The Scenario-based questions cover the following Learning Outcomes:
2. Apply data recovery techniques to forensic investigation in the network and mobile environments.
4. Apply forensic methodology to digital corporate and crime investigation in an ethical and professional context, and employ appropriate technical writing skills in presenting the report.
You are an analyst at a Singapore manufacturing corporation named WoW Pvt. Ltd. On Wednesday 2015-08-05, several alerts fired while you were on shift in the corporation's Security Operations Center (SOC).
During the investigation, your team contacts one of the suspected employees, who states that he is not aware of the suspicious files found on his desktop.
The network administrator retrieves a pcap of the traffic for the timeframe of the alerts and the HTTPS traffic logs for that IP address. Another analyst searches the company's mail servers and retrieves four malicious emails that might be related.
You now have:
Network.pcap – a pcap of the traffic,
HTTPS traffic logs,
a collection of artifacts from that HTTPS traffic, and
malicious emails the suspected employee received during that timeframe.
The scope of DF's investigation covers:
Analyze the Network.pcap (packet capture) file that was captured by the network administrator at WoW Pvt. Ltd.
Conduct an interview with the alleged employee and general manager of WoW Pvt. Ltd. Take statements from both parties.
Conduct digital investigation into the alleged employee’s mobile device (corporate-issued) and corporate computing device (workstation).
Technically evaluate the corporate email server logs against the footprints left by the alleged employee's computing and mobile devices.
Figure out how the computer became infected and document your findings. Your report should include:
A list of the protocols present in the given pcap.
A list of the protocols that need to be analyzed for the given case.
The IP address of the computer that triggered the alerts.
Who used this computer?
The infected computer’s hostname.
The infected computer’s MAC address.
The infected computer’s operating system.
The date, time, subject line, and sender of the malicious email that caused the infection.
Information on any malware associated with the infection.
Domains and IP addresses of any related traffic.
A timeline of events leading to the infection.
How the malware analysis was performed.
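The pcap items above (protocols present, the infected host's IP address, MAC address and hostname) can be answered mechanically from the capture. The script below is an added example written for this brief; it is not part of the assignment and uses none of the WoW Pvt. Ltd. evidence, because Network.pcap is not available here. It parses a small capture constructed inline with made-up addresses and a made-up hostname (10.0.0.23, 00:11:22:33:44:55, WOW-PC01), and in a real engagement you would point it, or tshark, at Network.pcap itself. It handles classic libpcap files only (not pcapng), does not verify checksums, and does not attempt OS identification, which comes from TTL values, HTTP User-Agent strings and SMB/NBNS fields that the constructed packets do not carry.

```python
import struct
from collections import defaultdict

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
UDP_APP = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NBNS"}
TCP_APP = {80: "HTTP", 443: "HTTPS", 445: "SMB"}

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def dhcp_options(payload):
    """Return {code: value} for the options that follow the 240-byte DHCP header."""
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_pcap(data):
    """Walk a classic libpcap file: protocols seen, IP -> MAC mapping, DHCP client hostnames."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    res = {"packets": 0, "protocols": set(), "hosts": defaultdict(set), "hostnames": {}}
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        res["packets"] += 1
        res["protocols"].add("Ethernet")
        src_mac, etype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if etype == ETH_ARP:
            res["protocols"].add("ARP")
        if etype != ETH_IPV4:
            continue
        res["protocols"].add("IPv4")
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src_ip = ip_str(ip[12:16])
        if src_ip != "0.0.0.0":                           # a DHCP client has no address yet
            res["hosts"][src_ip].add(mac_str(src_mac))
        res["protocols"].add(IP_PROTO.get(proto, f"IP proto {proto}"))
        if proto in (6, 17):
            l4 = ip[ihl:]
            sport, dport = struct.unpack("!HH", l4[:4])
            table = TCP_APP if proto == 6 else UDP_APP
            app = table.get(dport) or table.get(sport)
            if app:
                res["protocols"].add(app)
            if proto == 17 and 67 in (sport, dport):      # DHCP option 12 = client hostname
                name = dhcp_options(l4[8:]).get(12)
                if name:
                    res["hostnames"][mac_str(src_mac)] = name.decode(errors="replace")
    return res

def triage(data):
    r = parse_pcap(data)
    return {"packets": r["packets"], "protocols": sorted(r["protocols"]),
            "hosts": {ip: sorted(m) for ip, m in r["hosts"].items()},
            "hostnames": r["hostnames"]}

# ---- constructed sample capture (made-up addresses; checksums left zero, the parser ignores them) ----
VICTIM_MAC = bytes.fromhex("001122334455")
GW_MAC = bytes.fromhex("aabbccddeeff")
VICTIM_IP, GATEWAY, EXT = bytes([10, 0, 0, 23]), bytes([10, 0, 0, 1]), bytes([203, 0, 113, 10])

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + l4

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def sample_capture():
    hostname = b"WOW-PC01"                                # made-up hostname
    dhcp = (bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(4) + bytes(16)      # DHCP Request
            + VICTIM_MAC + bytes(10) + bytes(64) + bytes(128) + b"\x63\x82\x53\x63"
            + b"\x35\x01\x03" + bytes([12, len(hostname)]) + hostname + b"\xff")
    dns = b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    syn = struct.pack("!HHIIHHHH", 49152, 443, 1, 0, (5 << 12) | 0x02, 8192, 0, 0)   # TCP SYN to :443
    frames = [
        b"\xff" * 6 + VICTIM_MAC + struct.pack("!H", ETH_ARP) + bytes(28),
        ipv4_frame(VICTIM_MAC, b"\xff" * 6, bytes(4), b"\xff" * 4, 17, udp(68, 67, dhcp)),
        ipv4_frame(VICTIM_MAC, GW_MAC, VICTIM_IP, GATEWAY, 17, udp(51000, 53, dns)),
        ipv4_frame(VICTIM_MAC, GW_MAC, VICTIM_IP, EXT, 6, syn),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):                        # timestamps on 2015-08-05 (UTC)
        out += struct.pack("<IIII", 1438761600 + i, 0, len(f), len(f)) + f
    return out
```

Calling `triage(open("Network.pcap", "rb").read())` on a real capture gives the same dictionary; `triage(sample_capture())` shows the expected shape on the constructed data. The IP-to-MAC map is keyed on the source address so that a host that changes address, or a NATed path, shows up as several entries rather than being silently merged; the hostname map is keyed on MAC because the DHCP client has no IP address at the time it sends its request.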
DRADFA Forensics is not investigating any other devices nor interviewing other parties aside from those mentioned.
Mr. Lim is WoW's general manager (GM). He is the client of DRADFA Forensics, with you as the assigned forensic investigator.
Analyze the digital evidence and state whether the alleged employee had any role in the malware found on the company's mail server.
Figure out how the computer became infected and document your findings.
Research, critically analyze, and propose the following for your approach to the forensic investigation:
Planning considerations and procedures to adopt for the investigation
Technical tools (hardware, software) to use for acquisition and analysis
Technical recommendations for analysis and considerations
Procedures and guidelines for interviews, and related considerations
Considerations for documentation (forms, templates) and reporting