the 
original data as evidence, so that the analysis proceeds on the copy and nothing is changed on 
the original during the investigation. Forensic images are created with tools such as EnCase, 
ProDiscover and FTK. The investigator connects the target drive through a write blocker and 
copies its entire contents to another storage device using one of those tools. Hard drive 
cloning, by contrast, is a bit-for-bit duplicate of the drive onto another drive: every bit is 
copied, nothing is added, and the clone can be mounted and read directly. A forensic image in a 
container format such as EnCase's E01 can only be opened with forensic tools (a raw dd image 
can be mounted like a clone); it carries metadata such as hashes, timestamps and case notes, 
and it compresses empty blocks. The image is hashed with MD5 or SHA-2 to ensure the 
integrity of the digital evidence (Nelson, B., et al., 2008). 
Data collection can be done in an offline investigation or an online investigation. Forensic 
imaging is done offline. Live network traffic is captured in an online investigation with 
Wireshark (formerly Ethereal). Firewall logs, antivirus logs and domain controller logs are 
collected as non-volatile data, as are the web server logs, Windows event logs, database logs, 
IDS logs and application logs. Once all the digital evidence has been collected, it must be 
recorded in the chain of custody log. The chain of custody log preserves the integrity of the 
evidence from the start of the investigation until the investigation report is presented 
(Nelson, B., et al., 2008). 
Before any further processing, we image the disk bit by bit, which copies the entire volume 
including unallocated space and deleted files. After imaging, we hash the image to establish 
that the data is authentic and that its integrity can be proven throughout the investigation. 
The hash values must be recorded in multiple locations, and the data must not be changed from 
the time of collection until the end of the investigation. Most tools help here by accessing the 
media in a read-only state (SANS, 2010). The target systems' hard drives, the external storage 
devices and the Windows NT Server hard drive must all be acquired for the digital forensic 
investigation in this case. 
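To show what the hashing and chain-of-custody step above amounts to in practice, the following is an added Python example; it is not part of the original report and not code from any of the tools named in it. It assumes a raw image file and a JSON manifest of our own design, and the sample "image" data is constructed. Both MD5 and SHA-256 are computed in one pass, recorded with who acquired what and when, and the verification step requires both digests to match, so a matching MD5 alone (which a colliding file could produce) is not accepted.

```python
"""Hash an evidence image with MD5 and SHA-256 and record the result in a
chain-of-custody manifest that can be re-verified later.  Added example, not
part of the original report; file names and the manifest layout are
assumptions for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images do not fill RAM


def hash_file(path):
    """Return {'md5': ..., 'sha256': ...} for the file at path, both digests
    computed in a single pass over the data."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_path, manifest_path, examiner, source):
    """Append one acquisition record (who, what, when, hashes) to the manifest."""
    entry = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "source": source,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        **hash_file(image_path),
    }
    records = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            records = json.load(fh)
    records.append(entry)
    with open(manifest_path, "w") as fh:
        json.dump(records, fh, indent=2)
    return entry


def verify_against_manifest(image_path, manifest_path):
    """Re-hash the image and compare with the recorded digests.  True only if
    both MD5 and SHA-256 still match: a matching MD5 alone is not enough,
    because MD5 collisions are practical."""
    with open(manifest_path) as fh:
        records = json.load(fh)
    name = os.path.basename(image_path)
    wanted = [r for r in records if r["file"] == name]
    if not wanted:
        return False
    recorded = wanted[-1]
    current = hash_file(image_path)
    return (current["md5"] == recorded["md5"]
            and current["sha256"] == recorded["sha256"])


def demo():
    """Constructed sample: a small 'image' is recorded and verified, then one
    byte is altered and verification is repeated.  Returns (intact, tampered)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "ntserver_disk0.dd")
    manifest = os.path.join(workdir, "custody.json")
    with open(image, "wb") as fh:
        fh.write(b"MBR" + b"\x00" * 4093)   # constructed placeholder data
    record_acquisition(image, manifest, "examiner-1", "NT server, disk 0")
    intact = verify_against_manifest(image, manifest)
    with open(image, "r+b") as fh:          # flip one byte, as a careless
        fh.seek(100)                        # examiner or an attacker might
        fh.write(b"\x01")
    tampered = verify_against_manifest(image, manifest)
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest should itself be stored in at least two places (and its own hash noted in the examiner's paper log), which is what "recorded in multiple locations" above means in practice.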
9. Examination 
Once we have gathered all the available evidences, we need to conduct the examination by the 
help of various computer forensic investigation tools. We also examine the file system, Windows 
registry, Network and Database forensic examination, as follows: 
9.1 File System Examination 
NTFS (New Technology File System) treats everything on the volume, including its own 
metadata, as a file. The Master File Table (MFT) is the first file on an NTFS volume and holds 
a record for every file and directory. The MFT records are metadata, i.e. data about data 
(Nelson, B., et al., 2008). File content can be held in two ways: resident or non-resident. A 
small file (roughly 700 bytes or less, so that it fits inside its 1 KB MFT record) is stored as 
resident data within the MFT; larger files are stored in clusters outside the MFT and are 
non-resident. When a file is deleted in Windows NT, the OS renames it and moves it to the 
Recycle Bin under a unique name, recording the original path and file name in the INFO2 file. 
If the file is then deleted from the Recycle Bin, its clusters are marked as available for new 
data. NTFS reclaims deleted space faster than FAT. NTFS also supports alternate data streams: 
additional named streams can be attached to an existing file, and they are not shown by a 
normal directory listing. A data stream can be created as follows: 
C:\>echo text_mess > file1.txt:file2.txt 
and read back with the following command: 
C:\>more < file1.txt:file2.txt 
W2K.Stream and Win2K.Team are viruses which used data streams, hiding their code in a 
stream attached to the original file. An investigator must therefore understand the Windows 
file systems FAT and NTFS in depth (Nelson, B., et al., 2008). 
9.2 Windows Registry Examination 
According to Carvey, H. (2005), the registry can be treated as a log file, because every key 
carries a "LastWrite" time, stored as a FILETIME, which records when the key or its values 
were last modified (individual values carry no timestamp). With files it is often difficult to 
obtain a precise modification time, but the LastWrite time shows when a key was last changed. 
Fantastic will follow the steps below (Carvey, H., 2005) to analyse the Windows registry of the 
organization, so that the problems within and outside the organization are identified and 
resolved, protecting the company's reputation. 
The Windows registry is a hierarchical database used by Microsoft in Windows 98, Windows CE, 
Windows NT and Windows 2000 to store the configuration of users, applications and hardware 
devices; programs and processes consult it during execution (Windows, 2013). The registry is 
divided into root keys, commonly called "hives": 
 HKEY_CLASSES_ROOT: file type associations and COM class registrations, i.e. which 
program handles which file type or object. 
 HKEY_CURRENT_USER: settings of the user currently logged into the system. 
 HKEY_LOCAL_MACHINE: information about the hardware, drivers, services and installed 
software of the system. 
 HKEY_USERS: the settings of all users on the system. 
 HKEY_CURRENT_CONFIG: the hardware profile currently in use. 
The Windows registry consists of volatile and non-volatile information (some keys, such as 
HKEY_LOCAL_MACHINE\HARDWARE, exist only in memory and are rebuilt at every boot). An 
investigator must therefore be familiar with the meaning and function of the hives, keys, 
values and data of the Windows registry before beginning any forensic investigation of a 
computer, in order to produce a sound forensic report. 
Autostart Locations: these are registry locations from which applications are launched without 
the user initiating them. Through them, the malware affecting Luton SME can run persistently 
whenever the machine is turned on, without direct user interaction, or whenever the user runs 
a particular command or process. One such location is 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, 
where an attacker can add a Debugger value for an application so that Windows runs the 
attacker's trojaned copy in place of the original (Carvey, H., 2005). Luton SME might be 
affected in this way, with the customer payment page redirected to an illegitimate one. 
A forensic investigator can examine the autostart locations to determine whether the Luton SME 
problem results from an action performed by a user, by malware or by an attacker on the 
organization. According to Carvey, H. (2005), the reliable way to enumerate the autostart 
locations is the AutoRuns tool from Sysinternals, which lists them all. 
User Activity: a user's actions and activities can be investigated in the HKEY_CURRENT_USER 
hive, which is a view of that user's HKEY_USERS\<SID> subkey and is loaded from the user's 
NTUSER.DAT file. NTUSER.DAT holds the user's registry settings, so examining this hive gives 
the forensic investigator a good indication of the activities and actions taken by the user.
Most Recently Used (MRU) Lists: MRU keys hold the most recent specific actions taken by a 
user and keep track of them for future reference. For example, 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU 
holds the list of commands run from the Start > Run box. Each command executed from the Run 
box adds a value to this key, as shown below: 
Figure3: Contents of the ExplorerRunMRU key. 
Source: Carvey, H., (2005) 
A forensic investigator can read the LastWrite time of this key to date the most recent 
command in the MRU list shown above (the MRUList value gives the order, the values themselves 
carry no timestamp). With this, the Luton SME investigator will be able to tell from the 
registry whether user activity, a malware action or an attack is affecting the organization. 
UserAssist: according to Carvey, H. (2005), the UserAssist key, found under 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, 
contains two subkeys named with globally unique identifiers (GUIDs), beneath which the names 
of the objects, applications, shortcuts, etc. that the user has launched are stored in ROT-13 
encoded form (obfuscated, not encrypted). Once decoded, the records show what the user ran 
and, in the value data, how often and when it was last run. This can indicate an action by the 
user that triggered the malware through an application or some other activity. 
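As an added illustration of the two decoding steps an examiner performs on this key (this is not code from the original report or from Carvey's paper), the following Python block decodes a ROT-13 value name and converts FILETIME stamps, which is also the type of the LastWrite time mentioned earlier. The sample entry is constructed, and the 16-byte value layout (session, run count, FILETIME) with a counter that starts at 5 is assumed to be the Windows XP-era format.

```python
"""Decode UserAssist entries and convert FILETIME stamps.  Added example, not
from the original report or from Carvey's paper; the sample value bytes are
constructed, and the 16-byte value layout (session, run count, FILETIME) with
a counter that starts at 5 is assumed to be the Windows XP-era format."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """UserAssist value names are ROT-13 encoded, not encrypted: each letter
    is shifted 13 places, so applying the same function twice is the identity."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def filetime_to_datetime(filetime):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC; it is
    the type of a registry key's LastWrite time and of UserAssist stamps."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(name, data):
    """Turn one (value name, 16-byte value data) pair into a readable record."""
    session, count, stamp = struct.unpack("<IIQ", data)   # little-endian
    return {
        "program": rot13(name),
        "session": session,
        "run_count": max(count - 5, 0),   # assumed XP counter offset of 5
        "last_run_utc": filetime_to_datetime(stamp) if stamp else None,
    }


# Constructed sample of what an exported UserAssist subkey might contain:
# ROT-13 of "UEME_RUNPATH:C:\Windows\system32\cmd.exe", run 3 times,
# last at 2013-01-01 00:00:00 UTC.
SAMPLE_ENTRIES = [
    ("HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr",
     struct.pack("<IIQ", 1, 8, 130014720000000000)),
]


def decode_entries(entries=SAMPLE_ENTRIES):
    """Decode every (name, data) pair in the export."""
    return [parse_userassist_value(n, d) for n, d in entries]


if __name__ == "__main__":
    for rec in decode_entries():
        print(rec)
```

The same filetime_to_datetime conversion applies to LastWrite times read from a hive, which is what lets registry changes be placed on the same timeline as file system and log events.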
USB Removable Storage: according to Farmer, D.J. (2008), every USB storage device that has 
been connected to the system is recorded in the registry under 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR. The figure below shows example 
device instance IDs of a USB thumb drive: 
Figure4: Example contents of USBSTOR key, showing device instance IDs.
Source: Carvey, H., (2005) 
By analysing the device class and instance IDs kept under this key, an investigator can 
determine which devices were mounted on the Luton SME organization's machines. Examining 
each value in turn, the investigator can identify the removable USB storage devices and map 
them, through their ParentIdPrefix value, to the drive letters they were mounted as. 
Wireless SSIDs: according to Carvey, H. (2005), the SSIDs of wireless networks used on a 
computer (on Windows XP, where the Wireless Zero Configuration service keeps them) can be 
found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces. This key 
contains subkeys named with GUIDs; under each, the ActiveSettings value holds the wireless 
SSID as binary data, and opening the value in the registry editor's modify dialog shows the 
SSID in plain text. IP address and other network information can be found under 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID>, 
so an investigator can tie a user in the Luton SME organization to a particular timeframe if 
that person's IP address appears under this registry key. 
The Windows registry can also be a vital source of evidence in a forensic investigation if the 
investigator knows where to find data that can be presented to the Luton SME organization. 
Fantastic has examined the basic registry locations that might account for the redirection of 
the web page, tracked user activity and the programs a user executed, identified the devices 
used on the server or on any of the organization's computers, and recovered the IP addresses 
of users. 
9.3 Network Forensics Examination 
The acquiring, collecting and analyzing of the events that take place in the network is referred to 
as network forensics. Sometimes it’s also known as packet forensics or packet mining. The basic 
objective of network forensics is the same, which is to collect information about the packets in 
the network traffic such as the mails, the queries, the browsing of the web content, etc., and keep 
this information at one source and carry out further inspection (WildPackets, 2010). 
Network forensics can be applied in two main ways. The first one is security-related, where a 
network is monitored for suspicious traffic and any kind of intrusions. It is possible for the 
attacker to delete all the log files from an infected host, so in this situation the network-based 
evidence comes to play in the forensics analysis. The second application of network forensics is 
related to the law enforcement, where the network traffic that has been captured could be worked 
on to collecting the files that have been transferred through the network, keyword search and 
analysis of human communication which was done through e-mails or other similar sessions. 
(Hunt, 2012) 
9.3.1 Tools and Techniques of Network Forensics
Live collection should be performed from a forensically sound bootable DVD/CD-ROM, USB 
flash drive or even a floppy disk, so that no untrusted binaries on the target are used. First 
we dump the memory, preferably to a USB flash drive of sufficient size. A risk assessment 
must also be undertaken before collecting volatile data, to evaluate whether it is safe and 
relevant to collect such live data, which can be very useful in an investigation. Forensic 
toolkits should be used throughout the process, as this helps meet the requirements of a 
forensic investigation. These tools must be trusted; they range from freely distributed to 
commercial ones. (7safe, 2013) 
Some very important and discreet information should be collected from a running machine, with 
the help of trusted tools such as: 
 Process listings. 
 Service listings. 
 System information. 
 Logged on and registered users. 
 Network connections. 
 Registry information. 
 Binary dump of memory. 
(7safe, 2013) 
There are many different kinds of network forensics tools, each with different functions. Some 
are just packet sniffers, while others deal with identification, fingerprinting, location, 
mapping, email communications, web services, etc. The table below lists some of the 
open-source tools that can be used for network forensics and their functionalities. (Hunt, 2012) 
Tool                Platform          Web Site                 Attributes
tcpdump / WinDump   Unix & Windows    www.tcpdump.org          F 
NetStumbler         Windows           www.netstumbler.com      F 
Wireshark           Unix & Windows    www.wireshark.org        F 
Sleuth Kit          Unix              www.sleuthkit.org        F R C 
Argus               Unix              www.qosient.com/argus    F L 
Snort               Windows / Unix    www.snort.org            F 
F: Filter & collect; L: Log analysis; R: Reassembly of data stream; C: Correlation of data; 
A: Application layer view 
Table 2: Network Forensic Tools 
Source: (Hunt, 2012) 
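The case study's first symptom was firewall log entries showing large volumes of data leaving the company. The following Python block is an added example of the kind of log analysis the tools above feed into; it is not from the original report or from any listed tool. The log format and the sample lines are constructed, the SME's internal address range is an assumption (taken, in practice, from the network diagram gathered during preparation), and the threshold is a placeholder to be tuned against the company's normal traffic. Only flows from an internal host to an external one are totalled, so legitimate internal transfers such as SMB to a file server cannot mask the exfiltration, and denied attempts to reach a flagged destination from other hosts are reported as a lead on lateral spread.

```python
"""Summarise outbound transfers from firewall log lines and flag external
destinations that received an unusual amount of data.  Added example, not
from the original report or from any tool it names; the log format, the
sample lines, the SME's internal address range and the threshold are all
constructed assumptions."""
import ipaddress
import re
from collections import defaultdict

# Assumed internal address plan of the SME (from the collected network diagram).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed, syslog-like firewall export: time, action, src, dst, dport, bytes.
SAMPLE_LOG = """\
2013-03-04 02:11:07 ALLOW 192.168.10.25 203.0.113.77 443 45231889
2013-03-04 02:12:51 ALLOW 192.168.10.25 203.0.113.77 443 61834410
2013-03-04 09:02:13 ALLOW 192.168.10.40 198.51.100.9 80 8421
2013-03-04 09:05:44 ALLOW 192.168.10.25 192.168.10.5 445 912000000
2013-03-04 09:07:02 DENY 192.168.10.40 203.0.113.77 6667 0
2013-03-04 11:30:00 ALLOW 192.168.10.40 198.51.100.9 443 1502211
this line is corrupt and must be skipped, not guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<bytes>\d+)$"
)


def is_internal(addr):
    """True if the address lies in one of the SME's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def outbound_by_destination(text):
    """Bytes per (src, dst) for allowed flows from an internal host to an
    external one.  Internal-to-internal traffic (e.g. SMB to the file
    server) is excluded so that it cannot drown out the exfiltration."""
    totals = defaultdict(int)
    for rec in parse_log(text):
        if (rec["action"] == "ALLOW" and is_internal(rec["src"])
                and not is_internal(rec["dst"])):
            totals[(rec["src"], rec["dst"])] += rec["bytes"]
    return dict(totals)


def flag_exfiltration(text, threshold_bytes=50 * 1024 * 1024):
    """(src, dst, bytes) triples at or above the threshold, largest first."""
    hits = [(s, d, b) for (s, d), b in outbound_by_destination(text).items()
            if b >= threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)


def denied_to_flagged_hosts(text):
    """Denied attempts to reach a flagged destination: a second machine
    contacting the same drop point suggests the infection has spread."""
    flagged = {d for _, d, _ in flag_exfiltration(text)}
    return [(r["src"], r["dst"], r["dport"]) for r in parse_log(text)
            if r["action"] == "DENY" and r["dst"] in flagged]


if __name__ == "__main__":
    print(flag_exfiltration(SAMPLE_LOG))
    print(denied_to_flagged_hosts(SAMPLE_LOG))
```

The flagged (source, destination) pairs are the starting point for the packet-level work: a Wireshark or tcpdump capture filtered on those hosts shows what was actually transferred, and the times feed the timeline built in the analysis phase.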
9.4 Database Forensics Examination 
A database is a collection of data represented as one or more files, from which data is retrieved 
with queries. Database forensics is the application of computer investigation and analysis 
techniques to gather evidence from a database for presentation in a court of law. Databases 
need forensic examination because they hold sensitive data, which makes them a prime target 
for intruders seeking personal information. 
The case study states that a large amount of data is being sent out of the company, so the 
Fantastic team must perform a forensic investigation of the database with the help of forensic 
tools. Database forensics focuses on the identification, preservation and analysis of data. 
According to Khanuja, H.K., and Adane, D.S. (2011), users must be authenticated and 
authorized by the database server before they can access the database; once authorized, a user 
can read the data and, if so inclined, alter it. The database audit logs therefore give a list of 
the users who were granted access to the data. The team also needs to identify the IP addresses 
that connected to the database remotely, since the data may have been altered by an authorized 
or an unauthorized user. 
According to Dave, P. (2013), the investigation can retrace the DDL (Data Definition 
Language) operations, which define the database structure, and the DML (Data Manipulation 
Language) operations, which manage the data within the database, and identify the state of the 
data before and after transactions. It can also show whether any rows were deliberately deleted 
by a user and recover them, prove or disprove that a data security breach occurred within the 
database, and determine the scope of the intrusion. The Windows forensic tool v1.0.03 is used 
with a customized configuration file that executes DMV (Dynamic Management Views) queries 
and DBCC (Database Consistency Checker) commands to gather data sufficient to prove or 
disprove the intrusion, as described above (Fowler, K., 2007).
10. Analysis 
Initially we analyse the evidence we gathered and examined. We look at the data for hidden or 
otherwise unusual files; for unusual running processes and unexpectedly open sockets; for unusual 
application requests; for unexpected user accounts; and for the patch level of the system, i.e. 
whether it has been kept up to date. The outcome of these checks tells us whether malicious 
activity is present. We then develop a further strategy for the forensic investigation, such as 
complete analysis of memory, complete analysis of file systems, event correlation, and timeline 
analysis (Nelson, B., et al., 2008). In this case study malicious activity is present in the 
network, and this was confirmed by our initial analysis. To find the capabilities and aim of the 
malicious code we have to analyse the malware executable. Malware executable analysis can be 
divided into Static Analysis and Behavioural (Dynamic) Analysis. 
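As an added example of the initial checks listed above (not code from the original report), the script below compares a live-response snapshot against a known-good baseline for the same build: it flags system binary names running from outside `C:\Windows` (masquerading), processes started from user-writable directories, listening ports, accounts and hidden executables that are not in the baseline, and patches that the baseline expects but the host lacks. Both the baseline and the snapshot are constructed here; on a real host the snapshot would come from `tasklist /v`, `netstat -ano`, `net user`, `wmic qfe list` and a directory listing, and the hotfix IDs are placeholders.

```python
# Constructed baseline and live-response snapshot (not data from a real system).
# The baseline is what a clean build of the same image looks like; the snapshot is
# what the live-response commands returned on the suspect host.
BASELINE = {
    "system_processes": {"system", "smss.exe", "csrss.exe", "winlogon.exe",
                         "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"},
    "listening": {(135, "tcp"), (445, "tcp"), (3389, "tcp")},
    "accounts": {"administrator", "guest", "jsmith"},
    "hotfixes": {"KB1000001", "KB1000002", "KB1000003"},  # placeholder IDs, not real KBs
}
SNAPSHOT = {
    "processes": [
        {"pid": 812,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe"},
        {"pid": 2040, "name": "svchost.exe",  "path": r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe"},
        {"pid": 1504, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
        {"pid": 2188, "name": "updater.exe",  "path": r"C:\Users\Public\updater.exe"},
    ],
    "listening": {(135, "tcp"), (445, "tcp"), (3389, "tcp"), (4444, "tcp")},
    "accounts": {"administrator", "guest", "jsmith", "support$"},
    "hotfixes": {"KB1000001", "KB1000002"},
    "files": [
        {"path": r"C:\Users\Public\updater.exe", "hidden": True},
        {"path": r"C:\Users\jsmith\Documents\report.docx", "hidden": True},
        {"path": r"C:\Users\jsmith\Downloads\invoice.exe", "hidden": False},
    ],
}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1")


def triage(snapshot, baseline):
    """Diff a live-response snapshot against the baseline and return the anomalies."""
    findings = {"masquerading": [], "unknown_processes": [], "user_writable_processes": []}
    for p in snapshot["processes"]:
        name, path = p["name"].lower(), p["path"].lower()
        # A system binary name running from outside C:\Windows is a classic masquerade.
        if name in baseline["system_processes"] and not path.startswith("c:\\windows\\"):
            findings["masquerading"].append(p["pid"])
        if name not in baseline["system_processes"]:
            findings["unknown_processes"].append(p["pid"])
        if any(d in path for d in USER_WRITABLE):
            findings["user_writable_processes"].append(p["pid"])
    findings["new_listening_ports"] = snapshot["listening"] - baseline["listening"]
    findings["new_accounts"] = snapshot["accounts"] - baseline["accounts"]
    findings["missing_hotfixes"] = baseline["hotfixes"] - snapshot["hotfixes"]
    findings["hidden_executables"] = [f["path"] for f in snapshot["files"]
                                      if f["hidden"] and f["path"].lower().endswith(EXECUTABLE_EXT)]
    # Any non-empty finding is enough to escalate to full memory/file-system analysis.
    findings["malicious_activity_suspected"] = any(bool(v) for v in findings.values())
    return findings


if __name__ == "__main__":
    for key, value in triage(SNAPSHOT, BASELINE).items():
        print(f"{key}: {value}")
```

The baseline is what makes the check meaningful: a second `svchost.exe` or an unexplained listening port is only "unusual" relative to what the same build looks like when clean, so the baseline should be taken from a freshly imaged machine of the same type rather than from another possibly-infected host.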
11. Malware Analysis 
According to the Verizon “2012 Data Breach Investigations Report”, in 99% of the breaches the data 
was compromised within days or less of the initial intrusion, while 85% of the breaches took weeks 
or more to discover. This is a serious challenge for security departments, because attackers get 
a lot of time to work inside a compromised environment, and more “free time” means more stolen 
data and more serious damage. This is mainly because conventional security measures are not 
designed to deal with such complex threats (2012 Data Breach Investigations Report, Verizon, 
2012). 
When performing a malware crime scene investigation, certain parts of a Windows PC are the most 
likely to hold data relating to the malware's installation and use. Forensic examination of the 
compromised systems should include a review of file hash values, signature mismatches (file 
extension not matching the file header), packed files, crash logs, System Restore points, and the 
pagefile. A temporal analysis of the file systems and event logs should be conducted to identify 
activity around the time the malware became active on the system. Digital investigators should 
also review the Registry for unusual entries, such as in the Autostart locations, and for 
modifications around the time of the malware installation. Keyword searches can be performed to 
find references to the malware and to connections with other compromised hosts. Common attack 
vectors should be recognised, including email attachments, Web browsing history, and unauthorized 
logons. 
According to Aquilina, J.M., Casey, E., and Malin, C.H., “Malware Forensics: Investigating and 
Analyzing Malicious Code” (Syngress, 2008), the investigation should cover the following: 
• Search for known malware 
• Review installed programs 
• Examine Prefetch 
• Inspect executables 
• Review auto-start locations 
• Review scheduled jobs 
• Examine logs 
• Review user accounts 
• Examine the file system 
• Examine the Registry 
• Examine Restore Points 
• Keyword searching 
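The temporal analysis described above (correlating Prefetch, auto-start keys, event logs and file system timestamps around the time the malware became active) is shown below as an added example; it is not code from the original report or from the book cited. The artifacts are constructed in the shape each source presents them (Prefetch file name and last-run time, Run-key value and key last-write time, Security/System event records, file creation times); event IDs 4624 (successful logon, type 10 = RemoteInteractive/RDP) and 7045 (new service installed) are real Windows event IDs, everything else is sample data.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed artifacts (not from a real system), one list per source.
PREFETCH = [  # (prefetch file name, last run, run count)
    ("CHROME.EXE-5E6F7A8B.pf", "2013-05-02T23:38:10", 120),
    ("INVOICE.EXE-1A2B3C4D.pf", "2013-05-02T23:39:50", 1),
]
RUN_KEYS = [  # (key, value name, data, key last-write time)
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\jsmith\AppData\Roaming\updater.exe", "2013-05-02T23:40:05"),
]
EVENTS = [  # (event id, time, account, source address, logon type or None)
    (4624, "2013-05-02T23:38:02", "jsmith", "10.0.0.22", 2),             # interactive logon
    (7045, "2013-05-02T23:40:07", "SYSTEM", "-", None),                  # new service installed
    (4624, "2013-05-03T01:12:40", "Administrator", "203.0.113.77", 10),  # RDP logon
]
FILES = [  # (path, created)
    (r"C:\Users\jsmith\Downloads\invoice.exe", "2013-05-02T23:39:41"),
    (r"C:\Users\jsmith\AppData\Roaming\updater.exe", "2013-05-02T23:40:03"),
]


def build_timeline():
    """Merge every source into one list of (time, source, detail), oldest first."""
    rows = []
    for name, last_run, count in PREFETCH:
        rows.append((ts(last_run), "prefetch", f"{name} last run (run count {count})"))
    for key, value, data, written in RUN_KEYS:
        rows.append((ts(written), "registry", f"{key}\\{value} = {data}"))
    for eid, when, account, src, ltype in EVENTS:
        detail = f"event {eid} account={account} source={src}"
        if ltype is not None:
            detail += f" logon_type={ltype}"
        rows.append((ts(when), "eventlog", detail))
    for path, created in FILES:
        rows.append((ts(created), "filesystem", f"created {path}"))
    return sorted(rows)


def events_within(timeline, pivot, minutes):
    """Everything that happened within +/- `minutes` of the pivot time."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [r for r in timeline if lo <= r[0] <= hi]


def keyword_search(timeline, keywords):
    kws = [k.lower() for k in keywords]
    return [r for r in timeline if any(k in r[2].lower() for k in kws)]


def remote_interactive_logons(timeline):
    """4624 with logon type 10: someone logged on over RDP."""
    return [r for r in timeline
            if r[1] == "eventlog" and "event 4624" in r[2] and "logon_type=10" in r[2]]


if __name__ == "__main__":
    tl = build_timeline()
    pivot = ts("2013-05-02T23:39:50")  # first run of the suspect executable (Prefetch)
    for when, source, detail in events_within(tl, pivot, 1):
        print(when.isoformat(), source, detail)
    for r in remote_interactive_logons(tl):
        print("RDP logon:", r)
```

Pivoting on the first run of the suspect executable and widening the window step by step is usually more productive than reading each artifact source on its own: here the download, the first execution, the dropped file, the Run key and the new service all land inside one minute, and the later RDP logon from an external address is the persistent remote access that the findings section reports.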
Before starting the malware analysis, we need to set up a malware analysis environment, for 
example with VMware or Norton Ghost. VMware provides a virtual analysis environment that can be 
snapshotted and reverted after each run; Norton Ghost is used to re-image a dedicated physical 
analysis machine back to a clean baseline, which is needed for samples that detect or refuse to 
run inside a virtual machine. 
11.1 Static Analysis 
Static analysis is the type of malware analysis that examines the malware without running it. 
Static analysis is safer than dynamic analysis: since the malware program is not executed, there 
is no risk of it deleting or changing files. It is best to perform static malware analysis on a 
different operating system from the one the malware is designed to run on, so that if an 
investigator accidentally double-clicks the sample it cannot affect the analysis system. There are 
many static analysis techniques, such as file fingerprinting (hashing), virus scanning, packer 
detection, string extraction, inspection of the PE file format, and disassembly (Kendall, K., 
2007). 
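The first four static techniques listed above (fingerprinting, string extraction, packer detection and a look inside the PE file format) are shown together in the added example below; it is not code from the original report or from Kendall's material and it uses only the standard library, so it runs on any analysis machine. The samples are minimal PE-shaped byte strings built in memory, constructed so that one looks like a plain binary and the other like a UPX-packed one; they are not executable and not real malware. The packer section-name list and the 7.0 bits/byte entropy threshold are the common heuristics, stated here as assumptions rather than as anything the page specifies.

```python
import hashlib
import math
import re
import struct
from collections import Counter


def build_sample_pe(section_name: bytes, payload: bytes) -> bytes:
    """Constructed, non-executable PE layout: DOS header, PE signature, COFF header,
    one section header and the section's raw data. Enough for the parser below."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # e_lfanew sits at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)      # i386, 1 section, no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40                                  # right after the section table
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\x00"), len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0xE0000020)
    return dos_header + b"PE\x00\x00" + coff + section + payload


# Constructed samples. The "packed" one carries the UPX marker and 2 KiB of
# pseudo-random bytes (derived deterministically from SHA-256 so the example is stable).
PLAIN_TEXT = (b"This program cannot be run in DOS mode.\x00kernel32.dll\x00CreateFileA\x00"
              b"https://example.net/update\x00cmd.exe /c\x00")
OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
PLAIN_SAMPLE = build_sample_pe(b".text", PLAIN_TEXT * 8)
PACKED_SAMPLE = build_sample_pe(b"UPX1", b"UPX!\x00" + OPAQUE_BLOB)

KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2"}


def fingerprint(data: bytes) -> dict:
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, de-duplicated in order of appearance."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return list(dict.fromkeys(r.decode("ascii") for r in runs))


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table; raises ValueError if it is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections = []
    table = e_lfanew + 24 + opt_size
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "characteristics": chars, "sections": sections}


def packer_indicators(pe: dict, entropy_threshold: float = 7.0) -> list:
    hits = []
    for s in pe["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"section {s['name']!r} matches a known packer name")
        if s["entropy"] > entropy_threshold:  # compressed/encrypted data is near 8 bits/byte
            hits.append(f"section {s['name']!r} entropy {s['entropy']:.2f} exceeds {entropy_threshold}")
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):  # unpacks into much more memory than it occupies on disk
            hits.append(f"section {s['name']!r} virtual size far exceeds raw size")
    return hits


def analyse_sample(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"fingerprint": fingerprint(data), "pe": pe,
            "strings": extract_strings(data), "packer_indicators": packer_indicators(pe)}


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        report = analyse_sample(sample)
        print(label, report["fingerprint"]["sha256"], report["packer_indicators"])
        print("  strings:", report["strings"][:6])
```

The hashes are what gets submitted to a virus-scanning service and recorded in the chain-of-custody log; the strings and packer indicators decide what comes next. A packed sample yields almost no useful strings until it is unpacked, which is the usual reason static analysis alone is insufficient and dynamic analysis follows.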
11.2 Dynamic Analysis 
Dynamic analysis is the type of malware analysis in which the malware code is run and its 
behaviour observed; it is also called behavioural malware analysis. Dynamic analysis is not safe 
to conduct unless the analysis environment is isolated from the production network and can be 
sacrificed or reverted afterwards. We analyse the malware by monitoring what it does: the files it 
creates, the registry keys it sets, the processes it spawns and the network connections it makes. 
There are many tools for dynamic malware analysis, but Process Monitor from Sysinternals and 
Wireshark are the most widely used free tools (Kendall, K., 2007). 
According to Kendall, K., (2007), in almost all cases simple static and dynamic analysis together 
will give malware investigators the answers they need about a particular malware sample. 
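As an added example of turning Process Monitor output into the behavioural summary described above (not code from the original report or from Sysinternals), the script below reads a Procmon CSV export, follows the sample's process tree through `Process Create` events, and pulls out dropped executables, auto-start registry writes and outbound connections. The CSV rows are constructed; the column names and operation names (`CreateFile`, `WriteFile`, `RegSetValue`, `Process Create`, `TCP Connect`) are Procmon's own, but the exact `Path`/`Detail` formatting is an assumption, in particular that network paths are exported with numeric ports ("Show Resolved Network Addresses" turned off). Fan-out to several hosts on port 25 is used as the spamming indicator.

```python
import csv
import io
import re

# Constructed Procmon CSV export (not a real capture). Document-range addresses only.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:39:50.1234567 PM","invoice.exe","1337","Load Image","C:\Windows\System32\wininet.dll","SUCCESS","Image Base: 0x76b00000, Image Size: 0x1d4000"
"11:39:50.4412345 PM","invoice.exe","1337","CreateFile","C:\Users\jsmith\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"11:39:50.4520000 PM","invoice.exe","1337","WriteFile","C:\Users\jsmith\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 61,440"
"11:40:05.0100000 PM","invoice.exe","1337","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\Users\jsmith\AppData\Roaming\updater.exe"
"11:40:06.9000000 PM","invoice.exe","1337","Process Create","C:\Users\jsmith\AppData\Roaming\updater.exe","SUCCESS","PID: 2040, Command line: ""C:\Users\jsmith\AppData\Roaming\updater.exe"" /silent"
"11:40:12.0000000 PM","updater.exe","2040","TCP Connect","FIN02:49201 -> 203.0.113.77:8080","SUCCESS","Length: 0, mss: 1460"
"11:40:13.0000000 PM","updater.exe","2040","TCP Connect","FIN02:49202 -> 198.51.100.25:25","SUCCESS","Length: 0, mss: 1460"
"11:40:13.5000000 PM","updater.exe","2040","TCP Connect","FIN02:49203 -> 198.51.100.26:25","SUCCESS","Length: 0, mss: 1460"
"11:40:14.0000000 PM","chrome.exe","3001","CreateFile","C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\Cookies","SUCCESS","Desired Access: Generic Read"
"11:40:15.0000000 PM","chrome.exe","3001","TCP Connect","FIN02:49204 -> 198.51.100.99:443","SUCCESS","Length: 0, mss: 1460"
'''

PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\", "\\winlogon\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs", ".ps1")


def parse_endpoint(path):
    """'host:port -> host:port' as Procmon writes it; returns (remote host, port) or None.
    Assumes numeric ports; bracketed IPv6 literals are not handled."""
    m = re.search(r"->\s*([^:\s]+):(\d+)\s*$", path)
    return (m.group(1), int(m.group(2))) if m else None


def triage_procmon(csv_text, sample_name):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Start from the sample's own PIDs and add every child it creates (file order is
    # chronological, so a parent is always tracked before its child's creation row).
    tracked = {r["PID"] for r in rows if r["Process Name"].lower() == sample_name.lower()}
    for r in rows:
        if r["Operation"] == "Process Create" and r["PID"] in tracked:
            m = re.search(r"PID:\s*(\d+)", r["Detail"])
            if m:
                tracked.add(m.group(1))

    dropped, persistence, endpoints, children = set(), [], [], []
    for r in rows:
        if r["PID"] not in tracked:
            continue  # activity of unrelated processes (the browser here) is noise
        op, path = r["Operation"], r["Path"]
        if op == "WriteFile" or (op == "CreateFile" and "Generic Write" in r["Detail"]):
            if path.lower().endswith(EXECUTABLE_EXT):
                dropped.add(path)
        elif op == "RegSetValue" and any(k in path.lower() for k in PERSISTENCE_KEYS):
            data = re.search(r"Data:\s*(.*)$", r["Detail"])
            persistence.append((path, data.group(1) if data else r["Detail"]))
        elif op in ("TCP Connect", "UDP Send"):
            ep = parse_endpoint(path)
            if ep:
                endpoints.append(ep)
        elif op == "Process Create":
            children.append(path)
    smtp_targets = sorted({host for host, port in endpoints if port == 25})
    return {
        "tracked_pids": tracked,
        "dropped_files": sorted(dropped),
        "persistence": persistence,
        "child_processes": children,
        "endpoints": endpoints,
        "smtp_targets": smtp_targets,
        "spam_indicator": len(smtp_targets) >= 2,  # assumption: direct SMTP fan-out to several hosts
    }


if __name__ == "__main__":
    for key, value in triage_procmon(SAMPLE_PROCMON_CSV, "invoice.exe").items():
        print(f"{key}: {value}")
```

Following the process tree is the important part: the sample itself never touches the network, so filtering Procmon on the sample's name alone would miss the connections that the dropped `updater.exe` makes. The endpoints found here are what to look for next in the Wireshark capture from the same run.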
12. Findings 
After our investigation, we summarize our findings as follows: 
• Identified the attacker's persistent remote access to the company's computers. 
• The forensic analysis confirmed that the systems had been compromised. 
• OS patches were not installed on some systems. 
• Suspected malware was found on the compromised systems. 
• Identification of that malware, its functionality and its aim led us to conclude that it is 
‘spamming’ malware. 
• Determined that the attackers gained access to the client's systems using the malware, by 
supplying a fraudulent website link for the payment gateway. 
13. Remedial Actions 
The most common ways for malicious software to enter a network were considered above. From 
this, two important conclusions follow: 
• Most of the described methods are in some way related to the human factor; therefore, 
training employees, with periodic refresher training on security, will enhance network security. 
• Frequent compromises of legitimate websites mean that even a competent user can infect his 
or her computer. Therefore the classic protective measures come to the fore: antivirus 
software, timely installation of the latest updates, and monitoring of Internet traffic. 
According to Shinder, D.L., and Cross, M., (2002), the major countermeasures to protect against 
malware are: 
• Authentication and password protection 
• Antivirus software 
• Firewalls (hardware or software) 
• DMZ (demilitarized zone) 
• IDS (Intrusion Detection System) 
• Packet filters 
• Routers and switches 
• Proxy servers 
• VPN (Virtual Private Networks) 
• Logging and audit 
• Time-based access control 
• Proprietary software/hardware not available in the public domain 
In our case, the most useful are the following: 
• Firewall (with web content filtering) 
• Logging and audit 
A firewall that performs web content filtering checks every Web page before it reaches the user's 
computer. Each page is intercepted and scanned for malicious code. If a page accessed by the user 
contains malicious code, access to it is blocked and a notification is displayed that the 
requested page is infected. If the page does not contain malicious code, it is passed straight 
through to the user. 
By logging we mean collecting and storing information about events that occur in the information 
system: for example, who tried to log on to the system and when, and whether the attempt 
succeeded; which information resources were used and by whom; and who modified which 
information resources. 
Audit is the analysis of the accumulated data, conducted promptly, almost in real time (Shinder, 
D.L., and Cross, M., 2002). Implementing logging and audit serves the following main 
objectives: 
• accountability of users and administrators; 
• the ability to reconstruct events; 
• detection of attempted violations of information security; 
• information for identifying and analysing problems. 
13.1 Security Policies 
The fullest criteria for evaluating organisational-level security mechanisms are presented in the 
international standard ISO 17799, Code of Practice for Information Security Management, 
adopted in 2000. ISO 17799 is the international version of the British Standard BS 7799. It 
contains practical rules for information security management and can be used as criteria for 
assessing organisational-level security mechanisms, including administrative, procedural and 
physical security measures (ISO/IEC 17799:2005). The 2005 edition was renumbered ISO/IEC 
27002 in 2007; the section structure given below is that of the 2005 edition. 
Practical rules are divided into the following sections: 
• security policy; 
• organization of information security; 
• asset management; 
• human resources security; 
• physical and environmental security; 
• communications and operations management; 
• access control; 
• information systems acquisition, development and maintenance; 
• information security incident management; 
• business continuity management; 
• compliance. 
These sections describe the organisational-level security mechanisms currently implemented in 
government and commercial organisations worldwide (ISO/IEC 17799:2005). 
Several questions arise when an organisation's business requirements for using the Internet are 
considered. What software, hardware and organisational measures must be implemented to meet 
the needs of the organisation? What are the risks? What ethical standards should the organisation 
follow when carrying out its tasks with the help of the Internet? Who should be responsible for 
this? The basis for answering these questions is a conceptual security policy for the 
organisation (Swanson, M., 2001).
The next section contains fragments of hypothetical security policies for safe work on the 
Internet. These fragments were designed based on an analysis of the major types of security 
controls. Security policies can be divided into two categories: technical policy, implemented 
using hardware and software, and administrative policy, carried out by the people using the 
system and the people running it (Swanson, M., 2001). 
Common Security Policy for an Organisation: 
1. Any information system must have a security policy. 
2. The security policy must be approved by the management of the organisation. 
3. The security policy should reach all employees in a simple and understandable form. 
4. The security policy should include: 
• a definition of information security, its main objectives and its scope, as well as its 
importance as a mechanism that allows information to be shared collectively; 
• the position of leadership on the purposes and principles of information security; 
• general and specific responsibilities for providing information security; 
• links to documents related to the security policy, such as detailed security guidelines or 
rules for users. 
5. The security policy must satisfy certain requirements: 
• correspond to national and international legislation; 
• contain provisions for training personnel on security issues; 
• include instructions for the detection and prevention of malicious software; 
• define the consequences of violations of the security policy; 
• consider business continuity requirements. 
6. A person must be designated as responsible for the procedure of reviewing and updating the 
provisions of the security policy. 
7. The security policy must be revised in the following cases: 
• changes in the organisational infrastructure of the organisation; 
• changes in the technical infrastructure of the organisation. 
8. The following characteristics are subject to regular review: 
• the cost and impact of countermeasures on the organisation's performance (ISO/IEC 
17799:2005). 
14. Reporting 
A forensic report presents the evidence in court; it also helps in gathering more evidence and 
can be used in court hearings. The report must state the investigation's scope. A computer 
forensic investigator must be aware of the types of computer forensic reporting: formal report, 
written report, verbal report and examination plan. A formal report contains the facts from the 
investigation findings. A written report is like a declaration or an affidavit that can be sworn 
to under oath, so it must be clear, precise and detailed. A verbal report is less structured and 
is a preliminary report that addresses the areas of the investigation not yet covered. An 
examination plan is a structured document that helps the investigator anticipate the questions 
to expect when justifying the evidence; it also helps the attorney understand the terms and 
functions used in the computer forensic investigation (Nelson, B., et al., 2008). Generally a 
computer forensic report contains the following sections: 
• Purpose of the report 
• Author of the report 
• Incident summary 
• Evidence 
• Analysis 
• Conclusions 
• Supporting documents 
There are many forensic tools that can generate the forensic investigation report, such as 
ProDiscover, FTK and EnCase (Nelson, B., et al., 2008). 
15. Conclusions 
This report has described how to conduct a Computer Forensic Investigation and a Malware 
Investigation with various methods and tools. It has also covered the ACPO's four principles and 
the ISO 17799 security policy procedures that should be implemented in every organisation to 
improve the security of the network architecture. It analysed the First Four Step Forensic 
Investigation model and why we chose that model to conduct the forensic investigation for this 
case, as well as the important preparation steps to take before starting the investigation. The 
analysis part examined the data gathered by various methods to yield the findings, and the report 
closes with recommendations to avoid a security breach in future. 
A digital forensic investigation is a challenging process, because every incident differs from 
the others. A computer forensic investigator must be competent in both the technical and the 
legal aspects of the investigation. Since the evidence provided by a computer forensic 
investigator can be an important part of the case, the investigation report must be precise and 
detailed.
Deliverables 
Your deliverable in this assignment is a 5,000 word report discussing how you would approach the 
following: 
• Malware investigation 
• Digital Forensic Investigation 
You should discuss a general overview of the methodology that you will use, and provide a reasoned 
argument as to why the particular methodology chosen is relevant. 
You should also discuss the process that you will use to collect evidence and discuss the relevant 
guidelines that need to be followed when collecting digital evidence. 
As a discussion contained within your report, you should also provide a critical evaluation of the existing 
tools and techniques that are used for digital forensics or malware investigations and evaluate their 
effectiveness, discussing such issues as consistency of the approaches adopted, the skills needed by the 
forensic investigators, and the problems related with existing methodologies (especially with respect to 
the absence of any single common global approach to performing such investigations and the problems 
that can result when there is a need to perform an investigation that crosses international boundaries). 
MALWARE INVESTIGATION 
When investigating an incident that involves malicious software, it helps to understand the 
context of the infection before starting to reverse the malware specimen. Some of the ways to 
accomplish this are: 
• Examining the websites that may be associated with the incident, often because they 
are suspected of hosting exploits that acted as the infection vector 
• Obtaining reputational data about the IP addresses of systems involved in the incident, 
often because they are suspected of hosting malicious files that were dropped on the 
system, or of acting as the command and control server for the attacker 
• Looking up the IP addresses associated with the infected organization in blocklists, to 
determine whether additional systems may have been performing malicious activities and 
may have been compromised 
• Performing automated behavioural analysis of the malware involved in the incident, to 
get a general sense of its characteristics and plan subsequent manual reverse-engineering 
tasks

Holdier Curriculum Vitae (April 2024).pdfagholdier
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 

Último (20)

Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 

Malware analysis

1. Introduction

Computer technology is an integral part of everyday life, and it is growing rapidly, as are computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual property theft. To counter these computer-related crimes, computer forensics plays a very important role. "Computer Forensics involves obtaining and analyzing digital information for use as evidence in civil, criminal or administrative cases" (Nelson, B., et al., 2008).

A computer forensic investigation generally examines data taken from computer hard disks or other storage devices, following standard policies and procedures, to determine whether those devices have been compromised by unauthorized access. Computer forensic investigators work as a team to investigate the incident and conduct the forensic analysis using various methodologies (e.g. static and dynamic analysis) and tools (e.g. ProDiscover or EnCase) to ensure that the organization's network is secure. A successful computer forensic investigator must be familiar with the laws and regulations on computer crime in their country (e.g. the Computer Misuse Act 1990 in the UK), with various operating systems (e.g. Windows, Linux) and with network operating systems (e.g. Windows NT). According to Nelson, B., et al. (2008), public investigations and private or corporate investigations are the two distinct categories of computer forensics investigation. Public investigations are conducted by government agencies, and private investigations by private computer forensic teams. This report focuses on a private investigation, since the incident occurred at a new start-up SME based in Luton.
This report also covers a computer investigation model, data collection and its types, evidence acquisition, forensic tools, malware investigation and the legal aspects of computer forensics, and finally provides the recommendations, countermeasures and policies needed to place this SME in a secure network environment.

2. Case Study

A new start-up SME (small to medium enterprise) based in Luton with an e-government model has recently begun to notice anomalies in its accounting and product records. It has undertaken an initial check of system log files, and there are a number of suspicious entries and IP addresses with a large amount of data being sent outside the company firewall. It has also recently received a number of customer complaints saying that a strange message is often displayed during order processing, and that customers are often redirected to a payment page that does not look legitimate.

The company makes use of a general-purpose e-business package (osCommerce) and has a small team of six IT support professionals, but they do not feel that they have the expertise to carry out a full-scale malware/forensic investigation. As there is increased competition in the hi-tech domain, the company is anxious to ensure that its systems are not being compromised, and it has employed a digital forensic investigator to determine whether any malicious activity has taken place and to ensure that there is no malware within its systems.

Your task is to investigate the team's suspicions and to suggest to the team how they may be able to disinfect any machines affected with malware, and to ensure that no other machines on their premises or across the network have been infected. The team also wants you to carry out a digital forensic investigation to see whether you can trace the cause of the problems and, if necessary, to prepare a case against the perpetrators. The company uses Windows NT Server for its servers. Patches are applied by the IT support team on a monthly basis, but the team has noticed that a number of machines do not seem to have been patched.

Deliverables

Your deliverable in this assignment is a 5,000 word report discussing how you would approach the following:
- Malware investigation
- Digital forensic investigation

You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant. You should also discuss the process that you will use to collect evidence and the relevant guidelines that need to be followed when collecting digital evidence. Within your report you should also provide a critical evaluation of the existing tools and techniques used for digital forensics or malware investigations and evaluate their effectiveness, discussing such issues as the consistency of the approaches adopted, the skills needed by forensic investigators, and the problems related to existing methodologies (especially the absence of any single common global approach to performing such investigations, and the problems that can result when an investigation crosses international boundaries).

3. Association of Chief Police Officers (ACPO)

This forensic investigation will be conducted in accordance with the Association of Chief Police Officers (ACPO) guidelines and their four principles. These four ACPO principles apply to computer-based electronic evidence and must be followed by anyone conducting a computer forensic investigation. In summary (ACPO, 2013):

Principle 1: Data held on a computer or storage media must not be altered or changed, as that data may later be relied upon in court.
Principle 2: A person must be competent to handle the original data held on a computer or storage media if it is necessary to access it, and must be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and the ACPO principles are adhered to.

4. Computer Investigation Model

According to Kruse II, W.G., and Heiser, J.G. (2010), a computer investigation identifies the evidence, preserves it, extracts it, documents every process, validates the evidence and analyses it to find the root cause, and from that provides recommendations or solutions. "Computer Forensics is a new field and there is less standardization and consistency across the courts and industry" (US-CERT, 2012). Each computer forensic model is focused on a particular area such as law enforcement or electronic evidence discovery. No single digital forensic investigation model has been universally accepted. However, it is generally accepted that a digital forensic model framework must be flexible, so that it can support any type of incident and new technologies (Adam, R., 2012).

Kent, K., et al. (2006) developed a basic digital forensic investigation model called the Four Step Forensics Process (FSFP), drawing on Venter's (2006) idea that a digital forensics investigation can be conducted even by non-technical persons. This model gives more flexibility than any other model, so that an organization can adopt the most suitable approach for the situation that has occurred. These are the reasons we chose this model for this investigation.

FSFP contains the following four basic processes (Collection, Examination, Analysis and Reporting), as shown in the figure:

Figure 1: FSFP Forensic Investigation Model
Source: Kent, K., et al. (2006)

The "Preserve and Document Evidence" arrow indicates that we must preserve and document all evidence during the course of the investigation, as in some cases it will be submitted to court as evidence. We discuss each process or stage of the FSFP investigation model in the following sections.

5. Scope of Investigation

The scope of the forensic investigation for this case is as follows:
- To identify the malicious activities with respect to the 5Ws (Why, When, Where, What, Who).
- To identify the security lapses in the network.
- To find out the impact if the network system was compromised.
- To identify the legal procedures, if needed.
- To provide the remedial action needed to harden the system.

6. Legal Challenges of Investigation

According to Nelson, B., et al. (2008), the legal challenges to address before we start our forensic investigation are as follows:
- Determining whether law enforcement assistance is needed; if so, they may be available for assistance during the investigation, or else we submit the investigation report to them at the end of the investigation.
- Obtaining written permission to conduct the forensic investigation, unless another incident response authorization procedure is in place.
- Discussing with legal advisers the potential issues that could be raised by improper handling of the investigation.
- Ensuring that the client's confidentiality and privacy obligations are accounted for.

7. Initial Preparation

Before starting the investigation we need to prepare, so that the investigation can be conducted efficiently. This is considered a proactive measure of the investigation (Murray, 2012). The following steps need to be taken in the preparation stage:
- Gathering all available information from an assessment of the incident, such as its severity.
- Identifying the impact of the investigation on the SME's business, such as network downtime, the duration of recovery from the incident, loss of revenue and loss of confidential information.
- Obtaining information on the network: network devices such as routers, switches and hubs, network topology documentation, computers, servers, the firewall and the network diagram.
- Identifying external storage devices such as pen drives, flash drives, external hard disks, CDs, DVDs, memory cards and remote computers.
- Identifying the forensic tools that can be used in this investigation.
- Capturing live network traffic with 'netmon' tools, in case the suspicious activity is still running.
- Documenting all activities during the investigation, which may be used in court to verify the course of action followed.
- Imaging the target devices' hard drives and hashing the images for data integrity. MD5 alone is no longer adequate, since MD5 collisions are practical; record a SHA-2 hash (e.g. SHA-256) alongside it.

8. Collection

"The collection phase is the first phase of this process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data" (CJCSM 6510.01B, 2012). Two different types of data can be collected in a computer forensics investigation: volatile data and non-volatile (persistent) data. Volatile data exists only while the system is powered on and is lost when it is powered off, e.g. the contents of Random Access Memory (RAM), the in-memory portions of the registry, and caches. Non-volatile data persists whether the system is on or off, e.g. documents on the hard disk. Since volatile data is short-lived, a computer forensic investigator must know the best way to capture it. Evidence can be collected locally or remotely.

8.1 Volatile Data

The following figure shows how to capture the volatile data. The forensic workstation must be located in the same LAN as the target machine, in this case the Windows NT Server. The 'cryptcat' tool can be used on the forensic workstation to listen on a port for data sent from the Windows NT Server. On the server, mount the trusted toolset optical drive, open the trusted console (cmd.exe from that media) and pipe the output of each trusted tool to the workstation with a command of the form:

<trusted tool> | cryptcat <forensic workstation IP address> 6543 -k <key>

To capture the data at the forensic workstation, we use the following command:

cryptcat -l -p 6543 -k <key> >> <file name>
Figure 2: Volatile data collection setup
Source: Reino, A. (2012)

The following table shows the graphical user interface tools, with their usage and outcome, that can be used in the computer forensic investigation.

Table 1: Volatile Data Forensic Tools and their usage and outcome
Source: Reino, A. (2012)

We also use various Windows-based tools to capture the volatile data, as follows:
- HBGary's FastDump: local physical memory acquisition.
- F-Response: remote physical memory acquisition.
- ipconfig: collecting the subject system's network details.
- net user and quser: identifying accounts and logged-in users.
- doskey /history: collecting command history.
- net file: identifying files opened over the network; services and drivers are listed with sc query and driverquery.

Finally, collecting the clipboard contents is also very important in a computer forensic investigation. More evidence can be found on a machine that is still running, so if the anomalies are still present at the SME, we can retrieve a lot of important evidence from the running processes, the network connections and the data stored in memory. A great deal of evidence exists only while the machine is in this volatile state, so it must be ensured that the affected computers are not shut down before such evidence is collected.

8.2 Non-Volatile Data

Once the volatile data has been captured, we look at the non-volatile data. The first step in non-volatile data collection is to copy the entire contents of the target system. This is also called "forensic imaging". Imaging preserves the original data as evidence, so that nothing is altered or damaged during the forensic investigation. Forensic images are created with forensic tools such as EnCase, ProDiscover and FTK. A forensic investigator connects the target drive through a write blocker and copies its entire contents to another storage device using one of those tools.

Hard drive cloning is simply making a duplicate of the entire drive. The difference between forensic imaging and hard drive cloning is that a clone is a sector-by-sector copy written to another physical drive, which can be mounted and read directly, whereas a forensic image is a file (a raw dd-style image, or a container format such as EnCase's E01). A raw image contains only the copied sectors, bit for bit, with nothing added. A container-format image additionally carries metadata such as hashes and timestamps, compresses empty blocks, and needs forensic tools that understand the format to open it.
Forensic images are hashed with MD5 or SHA-2 to ensure the integrity of the digital evidence (Nelson, B., et al., 2008). Because MD5 collisions are practical, the SHA-2 hash (e.g. SHA-256) should be the one relied upon, with MD5 recorded only for compatibility with tools that still expect it.

Data collection can be done as an offline investigation or an online investigation. Forensic imaging is done offline. Live network traffic is captured online, using Wireshark (formerly Ethereal). Firewall logs, antivirus logs and domain controller logs are collected for the investigation as part of the non-volatile data collection. We also collect the web server logs, Windows event logs, database logs, IDS logs and application logs. Once we have collected all the digital evidence, it must be documented in the chain of custody log. The chain of custody log maintains the integrity of the evidence from the start of the investigation until the investigation report is presented (Nelson, B., et al., 2008).

Before carrying out any further processing, we image the disk bit by bit, which reads the entire volume and copies the original media, including deleted files. After the disk is imaged, we hash everything, which establishes that the data is authentic and lets us show that its integrity has been maintained throughout the investigation. The hash values must be recorded in multiple locations, and we must ensure that we do not make any changes to the data from the time of collection until the end of the investigation. Most tools help achieve this by accessing the media in a read-only state (SANS, 2010). The target systems' hard drives, external storage devices and the Windows NT Server hard drive must be acquired for the digital forensic investigation in this case.

9. Examination

Once we have gathered all the available evidence, we conduct the examination with the help of various computer forensic investigation tools. We examine the file system, the Windows registry, and the network and database evidence, as follows.

9.1 File System Examination

NTFS is the New Technology File System. In NTFS everything on the volume is a file, including the file system's own structures. The MFT is the Master File Table, which contains an entry for every file and directory on the volume, and it is itself the first file in NTFS. The records in the MFT are also called metadata; metadata is data about data (Nelson, B., et al., 2008). File contents can be stored in two ways: resident and non-resident. A small file (roughly 512 bytes or less, depending on the space left in its MFT record) fits inside its MFT record and is stored as a resident file, while a larger file is stored in clusters outside the MFT as a non-resident file. When a file is deleted in Windows NT, the OS renames it with a unique identifier and moves it to the Recycle Bin; the original path and file name are recorded in the INFO2 file. If a file is then deleted from the Recycle Bin, its clusters are marked as available for new data. NTFS is more efficient than FAT, as it is faster in reclaiming its deleted space.

NTFS also supports alternate data streams: additional named streams of data can be attached to an existing file, and they are not shown by a normal directory listing.
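As an added example of the imaging, hashing and chain of custody steps just described (this code is not part of the original report), the following Python script hashes a raw image in one pass, records the examiner, source and hashes in a chain-of-custody log, and later re-verifies the image. The image file and the examiner and source names are constructed for the example; it treats SHA-256 as the authoritative hash and keeps MD5 only for compatibility with tools that still expect it.

```python
"""Hash a forensic image and verify it later against the chain-of-custody record.

Added example (not from the original report). It assumes the image is a plain
raw file on disk; the sample image below is constructed in a temporary file.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read the image in 1 MiB chunks so large images fit in memory


def hash_image(path):
    """Return MD5 and SHA-256 hex digests of the file at `path`, read in one pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(path, examiner, source, log_path):
    """Append a chain-of-custody entry (who, what, when, hashes) to a JSON-lines log."""
    entry = {
        "image": os.path.basename(path),
        "source": source,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        **hash_image(path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_image(path, entry):
    """Re-hash the image and compare it with the recorded entry.

    SHA-256 is the authoritative check; MD5 is reported only because many
    older tools still expect it, and a matching MD5 with a mismatching
    SHA-256 must be treated as a failure.
    """
    current = hash_image(path)
    return {
        "sha256_ok": current["sha256"] == entry["sha256"],
        "md5_ok": current["md5"] == entry["md5"],
        "size_ok": os.path.getsize(path) == entry["size_bytes"],
    }


def demo():
    """Acquire, record and verify a constructed sample image; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "nt_server_disk0.dd")
        log = os.path.join(tmp, "chain_of_custody.jsonl")
        with open(image, "wb") as fh:  # constructed sample: not a real disk image
            fh.write(b"abc")
        entry = record_acquisition(image, "examiner-1", "Windows NT Server disk 0", log)
        clean = verify_image(image, entry)
        with open(image, "ab") as fh:  # simulate the image being altered after acquisition
            fh.write(b"!")
        tampered = verify_image(image, entry)
    return entry, clean, tampered


if __name__ == "__main__":
    e, ok, bad = demo()
    print(e["sha256"], ok, bad)
```

On a real acquisition the log file would be written to separate, write-protected media and its hashes copied into the paper chain of custody form, so that the values exist in more than one location as the text requires.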
An alternate data stream can be written as follows:

C:\>echo text_mess > file1.txt:file2.txt

and read back with the following command:

C:\>more < file1.txt:file2.txt

W2K.Stream and Win2K.Team are viruses that used data streams, written with the intention of altering the original data stream. As investigators, we must know the Windows file systems FAT and NTFS in depth (Nelson, B., et al., 2008).

9.2 Windows Registry Examination

According to Carvey, H. (2005), the registry can be treated as a log file because it contains data a forensic investigator can retrieve: every registry key carries a "LastWrite" time, stored as a FILETIME, which records when the key was last modified. With files it is often difficult to get a precise date and time of modification, but the LastWrite time shows when that registry key was last changed. Fantastic will follow the steps (Carvey, H., 2005) listed below to analyse the organization's Windows registry, so that problems inside and outside the organization are identified and resolved and the company's reputation is protected.

The Windows registry is a hierarchical database used by Microsoft in Windows 98, Windows CE, Windows NT and Windows 2000 to store user, application and hardware configuration, which is consulted during the execution of programs and processes (Windows, 2013). The registry is divided into root keys, commonly called "hives":
- HKEY_CLASSES_ROOT: file type associations and COM class registrations, which determine which program is launched for a given file or object.
- HKEY_CURRENT_USER: the settings of the user currently logged into the system.
- HKEY_LOCAL_MACHINE: information about the hardware, drives, installed software and system configuration.
- HKEY_USERS: the settings of all users with a profile on the system.
- HKEY_CURRENT_CONFIG: the hardware profile currently in use.

The Windows registry holds both volatile and non-volatile information. An investigator must therefore be familiar with the meaning and function of the hives, keys, values and data of the Windows registry before undertaking any forensic investigation of a computer, in order to produce a successful forensic investigation report.

Autostart locations are locations in the registry from which applications are launched without user initiation. Through these, malware affecting the Luton SME can run persistently whenever the machine is turned on, without direct user interaction, because it was registered to start automatically or to run when a user executes certain commands or processes. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options is a registry key whose subkeys an attacker can use to redirect the launch of an application's original copy to a trojaned copy (Carvey, H., 2005).
The Luton SME might be under exactly this kind of attack: a redirect of the customer payment page to an illegitimate one. A forensic investigator can examine the autostart locations to determine whether the Luton SME's problem results from an action performed by a user, by malware or by an attacker on the organization. According to Carvey, H. (2005), the reliable way to review autostart locations is the AutoRuns tool from Sysinternals, which lists the autostart locations and their contents.

User activity: the actions and activities of a user can be investigated in the HKEY_CURRENT_USER hive, which is mapped from the user's subkey under HKEY_USERS\<SID>. The NTUSER.DAT file holds the user's own registry settings. Examination of this hive gives a forensic investigator a good picture of the activities and actions taken by a user.

Most Recently Used (MRU) lists: an MRU list holds the most recent instances of a specific action taken by a user and so keeps track of activity for future reference. For example, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU maintains the list of commands a user has run from the Run box. Each command executed from the Run box adds a value to this key, as shown below:

Figure 3: Contents of the Explorer\RunMRU key.
Source: Carvey, H. (2005)

A forensic investigator can study this key, together with its LastWrite time, to establish when the most recent command in the MRU list was run. With this, the Luton SME's investigator can determine from the registry whether user activity, malware or an attack is affecting the organization.

UserAssist: according to Carvey, H. (2005), the UserAssist key, found at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, contains two subkeys that look like globally unique identifiers; beneath them are ROT-13 encoded records of each object, application, etc. the user has accessed on the system. Decoding these records shows which programs the user launched, and may indicate an action by the user that triggered the malware through an application or some other activity.

USB removable storage: according to Farmer, College and Vermont (2008), all USB storage devices that have been connected to the system are recorded in the registry under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR. The figure below shows example device instance IDs of a USB thumb drive:

Figure 4: Example contents of the USBSTOR key, showing device instance IDs.
Source: Carvey, H. (2005)

By examining the device instance IDs recorded in this key, together with the mounted drive information, an investigator can tell which devices have been connected to machines at the Luton SME organization. With careful examination of each value, an investigator can identify removable USB storage devices and map them to the ParentIdPrefix value.

Wireless SSIDs: according to Carvey, H. (2005), the SSIDs of wireless networks used on a computer can be found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces. This key contains subkeys that look like globally unique identifiers; when opened, each holds an ActiveSettings value in which the wireless SSID is stored as binary data. Opening the value in the registry editor's modify dialog reveals the SSID in plain text. IP addresses and other network information can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, and an investigator can use this information to tie a user in the Luton SME organization to a particular timeframe if that person's IP address is found there.

The Windows registry can be a vital source of evidence in a forensic investigation if the investigator knows where to find data that can be presented clearly to the Luton SME organization. Fantastic has analysed some of the basic Windows registry locations that might explain the redirection of its web page, tracked user activity and all the programs a user has executed and the devices used on the server or on any of the organization's computers, and has also recovered the IP addresses of users.

9.3 Network Forensics Examination

Network forensics is the acquisition, collection and analysis of the events that take place on a network. It is sometimes also known as packet forensics or packet mining.
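Before turning to network evidence, the following Python example, added here and not taken from the original report, pulls together the registry artefacts discussed in section 9.2: it converts a key's LastWrite FILETIME to a readable time, orders the RunMRU commands using the MRUList value, decodes ROT-13 UserAssist names, and flags Image File Execution Options entries that carry a Debugger value. The key contents it works on are constructed sample data; on a real examination they would be read from the live registry or from an NTUSER.DAT or SOFTWARE hive with an offline hive parser.

```python
"""Decode registry artefacts (LastWrite, RunMRU, UserAssist, IFEO) from values
already extracted from a hive.

Added example, not from the original report. The sample key data below is
constructed, not taken from a real system; the functions take plain dicts so
they work the same whether the values came from the live registry or from an
offline hive parser.
"""
import codecs
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a key's LastWrite FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def order_runmru(values):
    """Return the RunMRU commands most-recent-first.

    `values` maps the value names of ...\\Explorer\\RunMRU to their data. The
    MRUList value holds the single-letter value names in recency order, and
    each command is stored as '<command>\\1'.
    """
    order = values.get("MRUList", "")
    return [values[letter].rsplit("\\1", 1)[0] for letter in order if letter in values]


def decode_userassist(name):
    """UserAssist value names are ROT-13 encoded; decode one."""
    return codecs.decode(name, "rot13")


def find_ifeo_debuggers(ifeo):
    """Flag Image File Execution Options entries that redirect a program.

    `ifeo` maps each subkey (an executable name) to its values. A 'Debugger'
    value makes Windows launch that path instead of the named program, which
    is the redirection technique described in the text.
    """
    return sorted(
        (exe, vals["Debugger"]) for exe, vals in ifeo.items() if "Debugger" in vals
    )


# Constructed sample data standing in for extracted registry content.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "\\\\10.0.0.5\\share\\update.exe\\1",
}
SAMPLE_RUNMRU_LASTWRITE = 116444736000000000  # FILETIME of 1970-01-01 00:00:00 UTC
SAMPLE_USERASSIST = ["HRZR_EHACNGU", "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"]
SAMPLE_IFEO = {
    "notepad.exe": {},
    "sethc.exe": {"Debugger": "C:\\Windows\\System32\\cmd.exe"},
}


def analyse_samples():
    """Run every decoder over the sample data and return the findings."""
    return {
        "runmru_last_write": filetime_to_datetime(SAMPLE_RUNMRU_LASTWRITE),
        "runmru": order_runmru(SAMPLE_RUNMRU),
        "userassist": [decode_userassist(n) for n in SAMPLE_USERASSIST],
        "ifeo_redirects": find_ifeo_debuggers(SAMPLE_IFEO),
    }


if __name__ == "__main__":
    for key, value in analyse_samples().items():
        print(f"{key}: {value}")
```

Note that only keys carry a LastWrite time, not individual values, so the RunMRU key's LastWrite dates the most recent entry in the list (the first one returned by order_runmru) rather than every command in it.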
The basic objective of network forensics is the same: to collect information about the packets in the network traffic, such as e-mails, queries and web browsing, keep this information at one source and carry out further inspection (WildPackets, 2010). Network forensics can be applied in two main ways. The first is security-related, where a network is monitored for suspicious traffic and any kind of intrusion. An attacker can delete all the log files from an infected host, and in that situation network-based evidence comes into play in the forensic analysis. The second application is related to law enforcement, where captured network traffic can be worked on to collect the files that were transferred through the network, to search for keywords and to analyze human communication conducted through e-mail or similar sessions (Hunt, 2012).

9.3.1 Tools and Techniques of Network Forensics
We can perform any operation with a forensically sound bootable DVD/CD-ROM, USB flash drive or even a floppy disk. First we need to dump the memory, preferably onto a USB flash drive of sufficient size. We must also undertake a risk assessment before collecting volatile data, to evaluate whether it is safe and relevant to collect such live data, which can be very useful in an investigation. Forensic toolkits should be used throughout the process, as this helps meet the requirements of a forensic investigation. These tools should be trusted; they can be acquired from among the freely distributed ones or the commercial ones (7safe, 2013).

Some very important, discrete pieces of information should be collected from a running machine with the help of trusted tools, such as:

• Process listings
• Service listings
• System information
• Logged-on and registered users
• Network connections
• Registry information
• Binary dump of memory (7safe, 2013)

There are many different kinds of network forensics tools, each with different functions. Some are just packet sniffers, and others deal with identification, fingerprinting, location, mapping, e-mail communications, web services, etc. The table below lists some of the open-source tools that can be used for network forensics and their functionalities (Hunt, 2012).

Tool              Platform         Web Site               Attributes
TCPDump/Windump   Unix & Windows   www.tcpdump.org        F
NetStumbler       Windows          www.netstumbler.com    F
Wireshark         Unix & Windows   www.wireshark.org      F
Sleuth Kit        Unix             www.sleuthkit.org      F R C
Argus             Unix             www.qosient.com/argus  F L
SNORT             Windows/Unix     www.snort.org          F

F: Filter & collect; L: Log analysis; R: Reassembly of data stream; C: Correlation of data; A: Application layer view

Table 2: Network Forensic Tools. Source: (Hunt, 2012)

9.4 Database Forensics Examination

A database is a collection of data or information represented in the form of a file or a collection of files. Data is retrieved from the database with a set of queries. Database forensics can be defined as the application of computer investigation and analysis techniques to gather evidence from a database in order to present it in a court of law. A forensic investigation needs to be carried out on databases because a database holds sensitive data, and there is a high chance of a security breach by intruders seeking this personal information. The case study mentions that a large amount of data is being sent out of the database, so the task of the Fantastic team is now to perform a forensic investigation on the database with the help of forensic tools.

Database forensics focuses on the identification, preservation and analysis of data. According to Khanuja, H.K., and Adane, D.S., (2011), to access the database users need permissions, namely authentication and authorization, from the database server. Once authorized, a user can access the data and, if so inclined, alter it. If we check the audit logs of the database, we can obtain a list of the users who were granted permission to access the data. The team needs to look in the database for the IP addresses that connected remotely, because the data may have been altered by an authorized or an unauthorized user.

According to Dave, P., (2013), with the help of the investigation we can retrace the DDL (Data Definition Language) operations, which define the database structure, and the DML (Data Manipulation Language) operations, which manage the data within the database, and identify whether any pre- and post-transaction changes took place in the database. This investigation can also tell us whether any data rows were deleted intentionally by a user and recover them; it helps us prove or disprove that a data security breach occurred within the database, and it helps determine the scope of the intrusion. Windows forensic tool v1.0.03 is used with a customized configuration file that executes DMV (Distributed Management Views) and DBCC (Database Consistency Checker) commands to gather data sufficient to prove or disprove the intrusion, as stated earlier (Fowler, K., 2007).
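The audit-log review described above (who connected from where, DDL versus DML activity, deletions that may hide tracks, and the large outbound data volume the case study reports) can be scripted as a first triage pass. This is an added example rather than code from the report or from any tool it cites: the audit records, logins, client addresses and the 192.168.10.0/24 LAN range are constructed, and the 10,000-row "bulk" threshold is a value chosen here.

```python
import ipaddress
from collections import defaultdict

# Constructed audit records (time, login, client address, rows, statement),
# modelled loosely on a SQL Server login/statement audit. Not real data.
AUDIT_SAMPLE = """\
2013-03-11T22:14:03Z,sa,127.0.0.1,1,SELECT name FROM sys.databases
2013-03-11T23:02:41Z,webapp,192.168.10.21,12,SELECT * FROM Orders WHERE OrderId = 4411
2013-03-12T01:17:09Z,webapp,203.0.113.45,84213,SELECT * FROM Customers
2013-03-12T01:19:55Z,webapp,203.0.113.45,84213,SELECT CardNumber, Expiry FROM Payments
2013-03-12T01:24:30Z,webapp,203.0.113.45,0,DROP TABLE AuditTrail
2013-03-12T01:25:02Z,webapp,203.0.113.45,3170,DELETE FROM LoginHistory WHERE LoginTime > '2013-03-11'
2013-03-12T08:30:12Z,reports,192.168.10.7,950,SELECT TOP 1000 * FROM Orders
"""
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]   # assumed SME LAN range
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DML_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"}
DESTRUCTIVE_VERBS = {"DELETE", "TRUNCATE", "DROP"}
BULK_ROWS = 10_000          # threshold for a "large amount of data" leaving the DB

def parse_audit(text):
    """Turn the CSV-style audit text into records; the statement may contain commas."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, login, addr, rows, stmt = line.split(",", 4)
        records.append({"time": ts, "login": login, "addr": ipaddress.ip_address(addr),
                        "rows": int(rows), "stmt": stmt.strip()})
    return records

def statement_verb(stmt):
    return stmt.split(None, 1)[0].upper()

def classify(stmt):
    """DDL defines structure, DML reads or changes data (Dave, 2013)."""
    verb = statement_verb(stmt)
    return "DDL" if verb in DDL_VERBS else "DML" if verb in DML_VERBS else "OTHER"

def is_remote(addr):
    """Anything not loopback and not inside the assumed LAN is a remote client."""
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)

def triage(records):
    """Per login: remote client addresses, DDL/DML counts, bulk reads from
    remote hosts, and destructive statements that could be covering tracks."""
    summary = defaultdict(lambda: {"remote_addrs": set(), "DDL": 0, "DML": 0, "OTHER": 0,
                                   "bulk_remote_reads": [], "destructive": []})
    for r in records:
        s = summary[r["login"]]
        verb = statement_verb(r["stmt"])
        s[classify(r["stmt"])] += 1
        remote = is_remote(r["addr"])
        if remote:
            s["remote_addrs"].add(str(r["addr"]))
        if remote and verb == "SELECT" and r["rows"] >= BULK_ROWS:
            s["bulk_remote_reads"].append((r["time"], r["rows"], r["stmt"]))
        if verb in DESTRUCTIVE_VERBS:
            s["destructive"].append((r["time"], r["stmt"]))
    return dict(summary)

if __name__ == "__main__":
    for login, findings in triage(parse_audit(AUDIT_SAMPLE)).items():
        print(login, findings)
```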
10. Analysis

Initially we need to analyze the evidence we gathered and examined. We will look into the data to see whether any hidden or unusual files are present, whether any unusual process is running and whether any sockets have been opened unusually. We will also check for unusual application requests, examine the accounts for any unusual account, and establish the patching level of the system, i.e. whether it has been updated or not. From the outcome of those analyses we will know whether any malicious activity is present. Then we will develop a further strategy for the forensic investigation, such as complete analysis of memory, complete analysis of file systems, event correlation and timeline analysis (Nelson, B., et al., 2008).

According to this case study there is malicious activity present in the network, and this has also been confirmed by our initial analysis. In order to find the malicious code's capabilities and its aim, we have to analyze the malware executable. Malware executable analysis can be divided into Static Analysis and Behavioural Analysis.

11. Malware Analysis

According to the Verizon "2012 Data Breach Investigations Report", 99% of the vulnerabilities led to data being compromised within a few days or less, while 85% took several weeks to investigate. This is a serious challenge for security departments, as attackers get a lot of time to work in a compromised environment. More "free time" leads to more stolen data and more serious damage. This is mainly because current security measures are not designed to deal with more complex threats (2012 Data Breach Investigations Report, Verizon, 2012).

When performing a malware crime scene investigation, certain parts of a Windows PC are most likely to hold data relating to the malware's installation and use. Forensic examinations of the compromised systems include a review of file hash values, signature mismatches, packed files, crash logs, System Restore points and the pagefile. A temporal analysis of the file systems and event logs may be conducted to identify activity around the time the malware became active on the system. Digital investigators should also review the registry for unusual entries, such as in autostart locations, and for modifications around the time of the malware installation. Keyword searches may be performed to discover references to the malware and connections to other compromised hosts. Common attack vectors are identified, including e-mail attachments, web browsing history and unauthorized logons. According to Syngress, "Malware Forensics – Investigating and Analyzing Malicious Code" (2003), an investigation should cover the following:

• Search for known malware
• Review installed programs
• Examine Prefetch
• Inspect executables
• Review auto-start locations
• Review scheduled jobs
• Examine logs
• Review user accounts
• Examine file system
• Examine registry
• Restore points
• Keyword searching

Before starting the malware analysis we need to create a malware analysis environment, such as VMware or Norton Ghost. VMware is a virtualization-based malware analysis environment and Norton Ghost is a dedicated malware analysis environment.

11.1 Static Analysis

Static analysis is the type of malware analysis conducted without running the malware program. Static analysis is better than dynamic analysis in terms of safety: since the malware program is not running, there is no fear of files being deleted or changed. It is always best to do static malware analysis on a different operating system, one the malware is not designed to run on or affect, because an investigator can accidentally double-click the malware program, run it and affect the system. There are many ways to do static analysis, such as file fingerprinting, virus scanning, packer detection, strings, inside the PE file format, and disassembly (Kendall, K., 2007).

11.2 Dynamic Analysis

Dynamic analysis is the type of malware analysis where the malware code is run and its behaviour observed. It is also called behavioural malware analysis. Dynamic analysis is not safe to conduct unless we are ready to sacrifice the malware analysis environment. We can analyze the malware simply by monitoring the behaviour of the malware's functions. There are many tools for dynamic malware analysis, but Process Monitor from Sysinternals and Wireshark are the most used freeware tools (Kendall, K., 2007). According to Kendall, K., (2007), in almost all malware cases a simple static and dynamic malware analysis will find all the answers the malware investigators require for the particular malware code.
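Four of the static-analysis steps Kendall lists (file fingerprinting, strings, packer detection and reading the PE file format) can be carried out with nothing more than the standard library. The following is an added example, not code from the report or from Kendall's paper: it builds a constructed two-section PE image that stands in for the suspect binary (it is not a runnable program), then hashes it, extracts its strings, walks its section table and flags packing by section name and byte entropy. The packer section-name list and the 7.0 bits-per-byte threshold are heuristics chosen for this example.

```python
import hashlib
import math
import re
import struct
from collections import Counter

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER (40 bytes)
# Section names left behind by common packers; a heuristic list, not exhaustive.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1",
                        ".MPRESS2", ".themida", ".vmp0", ".vmp1", ".petite"}
HIGH_ENTROPY = 7.0      # bits per byte; compressed or encrypted data sits near 8.0

def fingerprint(data):
    """File fingerprinting: hashes for matching against known-malware sets."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data, min_len=6):
    """Strings: printable ASCII runs (URLs, API names, paths) in the raw file."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(data):
    """Inside the PE format: follow e_lfanew to the PE header, then walk the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections

def packer_indicators(sections):
    """Packer detection: known packer section names or near-random section data."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: known packer section name")
        if s["entropy"] >= HIGH_ENTROPY:
            hits.append(f"{s['name']}: entropy {s['entropy']} suggests packed or encrypted content")
    return hits

def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler (sha256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_pe():
    """Constructed two-section PE image standing in for the suspect binary.
    Headers are minimal and the 'code' is filler; it is not a runnable program."""
    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 2 sections
    struct.pack_into("<H", img, 0x58, 0x10B)                                 # optional header magic (PE32)
    SECTION_HEADER.pack_into(img, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    SECTION_HEADER.pack_into(img, 0x160, b"UPX1", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0xE0000040)
    text = (b"\x55\x8b\xec" + b"http://update.example.test/gate.php\0"
            + b"CreateRemoteThread\0WriteProcessMemory\0")
    img[0x200:0x200 + len(text)] = text                                      # plain, low-entropy code
    img[0x400:0x1400] = pseudo_random(0x1000)                                # "packed" high-entropy data
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample_pe()
    print(fingerprint(sample)["sha256"], parse_sections(sample),
          packer_indicators(parse_sections(sample)), sep="\n")
```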
12. Findings

After our investigation, we summarize our findings as follows:

• Identified the attacker's persistent remote access to the company's computers.
• The forensic analysis identified that the systems had been compromised.
• OS patches were not installed on some systems.
• Suspected malware was found on the compromised system.
• Identification of that malware and its functionality and aim led us to conclude that it is "spamming" malware.
• Determined that the attackers had access to the client's systems using the malware, by supplying an inappropriate website link for the payment gateway.

13. Remedial Actions

The most common ways in which malicious software gets into the network were considered above. From the foregoing, two important conclusions can be drawn:

• Most of the methods described are in some way related to the human factor; therefore, training of employees and periodic security training will enhance network security.
• Frequent cases of hacking of legitimate sites mean that even a competent user can infect his computer. Therefore, the classical protective measures come to the fore: antivirus software, timely installation of the latest updates, and monitoring of Internet traffic.

According to Shiner, D.L.D., and Cross, M., (2002), the major countermeasures to protect against malware are:

• Authentication and password protection
• Antivirus software
• Firewalls (hardware or software)
• DMZ (demilitarized zone)
• IDS (Intrusion Detection System)
• Packet filters
• Routers and switches
• Proxy servers
• VPN (Virtual Private Networks)
• Logging and audit
• Access control time
• Proprietary software/hardware not available in the public domain

In our case, the most useful are the following:

• Firewall
• Logging and audit

The firewall checks all web pages entering the user's computer. Each web page is intercepted and analyzed by the firewall for malicious code. If a web page accessed by the user contains malicious code, access to it is blocked and a notification is displayed that the requested page is infected. If the web page does not contain malicious code, it immediately becomes available to the user.

By logging, we mean collecting and storing information about events that occur in the information system.
For example: who tried to log on to the system and when, and how that attempt ended; who used which information resources; who modified which information resources; and many others. Audit is the analysis of the accumulated data, conducted promptly, almost in real time (Shiner, D.L.D., and Cross, M., 2002). Implementation of logging and audit has the following main objectives:

• Accountability of users and administrators;
• Providing the means to reconstruct events;
• Detection of attempted violations of information security;
• Providing information to identify and analyze problems.

13.1 Security Policies

The fullest criteria for evaluating organizational-level security mechanisms are presented in the international standard ISO 17799, Code of Practice for Information Security Management, adopted in 2000. ISO 17799 is the international version of the British Standard BS 7799. ISO 17799 contains practical rules for information security management and can be used as criteria for assessing organizational-level security mechanisms, including administrative, procedural and physical security measures (ISO/IEC 17799:2005). The practical rules are divided into the following sections:

• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.

These sections describe the organizational-level security mechanisms currently implemented in government and commercial organizations worldwide (ISO 17799, 2005). Several questions arise once the above is considered together with the business's requirements for the Internet. What software, hardware and organizational measures must be implemented to meet the needs of the organization? What is the risk? What should the ethical standards be for the organization to carry out its tasks with the help of the Internet? Who should be responsible for that? The basis for answering these questions is a conceptual security policy for the organization (Swanson, M., 2001).
The next section contains fragments of hypothetical security policies for safe work on the Internet. These fragments were designed on the basis of an analysis of the major types of security equipment. Security policies can be divided into two categories: technical policy, implemented using hardware and software, and administrative policy, carried out by the people using the system and the people running it (Swanson, M., 2001).

Common Security Policy for an Organisation:

1. Any information system must have a security policy.
2. The security policy must be approved by the management of the organization.
3. The security policy should reach all employees in a simple and understandable form.
4. The security policy should include:
   • a definition of information security, its main objectives and its scope, as well as its importance as a mechanism that allows information to be used collectively;
   • the position of leadership on the purposes and principles of information security;
   • general and specific responsibilities for providing information security;
   • links to documents related to the security policy, such as detailed safety guidelines or rules for users.
5. The security policy must satisfy certain requirements:
   • correspond to national and international legislation;
   • contain provisions for training personnel on security issues;
   • include instructions for the detection and prevention of malicious software;
   • define the consequences of violations of the security policy;
   • consider business continuity requirements.
6. A person must be defined who is responsible for the procedure of reviewing and updating the provisions of the security policy.
7. Revision of the security policy must be carried out in the following cases:
   • changes in the organizational infrastructure of the organization;
   • changes in the technical infrastructure of the organization.
8. The following characteristics are subject to regular review as part of the security policy:
   • the cost and impact of countermeasures on the organization's performance (ISO/IEC 17799:2005).

14. Reporting

A forensic report highlights the evidence in court; it also helps in gathering more evidence and can be used in court hearings. The report must state the investigation's scope. A computer forensic investigator must be aware of the types of computer forensic reporting: formal report, written report, verbal report and examination plan. A formal report contains the facts from the investigation findings. A written report is like a declaration or an affidavit which can be sworn to under oath, so it must be clear, precise and detailed. A verbal report is less structured and is a preliminary report that addresses the areas of investigation not yet covered. An examination plan is a structured document that helps the investigator understand the questions to expect when he/she is justifying the evidence. An examination plan also helps the attorney understand the terms and functions used in the computer forensic investigation (Nelson, B., et al., 2008). Generally a computer forensic report contains the following sections:

• Purpose of the Report
• Author of the Report
• Incident Summary
• Evidence
• Analysis
• Conclusions
• Supporting Documents

There are many forensic tools that generate the forensic investigation report, such as ProDiscover, FTK and EnCase (Nelson, B., et al., 2008).

15. Conclusions

This report describes how to conduct a Computer Forensic Investigation and a Malware Investigation by various methods and using various tools. It also covers the ACPO's four principles and the ISO 17799 security policy procedures, which must be implemented in every organization to improve the security of the network architecture. It analyzed the First Four Step Forensic Investigation model and why we chose this model to conduct the forensic investigation for this case. It also sets out the important preparation steps to take before starting the investigation. The report then has an analysis part, where we analyzed the data gathered by various methods to yield the findings. Finally, the report gives recommendations to avoid a security breach in future.

Digital forensic investigation is a challenging process, because every incident differs from every other. A computer forensic investigator must be competent enough in both technical and legal matters to conduct the investigation. Since the evidence provided by a computer forensic investigator can be an important part of the case, the investigation report must be precise and detailed.
Deliverables

Your deliverable in this assignment is a 5,000 word report discussing how you would approach the following:

• Malware investigation
• Digital Forensic Investigation

You should discuss a general overview of the methodology that you will use, and provide a reasoned argument as to why the particular methodology chosen is relevant. You should also discuss the process that you will use to collect evidence and discuss the relevant guidelines that need to be followed when collecting digital evidence. As a discussion contained within your report, you should also provide a critical evaluation of the existing tools and techniques that are used for digital forensics or malware investigations and evaluate their effectiveness, discussing such issues as consistency of the approaches adopted, the skills needed by the forensic investigators, and the problems related with existing methodologies (especially with respect to the absence of any single common global approach to performing such investigations and the problems that can result when there is a need to perform an investigation that crosses international boundaries).

MALWARE INVESTIGATION

When investigating an incident that involves malicious software, it helps to understand the context of the infection before starting to reverse the malware specimen. Some of the ways to accomplish this involve:

• Examining the websites that may be associated with the incident, often because they are suspected of hosting exploits that acted as the infection vector
• Obtaining reputational data about IP addresses of systems involved in the incident, often because they are suspected of hosting malicious files that were dropped on the system, or of acting as the command and control server for the attacker
• Looking up IP addresses associated with the infected organization in blocklists, to determine whether additional systems may have been performing malicious activities and may have been compromised
• Performing automated behavioral analysis of malware involved in the incident, to get a general sense of its characteristics in order to plan subsequent manual reverse-engineering tasks