Note: You are required to develop an application (choose from part 1, 2, or 3below) and write a report on what code you used (libraries, how the functions work etc.) and then also you must document some use case examples to illustrate how the application works. You should do video record and screenshots to support your use cases.
Python language would be a better option to use
In each of the 3 options below, the fully working, fully implemented code is worth 35% and the report is worth 15%.
Option 1,
Malicious file detection tool (hashing) File identification and malicious code detection are important parts of an investigation. The idea of this application is to scan a file system and identify benign or malicious files.
In order to rule out the benign files, you should use a look up database, such as NIST NSRL. The remaining files should be uploaded to VirusTotal (VT) via the API and checked.
• Scanfilesystem() – function to walk through the file system and parse the files. All files should be hashed using a suitable hash (e.g., MD% or SHA).
• Queryhashedb() – this function will do a lookup of the hashes on a benign DB and if the hash is found, it is discarded from the list.
• Queryvt() – this function will query the remaining file hashes against the VT repository.
• Report() – this function will write a report to a file of the malicious files found on the system.
Option 2,
Windows User Activity Tracker
An important aspect of forensic analysis is to extract user activity data to determine their interaction with the system. The aim of this assignment is to produce a tracking application, that will look for user activity (e.g. in the file system, Registry and network) between two given timestamps. The application should produce a report file detailing the activity in a timeline format.
Some functions could be:
• menu(): take in the two timestamps from the user, ts1 and ts2. Also you could include the option of the directory/ directories to parse.
• filesystem(ts1,ts2): retrieve metadata from filesystem, including mac times and custom metadata from binaries (you can restrict this to text files, PDF’s and MS Office docs).
• Logon/ logoff times: Using the event log module
• registry(ts1,ts2): retrieve registry key activity.
• network(ts1,ts2): retrieve network activity (I suggest you create a pcap file of some traffic and parse it using dpkt.)
Option 3,
Vulnerability Scanner The aim of this assignment is to develop an application that can scan for and identify at least 3 Web application vulnerabilities from the OWASP top 10.
The tool should write the results to a text file in the form of a report.
The results should report on the type of vulnerability, where it was detected (page(s) on the application and possible remediation tactics).
