Review the contents and write a proper forensic report detailing the following: When was the system compromised? How was it compromised? Who compromised the system (attacking IP address)?

Forensic Report

Introduction

A forensic report is an important part of the forensic investigation; it aims to tell a story that anyone can understand, regardless of technical background. Information in an investigation can be extremely technical and difficult to articulate. Therefore, telling a story in a report is like writing an article or a book. It needs to be clear and concise when connecting all the pieces of forensic evidence together.

Skills

The purpose of this assignment is to help you practice the following skills that are essential to your success in this course:

Ability to convey the steps and process of investigative methodology used in digital forensics (CLR 1)

Ability to explain the responsibilities of a Canadian security professional working in a digital forensics environment (CLR 6)

Task

You have just landed your first digital forensic job.

Your role is to assist the Technological Crime Unit in reducing their backlog of cases. Upper management has suggested that instead of examining each system in full, the backlog can be reduced through timeline analysis. A senior investigator has created a timeline for you to examine, as well as other extractions.

Your task is to review the contents and write a proper forensic report detailing the following sections:

Executive Section

Technical Findings:

When was the system compromised?
How was it compromised?
Who compromised the system (attacking IP address)?
What did they do?
Did they access folders/files?
Did they use specific tools?
Did they run programs/scripts?
Conclusion

Use resources and material already presented to you throughout the weeks to build a Forensic Report template that would be used as a layout to address the above questions. This assignment is not meant to evaluate your abilities to analyze and comprehend the outputs, but to evaluate your reporting skills; the analysis will come later.

Case Scenario

Company: Abby’s Baking Company (ABC), Inc

On October 13th, an employee of ABC, Inc noticed that they could not access the application holding their shared documents, so they called their onsite IT support for assistance.

Upon inspection, the IT analyst found ransom notes in various shared folders and servers. They also noted that most servers had been encrypted and that administrative passwords had been changed.

Immediately seeing the ransom notes, the IT personnel disconnected all devices from the network.

The company contacted an incident response firm who then began to collect forensic evidence from multiple systems:

Primary Domain Controller (DC) ABC-DC1
Secondary DC ABC-DC2
Data server ABC-DATA
Dealer & Distributor Management System DDMS2
Remote Desktop Server RDS

The incident response team conducted forensic analysis of the systems and confirmed characteristics consistent with the attack pattern of the PYSA ransomware variant, described here:

https://attack.mitre.org/software/S0583/

The analysis of the systems identified the Threat Actor compromising several accounts, performing lateral movement via RDP (Remote Desktop Protocol), executing PowerShell scripts, and accessing data.
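Timeline analysis of the kind the task describes, as an added example that is not part of the assignment or of the scenario's evidence: a small Python parser over a constructed, simplified super-timeline that answers the report's when / how / who / what questions from Windows logon events, PowerShell script-block events and filesystem entries. The CSV layout, the mix of events per host, the IPs, the paths and the script name are all constructed placeholders.

```python
import csv, io
from datetime import datetime, timezone
# Constructed timeline extract (not an investigator's real output) in a simplified
# "timestamp,host,source,event,details" layout, deliberately out of order; placeholder IPs.
TIMELINE_CSV = r"""timestamp,host,source,event,details
2020-10-10T02:31:40Z,ABC-DC1,EVTX,4624,user=admin src=10.0.0.25 logon_type=10
2020-10-09T08:00:00Z,ABC-DC1,EVTX,4624,user=jsmith src=10.0.0.40 logon_type=3
2020-10-10T02:13:45Z,RDS,EVTX,4625,user=admin src=203.0.113.45 logon_type=10
2020-10-10T02:14:02Z,RDS,EVTX,4624,user=admin src=203.0.113.45 logon_type=10
2020-10-10T02:20:11Z,RDS,EVTX,4104,user=admin script=C:\temp\stage.ps1
2020-10-10T02:35:00Z,ABC-DATA,MFT,access,path=\\ABC-DATA\Shared\HR\payroll.xlsx
2020-10-11T23:50:00Z,ABC-DC1,EVTX,4724,user=admin target=Administrator
2020-10-13T07:02:00Z,ABC-DATA,MFT,create,path=\\ABC-DATA\Shared\RANSOM-NOTE.txt
"""
def load_timeline(text):
    """Parse the CSV, normalise timestamps to aware UTC datetimes, sort oldest first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["ts"])
def field(r, key):
    """Value of a key=value token in the details column, or None if absent."""
    return next((t[len(key) + 1:] for t in r["details"].split() if t.startswith(key + "=")), None)
def is_rdp_logon(r):
    # 4624 with logon type 10 (RemoteInteractive) is an RDP session; type 3 is ordinary network noise
    return r["event"] == "4624" and field(r, "logon_type") == "10"

def initial_access(rows):
    """When / how / who: earliest successful RDP logon plus prior failures from the same IP."""
    first = next((r for r in rows if is_rdp_logon(r)), None)
    if first is None:
        return None
    src = field(first, "src")
    failed = [f for f in rows if f["event"] == "4625" and f["ts"] < first["ts"] and field(f, "src") == src]
    return {"when": first["ts"], "host": first["host"], "attacker_ip": src,
            "account": field(first, "user"), "failed_logons_before": len(failed)}

def post_compromise(rows, initial):
    """What did they do: bucket every event after initial access into the report's questions."""
    out = {"lateral_rdp": [], "powershell": [], "files": [], "account_changes": []}
    for r in (r for r in rows if r["ts"] > initial["when"]):
        if is_rdp_logon(r):
            out["lateral_rdp"].append((r["host"], field(r, "src")))
        elif r["event"] == "4104":      # PowerShell script block logging
            out["powershell"].append(field(r, "script"))
        elif r["event"] == "4724":      # password reset attempt on the DC
            out["account_changes"].append(field(r, "target"))
        elif r["source"] == "MFT":      # filesystem timeline entries
            out["files"].append((r["event"], field(r, "path")))
    return out
```

Each returned dictionary maps directly onto one heading of the Technical Findings section, so the report can cite the timestamp, host and source IP of every claim it makes.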
