Digital forensics assignment

Part 1 Misleading file extension
Criminals often simply change the extensions of files to mislead
computer forensics investigators. With a wrong file extension it
is difficult to know exactly what the original file type was. To
find out the true type of a file you can use a hex editor.
1. Download secret.jpg.
2. Open it with the built-in Windows Photos app. What do you
see?
3. Use Hex Workshop (or another hex editor) and try to find out
the original file type.
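The hex-editor check above, automated: the script below is an added example (not part of the course material) that reads the first bytes of a file, looks them up against a small constructed table of file signatures, and compares the result with what the extension claims. The `secret.jpg` it inspects is constructed inside the script, not the assignment's file.

```python
"""Added example: recover a file's real type from its leading bytes (the
same bytes you inspect at offset 0 in a hex editor) and compare it with
the type that its extension claims."""
import os
import tempfile

# Signatures at offset 0 for a few common formats (constructed subset; a
# real triage tool such as `file` knows hundreds, some at other offsets,
# e.g. ISO 9660 at 0x8001, so "unknown" here is not proof of anything).
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR/APK)",
    b"Rar!\x1a\x07": "RAR archive",
    b"\x7fELF": "ELF executable",
    b"MZ": "Windows PE executable",
}

# What each extension claims to be, in the same vocabulary as SIGNATURES.
EXT_TO_TYPE = {
    ".jpg": "JPEG image", ".jpeg": "JPEG image", ".png": "PNG image",
    ".gif": "GIF image", ".pdf": "PDF document",
    ".zip": "ZIP archive (also DOCX/XLSX/JAR/APK)",
    ".docx": "ZIP archive (also DOCX/XLSX/JAR/APK)", ".rar": "RAR archive",
    ".exe": "Windows PE executable", ".dll": "Windows PE executable",
}


def sniff_type(head: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'.
    Longer signatures are tested first so a short one cannot shadow them."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if head.startswith(magic):
            return SIGNATURES[magic]
    return "unknown"


def check_extension(path: str) -> dict:
    """Compare the type claimed by the extension with the sniffed type."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    ext = os.path.splitext(path)[1].lower()
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(head)
    return {
        "path": path,
        "header_hex": head.hex(" "),  # the bytes you would see at offset 0
        "claimed": claimed,
        "actual": actual,
        # A mismatch is only meaningful when the content was identified.
        "mismatch": actual != "unknown" and actual != claimed,
    }


def demo() -> dict:
    """Constructed sample: a PNG header saved under a .jpg name."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.jpg")
    with open(path, "wb") as fh:
        fh.write(png_stub)
    return check_extension(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>11}: {value}")
```

Windows Photos decides what to do from the bytes, not the name, which is why step 2 above may behave differently from what the extension suggests.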
Part 2 Use Volatility to analyse a memory dump
1. Download Volatility at:
https://www.volatilityfoundation.org
2. Download windows.raw from Canvas.
3. Study an example of volatile memory analysis at:
https://medium.com/@zemelusa/first-steps-to-volatile-memory-analysis-dcbd4d2d56a1
4. Learn about the memory dump:
a. From which OS was this dump made? Make a screenshot to
support your answer.
b. Which processes were running when the dump was made? Make
a screenshot.
c. What are the network connections, and which connections are
still open? Make screenshots to support your answer.
d. Go through the Volatility manual and try at least two
options. The more options the better, of course. Document your
findings with the command/parameters you used and the
outputs. Make screenshots to support your answer.
Part 3 Data acquisition
1. Use dd or dcfldd to acquire an image from a USB drive. Make
a screenshot with the command you used and the output results.
2. Use Foremost to recover some files that you deleted. Make a
screenshot with the command you used and the output results.
3. Use FTK to capture the memory of your PC.
4. Use Autopsy to analyse the images you captured in step 3.
Write a short report on what information you can find. For
privacy reasons, you may erase or hide some personal data when
making screenshots.
Threat analysis assignments
Note 1: if you export files from the captures, you had better
practise in a virtual environment. There is a chance that your
PC gets infected by the malware!
Note 2: You should report what you found and, more importantly,
how you found the answers. Explain your line of thought: why
certain filters were used, why you looked into a certain packet
for certain information, how you got the information you were
looking for, etc. Only providing answers/screenshots to the
questions will be graded as insufficient!
Part 1
You noticed that there is some BitTorrent traffic in the network
of your organization. Torrent traffic is not necessarily
malicious; however, it is often associated with sharing
copyright-protected content. You would like to find out more
information about the torrent content.
Go to Canvas, download and open the packet capture
traffic_analysis_1.pcap. Answer the following questions. Put
your answers, as well as how you found the answers, in a short
report.
1. Find out the following information about the PC that
generates torrent traffic:
a. IP address
b. MAC address
c. Windows user account
d. Windows version
2. At what time (in UTC) did the first torrent activity occur?
3. What torrent file was downloaded?
4. Can you find other torrent traffic?
5. What torrent file was shared by the torrent client? Which
torrent client was used? (Hint: check the info_hash value,
convert the URL-encoded value to hexadecimal, and then search
Google.)
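The conversion in the hint, as an added example (not from the assignment): the script takes a tracker announce request line as you would see it in Wireshark's "Follow TCP stream", decodes the percent-encoded `info_hash` to the 40-character hex form used by search engines and magnet links, and reads the client name out of the Azureus-style `peer_id`. The request line and client-prefix table are constructed here; the capture's real values will differ.

```python
"""Added example: decode info_hash and peer_id from a BitTorrent tracker
announce request captured as an HTTP request line."""
from urllib.parse import unquote_to_bytes, urlsplit

# Azureus-style peer_id prefixes ("-XX1234-", BEP 20 convention) for a
# few common clients; hand-picked subset, not a complete list.
CLIENT_PREFIXES = {
    b"qB": "qBittorrent",
    b"UT": "uTorrent",
    b"TR": "Transmission",
    b"DE": "Deluge",
    b"AZ": "Azureus/Vuze",
    b"LT": "libtorrent",
}

# Constructed announce request; the info_hash is a made-up 20-byte value.
SAMPLE_REQUEST = (
    "GET /announce?info_hash=%124Vx%9A%BC%DE%F0%01%23Eg%89%AB%CD%EF%102Tv"
    "&peer_id=-qB4250-abcdefghijkl&port=6881&uploaded=0&downloaded=0"
    "&left=734003200&compact=1&event=started HTTP/1.1"
)


def decode_query(request_line: str) -> dict:
    """Split the query string into raw byte values.

    urllib.parse.parse_qs would decode values to str and mangle the
    binary info_hash, so each value is unquoted to bytes instead."""
    _method, target, _version = request_line.split(" ", 2)
    params = {}
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote_to_bytes(value)
    return params


def identify_client(peer_id: bytes) -> tuple:
    """Return (client name, raw version field) from an Azureus-style
    peer_id: '-' + two-letter client id + four version chars + '-'."""
    if len(peer_id) == 20 and peer_id[:1] == b"-" and peer_id[7:8] == b"-":
        code = peer_id[1:3]
        name = CLIENT_PREFIXES.get(
            code, "unknown (" + code.decode("ascii", "replace") + ")")
        return name, peer_id[3:7].decode("ascii", "replace")
    return "unknown", ""


def parse_announce(request_line: str) -> dict:
    """Everything an analyst wants from one announce request."""
    params = decode_query(request_line)
    info_hash = params.get("info_hash", b"")
    peer_id = params.get("peer_id", b"")
    client, version = identify_client(peer_id)
    return {
        "info_hash": info_hash,
        "info_hash_hex": info_hash.hex(),
        "valid_length": len(info_hash) == 20,  # SHA-1 digest is 20 bytes
        "magnet": "magnet:?xt=urn:btih:" + info_hash.hex(),
        "client": client,
        "client_version": version,
        "port": params.get("port", b"").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    for key, value in parse_announce(SAMPLE_REQUEST).items():
        print(f"{key:>15}: {value}")
```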
Part 2
You are analyzing the alerts generated by the IDS and noticed
that an executable malware was sent as an image.
Note: if the last digit of your student number is odd, take the
following files:
1. traffic_analysis_2_odd.pcap
2. traffic_analysis_2_odd Alerts.jpg
Note: if the last digit of your student number is even, take the
following files:
1. traffic_analysis_2_even.pcap
2. traffic_analysis_2_even Alerts.jpg
Answer the following questions. Put your answers, as well as
how you found the answers, in a short report.
1. How many clients do you see in this capture? Find out the
information related to the clients, including their IP/MAC
addresses and operating system. For Windows clients, also find
out their user accounts.
2. Which client is the victim?
3. How was the malware downloaded?
4. Export the malware and search the Internet to find out the
name of the malware.
Part 3
Note: if the last digit of your student number is odd, take the
following task:
An attack has been captured in traffic_analysis_3odd.pcapng.
It is your task to find out what the attack is. Observe the
packets and find out the IP addresses of the victim and the
attacker. Write a short report on how the attack happened and
which techniques were used.
Note: if the last digit of your student number is even, take the
following task:
One of the hosts in the capture traffic_analysis_3even.pcapng
has been infected with malware. It is your task to find out
information about the victim and what happened. Write a short
report on your findings.
Part 4
Look for a phishing/spam email in your mailbox. Download the
header and analyse: the sender, receiver, mail servers, SPF,
DKIM, DMARC, etc. Discuss the evidence that you find.
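A starting point for the header analysis, as an added example (not part of the assignment): the script parses a raw header block, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, lists the Received hops in delivery order, and checks whether the Return-Path domain lines up with the visible From domain. The header block is constructed for illustration; the alignment check is a simplification of DMARC relaxed alignment, which really compares organizational domains via the public suffix list.

```python
"""Added example: extract sender, routing and authentication evidence
from a raw e-mail header block."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers in the shape a mail client's "show original" gives.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by inbox.example.org with ESMTPS id abc123;
 Mon, 01 Mar 2021 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
 by mx.example.org with ESMTP id def456;
 Mon, 01 Mar 2021 10:00:00 +0000
Authentication-Results: mx.example.org;
 spf=fail (sender IP is 198.51.100.5) smtp.mailfrom=mail.example.net;
 dkim=none;
 dmarc=fail (p=REJECT) header.from=bank.example.com
From: "Security Team" <alerts@bank.example.com>
To: victim@example.org
Subject: Urgent: verify your account
Message-ID: <1234@relay.example.net>

(body omitted)
"""


def _unfold(value) -> str:
    """Join folded header continuation lines into one string."""
    return " ".join(str(value).split()) if value else ""


def parse_auth_results(value: str) -> dict:
    """Map spf/dkim/dmarc to their verdict, plus the DMARC policy if shown."""
    auth = {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}
    pol = re.search(r"\(p=(\w+)\)", value)
    if pol:
        auth["dmarc_policy"] = pol.group(1).upper()
    return auth


def received_chain(msg) -> list:
    """(from, by) hops oldest first; headers are stored newest first."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", _unfold(hdr))
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def domain_of(addr_header) -> str:
    """Domain part of the first address in a header, lower-cased."""
    _name, addr = parseaddr(_unfold(addr_header))
    return addr.rpartition("@")[2].lower()


def aligned(from_domain: str, other: str) -> bool:
    """Approximation of relaxed alignment: equal or parent/subdomain."""
    if not from_domain or not other:
        return False
    return (other == from_domain or other.endswith("." + from_domain)
            or from_domain.endswith("." + other))


def analyse(raw: str) -> dict:
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    rp_domain = domain_of(msg.get("Return-Path"))
    auth = parse_auth_results(_unfold(msg.get("Authentication-Results")))
    findings = []
    if auth.get("spf") == "fail":
        findings.append("spf=fail: sending server not authorized for "
                        "the envelope sender domain")
    if auth.get("dkim") in (None, "none"):
        findings.append("dkim=none: no signature to verify")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc=fail (policy %s): the From domain is not "
                        "authenticated" % auth.get("dmarc_policy", "?"))
    if not aligned(from_domain, rp_domain):
        findings.append("Return-Path domain %s does not align with From "
                        "domain %s" % (rp_domain, from_domain))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "aligned": aligned(from_domain, rp_domain),
        "auth": auth,
        "received_chain": received_chain(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key:>19}: {value}")
```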
Threat hunting using Mitre enterprise ATT&CK

Introduction
Enterprise ATT&CK is a framework from Mitre intended to
describe and communicate a threat quickly and briefly.
ATT&CK describes the following tactics
(https://attack.mitre.org/tactics/enterprise/):
1. Reconnaissance
2. Resource development
3. Initial access
4. Execution
5. Persistence
6. Privilege escalation
7. Defense evasion
8. Credential access
9. Discovery
10. Lateral movement
11. Collection
12. Command and control
13. Exfiltration
14. Impact
As the word tactic might suggest, not every tactic needs to be
used by a threat. You will see that several tactics can be used
together to achieve a certain goal. ATT&CK also provides a
so-called Navigator (https://mitre-attack.github.io/attack-navigator/)
which displays the available techniques and sub-techniques for
each tactic. As with tactics, an attacker can use multiple
techniques to achieve a specific goal. For example, the initial
access tactic can use both drive-by compromise and phishing.
Each technique is actually an abstraction of a set of possible
practices that an attacker can use. For more information about
each technique, you can right-click on the technique in the
Navigator and choose "View technique".
Assignment
On Canvas you can find a report that provides the technical
analysis of attacks that are associated with Carbanak, a remote
backdoor.
Based on the information provided in this report, you will map
the activities involved to the ATT&CK framework. You will
also think about how the use of each technique can be detected
and mitigated in the future. In addition to the case provided to
you, you may look up additional information about the incident
yourself on the Internet if necessary. In that case, also provide
the references to the additional resources you used.
Follow these guidelines when filling in the tables:
1. (sub-) Technique: give the ID and the name of the technique
or sub-technique that you identified.
2. How is this (sub-) technique used: describe in your own words
how this technique is used. Do NOT copy the description from
Mitre ATT&CK.
3. Where did you find the info?: provide the page/line number in
the report, or references to other resources.
4. Your suggestion on mitigations/detection: you may be
inspired by Mitre ATT&CK for possible mitigation and
detection advice. However, describe your suggestion in your
own words in the context of this threat, and motivate your
suggestion. Do not copy the description from Mitre ATT&CK.
5. If you cannot find any information about the techniques used
in certain tactics (even after searching the Internet), you may
leave the table empty and indicate "no information can be found".
1. Reconnaissance
Indicate in the table below the techniques that the adversary
used to gather information for future operations.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? | Your suggestion on mitigations | Your suggestion on detection

2. Resource development
Indicate in the table below the techniques used to establish
resources that the adversary can use to support operations.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

3. Initial access
Indicate in the table below which techniques are used to gain
initial access to systems.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

4. Execution
Indicate in the table below the techniques that the adversary
used to run malicious code.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

5. Persistence
Indicate in the table below the techniques that the adversary
used to maintain their foothold.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

6. Privilege Escalation
Indicate in the table below the techniques that the adversary
used to gain higher-level permissions.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

7. Defense Evasion
Indicate in the table below the techniques that the adversary
used to avoid being detected.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

8. Credential access
Indicate in the table below the techniques that the adversary
used to steal account names and passwords.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

9. Discovery
Indicate in the table below the techniques that the adversary
used to figure out the victim's environment.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

10. Lateral movement
Indicate in the table below the techniques that the adversary
used to move through the environment.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

11. Collection
Indicate in the table below the techniques that the adversary
used to gather data of interest to their goal.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

12. Command and Control
Indicate in the table below the techniques that the adversary
used to communicate with compromised systems to control
them.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

13. Exfiltration
Indicate in the table below the techniques that the adversary
used to steal data.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection

14. Impact
Indicate in the table below the techniques that the adversary
used to manipulate, interrupt, or destroy systems and data.
(sub-) Technique | How is this (sub-) technique used | Where did you find the info? (page/line number in the report, or references to other resources) | Your suggestion on mitigations | Your suggestion on detection
  • 15. (sub-) Technique How is this (sub-) technique used Where did you find the info? (page/line number in the report, or references to other resources) Your suggestion on mitigations Your suggestion on detection 11. Collection Indicate in the table below the techniques that the adversary used to gather data of interest to their goal. (sub-) Technique How is this (sub-) technique used Where did you find the info? (page/line number in the report,
  • 16. or references to other resources) Your suggestion on mitigations Your suggestion on detection 12. Command and Control Indicate in the table below the techniques that the adversary used to communicate with compromised systems to control them. (sub-) Technique How is this (sub-) technique used Where did you find the info? (page/line number in the report, or references to other resources) Your suggestion on mitigations
  • 17. Your suggestion on detection 13. Exfiltration Indicate in the table below the techniques that the adversary used to steal data. (sub-) Technique How is this (sub-) technique used Where did you find the info? (page/line number in the report, or references to other resources) Your suggestion on mitigations Your suggestion on detection
  • 18. 14. Impact Indicate in the table below the techniques that the adversary used to manipulate, interrupt, or destroy the systems and data. (sub-) Technique How is this (sub-) technique used Where did you find the info? (page/line number in the report, or references to other resources) Your suggestion on mitigations Your suggestion on detection
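Once the tables are filled in, the mapping can be loaded into the ATT&CK Navigator mentioned above as a layer file, which highlights every mapped technique on the matrix. The script below is an added example for this assignment, not part of the original document or of the Carbanak report: it takes rows shaped like the table columns, checks that each technique ID has the T1234 or T1234.001 form and that each tactic is one of the 14 listed, honours the "no information can be found" rule from guideline 5 by recording the tactic in the layer description instead of failing, and writes a Navigator layer as JSON. The sample rows are constructed placeholders (the technique IDs T1566 Phishing and T1189 Drive-by Compromise come from ATT&CK itself, matching the two initial-access techniques named in the text, not from the report), and the version numbers in the `versions` field are assumptions that should be adjusted to the navigator you run.

```python
"""Build an ATT&CK Navigator layer from an assignment-style mapping table.

Added example for this assignment; not part of the original document.
Sample rows are constructed and are NOT findings from the Carbanak report.
"""
import json
import re

# Navigator short names of the 14 enterprise tactics, in the order listed above.
TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# ATT&CK technique IDs look like T1234 (technique) or T1234.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Guideline 5 allows this phrase instead of a technique when nothing was found.
NO_INFO = "no information can be found"

# Constructed sample rows with the five table columns (placeholders, not report data).
SAMPLE_ROWS = [
    {"tactic": "initial-access", "technique": "T1566",
     "how_used": "Targets received emails carrying a malicious attachment (constructed).",
     "source": "report p. X (placeholder)",
     "mitigation": "Attachment sandboxing plus user awareness training.",
     "detection": "Alert when an Office process spawns a script interpreter."},
    {"tactic": "initial-access", "technique": "T1189",
     "how_used": "A visited website served exploit code to the browser (constructed).",
     "source": "report p. X (placeholder)",
     "mitigation": "Patch browsers and plugins; consider browser isolation.",
     "detection": "Proxy logs showing downloads from newly registered domains."},
    {"tactic": "reconnaissance", "technique": NO_INFO,
     "how_used": "", "source": "", "mitigation": "", "detection": ""},
]


def validate_row(row):
    """Return the technique ID, None for a 'no information' row, or raise ValueError."""
    if row["tactic"] not in TACTICS:
        raise ValueError(f"unknown tactic: {row['tactic']!r}")
    tech = row["technique"].strip()
    if tech.lower() == NO_INFO:
        return None
    if not TECHNIQUE_ID.match(tech):
        raise ValueError(f"technique ID must look like T1234 or T1234.001: {tech!r}")
    return tech


def is_valid_row(row):
    """Boolean wrapper around validate_row for quick checks."""
    try:
        validate_row(row)
        return True
    except ValueError:
        return False


def build_layer(rows, name="Assignment mapping"):
    """Return a Navigator layer as a dict (version numbers are assumptions)."""
    techniques = []
    missing = []
    for row in rows:
        tech = validate_row(row)
        if tech is None:
            missing.append(row["tactic"])
            continue
        # Keep the other four table columns as the technique comment in the layer.
        comment = (f"Used: {row['how_used']} | Source: {row['source']} | "
                   f"Mitigation: {row['mitigation']} | Detection: {row['detection']}")
        techniques.append({
            "techniqueID": tech,
            "tactic": row["tactic"],
            "score": 1,
            "color": "#e60d0d",
            "comment": comment,
            "enabled": True,
        })
    description = "Mapped from the assignment tables."
    if missing:
        description += " No information found for tactics: " + ", ".join(missing) + "."
    return {
        "name": name,
        # Assumed versions; match them to the ATT&CK and Navigator release you use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
    }


def layer_json(rows):
    """Serialise the layer for import via the navigator's 'Open Existing Layer'."""
    return json.dumps(build_layer(rows), indent=2)


if __name__ == "__main__":
    print(layer_json(SAMPLE_ROWS))
```

Save the printed JSON to a file and open it in the navigator to see the mapped techniques coloured on the matrix; rows marked "no information can be found" do not produce a technique entry but are listed in the layer description so the gap stays visible in the report.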