Purpose
In this assignment, you will examine a volatile memory dump to investig
Purpose
In this assignment, you will examine a volatile memory dump to investigate a potential malware case. Your analysis will primarily be done with Volatility Workbench, but you may also use other utilities to look at the disk from other perspectives. In Autopsy, the evidence can be imported as an Unallocated Space image to run intake scripts. Be sure to make a note of all applications and methods you use in your examination.
Instructions
You’ll need to use the following resources to complete the assignment:
Investigation 04 Sample Evidence*
Volatility Workbench*
(Optional) Download and use the report template (See the Investigation and Forensics Challenge module for the templates)
(Optional) StringsLinks to an external site.
(Optional) Autopsy the open-source forensic suite* (or another suite, such as EnCase or FTK.)
*Accessed via the Virtual Lab.
After reading the Investigation 4 Scenario, open your forensic tool and import the sample evidence into the case. Begin a forensic report to document your examination.
Scenario
This scenario takes place circa 2010.
Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything. However, recently they have had unusual activity in their bank account.
Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found.
Questions
What specific indicators in the memory image indicate possible malicious activity?
Is there any evidence of malware execution or persistence mechanisms in the memory image?
Is there any evidence of privilege escalation or unauthorized access to the memory image?
Is there any evidence of memory-resident malware or rootkits that could avoid traditional detection methods?
Was there any sensitive information, such as credentials or financial data, has been accessed or altered within the memory image?
Are there any unusual processes or applications running in the virtual machine’s memory during the suspected infection?
Does the sender have any other unusual activities?
What were the processes that were running on the employees computer?
Format
You can submit your forensic report in Adobe PDF format. It should be a complete report. A template has been provided if you need help, but be aware that not all sections shown in the template will be relevant to this investigation:
Upload one file (PDF).
Your forensic report should include a cover page and a page dedicated to answering the accompanying questions at the end.
You may include screenshots or other evidence to support your conclusions, but a screenshot is not a shortcut to a complete report.
Grading and Submission
In brief, I’ll be evaluating you on the following:
Forensic Reporting
The report is complete and contains only the truth.
Examination Process
Your examination is fully documented and uses accepted practices.
Identifying Evidence
While you are not expected to find every relevant evidence item, you should discover enough to adequately support the conclusions in your report.
Leave a Reply