CMP020L020S Digital Forensics Coursework Portfolio 2 – Forensic Analysis of an Attack

Published: 03 Jun, 2025
Category: Coursework
Subject: Education
University: University of Roehampton London (UOR)
Module Title: CMP020L020S Digital Forensics
Title of Coursework: Coursework Portfolio 2 – Forensic Analysis of an Attack
Word count: 1500 words

Learning Outcomes of CMP020L020S: 

  • LO2: Describe the legal, ethical and professional role of a digital forensic practitioner.
  • LO3: Apply appropriate practices, tools, and techniques in the context of a given investigative scenario.
  • LO4: Analyse and synthesise the outcomes of a digital forensic investigation as a report.

CMP020L020S Academic Misconduct: 

“Academic integrity and honesty are fundamental to the academic work you produce at the University of Roehampton. You are expected to complete coursework which is your own and which is referenced appropriately. The university has in place measures to detect academic dishonesty in all its forms. If you are found to be cheating or attempting to gain an unfair advantage over other students in any way, this is considered academic misconduct, and you will be penalised accordingly.”

CMP020L020S Coursework Introduction:

This portfolio is designed to empower you to investigate the Registry, memory and file system of an image and to engage in hands-on investigation, gaining practical experience with tools commonly employed in real-world scenarios. You are strongly advised to:

  • READ THIS COURSEWORK DOCUMENT CAREFULLY!
  • Fully understand the aims and objectives of this coursework. If you are unclear on any aspect of this assignment, please speak to your course instructor as soon as possible.

This portfolio contains 3 components, and your goal is to complete all components as required.

CMP020L020S SCENARIO:

As a cyber security analyst, you have been alerted to suspicious activity on a Windows virtual machine (VM) within a corporate network. Upon investigation, it is discovered that a suspect may have been involved in a security breach. The VM was allegedly used by an insider threat to distribute suspicious software and potentially to tamper with sensitive data from the company’s network. A member of the cyber security team has created a digital forensic image from the VM, and you as an analyst must investigate the VM image, focusing on analysing the Windows registry and memory artifacts to identify evidence of malicious software activity and assess the damage that may have been caused by the software.
Having received forensic images via a chain of custody process (Portfolio Evidence Case), you are required to use digital forensics tools such as FTK Imager, Autopsy and Volatility3 to analyse them, consider the predefined questions and document your investigation. However, you may use a tool of your choice to conduct your analysis.
Your investigative objectives are as follows:

  1. Identify evidence of malicious activity within the Windows Registry and memory.
  2. Analyse the relevant artifacts from the Windows Registry.
  3. Analyse memory to identify running processes and loaded modules.
  4. Assess the damage that can be caused by the software.

Investigation process:

  1. Initial Examination: Verify the integrity of the forensic image and memory of the virtual machine.
  2. The Windows Registry Analysis: Utilise an appropriate tool to examine the Windows registry hives within the VM image.
  3. Memory Analysis: Analyse memory dumps extracted from the VM using an appropriate tool such as Volatility.
  4. Please remember that your investigation should follow the best practice guidelines (ACPO) and comply with any best practice requirements for the investigation of digital devices in the UK.

CMP020L020S Submission:

Component 1: The Windows Registry Analysis (Maximum 50 marks)

To begin your investigation, utilise a suitable tool like Autopsy to analyse the Windows registry from the image `win10_Portfolio3-disk.vhd`. The following questions are designed to guide you through the investigation process. Review them to identify any suspicious files, describe your approach and methodology, and include supporting notes along with screenshots and/or digital forensic artifacts (e.g., pictures, text documents, files).

1. From which operating system (program name) was the forensic image (win10_Portfolio3-disk.vhd) acquired? What is the computer’s name? What is the source file containing this information? What is the Path?
2. Who is the owner of this device?
3. What is the Timezone setting?
4. What is the Device ID for the win10_Portfolio3-disk.vhd?
5. Identify the information of the network interface(s) with an IP address assigned by DHCP. What is the DHCP IP Address?
6. How many user accounts are listed?
7. Who was the last user to login to the PC?
8. What is the account name of the user who mostly uses the computer?
9. When was the last recorded computer shutdown date/time?
10. Which user was logged into the device on 22nd March 2024?
11. Which account(s) were created on 22nd March 2024 and at what time?
12. Investigate user accounts and identify which accounts are administrator group members?
13. How many files are under AtomicRedTeam?
14. What is the Parent MFT Entry Number for the file "ART-attack.ps1"?
15. Open the UserSettings from HKLM\System\ControlSet001\Services\bam. Which executable files did the BAM record for the user (RID 1001)? What is the last execution date and time?
16. When were T1055.exe and T1036.003.exe created?
17. How many .exe files were executed on 22nd March 2024?
18. How many .dll files were created on 22nd March 2024?
19. How many .bat files were created on 22nd March 2024?
20. Was Notepad opened on 22nd March 2024?
21. What is the name of the malicious file accessed on 22nd March 2024? By whom and at what time?
22. Is there evidence that the SYSMON program was executed on 22nd March 2024?
23. Is there evidence that the AdFind tool was installed and executed on 22nd March 2024?
24. How many times were the command prompt and PowerShell executed on 22nd March 2024?
25. Open C:\Windows\Prefetch. What size was recorded for AtomicService.exe?
26. Investigate C:\Windows\Prefetch path to produce a timeline of suspicious execution events for the following programs:

  • POWERSHELL.exe
  • cmd.exe
  • NET.exe
  • REG.exe
  • SCHTASKS.exe
  • SC.exe
  • ATOMICSERVICE.EXE
  • MAVINJECT.exe
  • NOTEPAD.exe

27. Investigate the Student NTUSER\Software hive to identify the path of the AtomicService.exe file that was added to the run keys.
28. What is the name of the suspicious script in the StartUp folder?
29. Investigate the HKLM\Software hive and identify which tasks were scheduled to start at Logon and Startup and how many times they were executed.

CMP020L020S Component 2: Memory Analysis (Maximum 35 marks)

For this part of your assessment, you are required to complete the following tasks by analysing the VM’s memory image win10-Portfolio3-memory.raw with an appropriate tool such as Volatility.

Task 1: Provide a timeline of execution events for the following:

  • POWERSHELL.exe
  • Sysmon Program
  • NOTEPAD.exe
  • ATOMICSERVICE.EXE

Task 2: Extract the AtomicService dump. Evaluate the strings to identify if there is any additional information.

Task 3: Identify process owners and SIDs for the following:

  • POWERSHELL.exe
  • NOTEPAD.exe
  • ATOMICSERVICE.EXE

CMP020L020S Component 3: Executive summary (Maximum 10 marks)

For this part of your assessment, please provide an executive summary of the investigation carried out and the rationale for the approach taken, and highlight other points of significant interest. You are also required to reflect on your investigation and comment on the learning experience and anything you would do differently if conducting the work again.
