Describe and critically analyse the approach you will take from a technical perspective to develop an understanding of what has happened. What will you request access to, and how will you use that data or information provided?

Assignment Brief

Read this whole brief before starting; both the scenario and all tasks.

Introduction

You are working for a very small company, Chester Digital Forensic n' Stuff (CDFnS), which advertises itself as providing Digital Forensics to organisations amongst other things. The company has just set up, and the director has employed you as its sole Cyber Security Specialist who has training across the field of cyber security.

CDFnS, being new, has no formal procedures yet laid out for anything. CDFnS has just been contracted by a company, Thornton Delivery Services(TDS), to provide them support in identifying a suspected data breach at TDS.

About Thornton Delivery Services (TDS)

TDS is a national delivery company based at Thornton Science Park. They employ 50 staff including administration, drivers, and warehouse workers. Their operations are reliant on IT systems. Their Business Systems comprise the following:

• 1 Windows Server 2019 server running:

o Active Directory

o Roles: DNS, DHCP, File Server

o Default logging

o Financial software for tracking and accounting

o Asset software for tracking parcels

• 1 Debian 8 (Jessie) Linux Server for backup of files off the Windows Server

• 20 in-house client computers which are used primarily by the administration staff, who underpin the day-to-day operations. A variety of different operating systems are in use.

To date this comprises the following deployment:

o 15x Windows 10

o 2x Windows 7

o 3x macOS Big Sur

TDS Data Breach

The Administrator occasionally looks at internal traffic stats for fun in the odd month he is not overworked, and this time, on looking at stats over the previous months, he had noticed something suspect:

The Administrator at TDS noticed that there had been a lot of traffic from the Windows Server 2019 firstly to one of the internal Windows 7 client machines, and then by the next day out directly from the Server to the Internet. When the data went to the Windows 7 client machine, and out from the Server, it went late in the evening. The Windows 7 client’s user was at home at both times.

The Administrator is not experienced in analysis of logs or in digital forensics.

Task 1: (30%)

You need to act swiftly to preserve as much evidence as you need to uncover what is going on. TDS is not expecting any downtime at the moment. Describe and critically analyse the approach you will take from a technical perspective to develop an understanding of what has happened. What will you request access to, and how will you use that data or information provided?

Consider multiple possibilities without coming to early conclusions. Establish some sort of process and express it possibly with the help of a diagram, flow chart, or other.

Identify any tools you may use, including built-in tools.

Remark upon the impact on the business of the approach(es) you decide to take.

CDFnS Makes Progress

Following Task 1, you find out that: Some logs have been deleted on the Server (the security logs that are normally viewable in Event Viewer). Thousands of logon attempts were made from the Windows 7 client to the Windows Server before successfully getting access to the admin account.

These attempts were made from the client machine on the same evening that it was also downloading files from the file server under the user's account, with access to a limited number of files. Some logs have been deleted on the Windows 7 client. Once the attacker had gained access to the Server admin account, he could access any files on the file server, and more confidential files were accessed. Neither the Windows 7 client nor the Windows Server 2019 have been rebooted since the event.
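The findings above (a burst of failed logons from the Windows 7 client ending in a successful admin logon, and a cleared Security log) are the kind of pattern a triage of the surviving Security events would surface. The following is an added example, not part of the brief or of any TDS system: it runs that check over a constructed CSV export of events whose column layout is my own, and it assumes only the standard Windows Security event IDs 4625 (failed logon), 4624 (successful logon) and 1102 (audit log cleared).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample export (not TDS data); the column layout is my own. Standard
# Security event IDs: 4625 = failed logon, 4624 = successful logon, 1102 = audit
# log cleared (1102 carries no network address, hence "-").
SAMPLE_CSV = (
    "time,event_id,account,source_ip\n"
    + "".join(f"2020-10-05 22:{14 + i // 60:02d}:{i % 60:02d},4625,Administrator,10.0.0.57\n"
              for i in range(120))
    + "2020-10-05 22:16:30,4624,Administrator,10.0.0.57\n"
    "2020-10-05 22:20:11,4625,bjones,10.0.0.23\n"
    "2020-10-06 01:02:44,1102,Administrator,-\n"
)

def parse_events(text):
    """Parse the export into dicts with typed fields, sorted by time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
    return sorted(rows, key=lambda r: r["time"])

def find_password_guessing(events, threshold=50, window=timedelta(minutes=30)):
    """Flag (source, account) pairs with >= threshold failed logons inside `window`,
    noting whether a 4624 for the same pair followed within `window` of the burst."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[(e["source_ip"], e["account"])].append(e["time"])
    findings = []
    for key, times in failures.items():     # times are already in order
        start, burst_end = 0, None
        for end in range(len(times)):       # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]      # last failure inside a qualifying burst
        if burst_end is None:
            continue
        succeeded = any(e["event_id"] == 4624 and (e["source_ip"], e["account"]) == key
                        and burst_end <= e["time"] <= burst_end + window for e in events)
        findings.append({"source_ip": key[0], "account": key[1],
                         "failures": len(times), "followed_by_success": succeeded})
    return findings

def find_log_clears(events):
    """1102 records who cleared the Security log and when; nothing earlier survives in it."""
    return [(e["time"], e["account"]) for e in events if e["event_id"] == 1102]
```

Because clearing the Security log removes everything before it, the same logon pattern should also be looked for on the Windows 7 client, in the domain controller's other logs, and in any network traffic statistics the Administrator kept, rather than relying on the server's Security log alone.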

You propose to take a memory dump and copy of the hard disks for each machine. TDS would like to get to the bottom of this, and accepts, even if they have to take the server offline overnight (for not more than 12 hours). (Tasks 2 & 3, overleaf…)

Task 2: (40%)

Explain the benefit of taking memory and disk copies of both machines. For each, what can you expect to determine? For either the Windows 7 client or the Windows Server 2019:

Describe briefly the process of taking a memory copy and a disk copy, minimising impact.

For both memory and disk images, describe and critically analyse the approach you would take from a technical perspective to develop a further understanding of what has happened. Identify any tools you may use, and the use of those tools.

Consider the precautions taken and the reasons for those precautions.

Task 3: (30%)

The TDS Administrator has had to deal with many staff opening phishing emails containing malware, e.g. Word documents, PDF files, ZIP files. They would like to understand measures they can put in place to help prevent users from infecting their computers.

The Administrator already knows about Anti-Virus solutions, but these have often not detected malware where it was actually present. From a high-level overview, propose a list of malware analysis tools that the Administrator could use to start to perform basic malware analysis.

You should compare and contrast these different tools and state if they are to be used for static or dynamic analysis. You can categorise these tools however you see fit. For example:

1. Debugger

2. Disassembler

3. Decompiler

For each of these tools, you should demonstrate that you have actually used them in order to give a recommendation on their pros and cons.

Do this by including screenshots of you analysing some sample malware files you have made or downloaded.

Finally, you should propose best practice recommendations, focusing on the risks of running malware and some of the preventative methods the Administrator should use when dealing with malware to avoid infecting themselves for real (e.g. malware escaping from a VM into the host machine).

© 2020 EssayQuoll.com. All Rights Reserved.