In the prior project, you used network forensics to write an incident report detailing how you captured, recorded, and analyzed events that occurred on a network. Based on this analysis, you determined that there has been a breach of the network.
Gathering this information is only the first step. Next, you must use the network forensic evidence you gathered to understand how the attack was conducted to better understand exactly what took place during the attack. There are several ways to identify the source of attacks. One of the challenges with network forensics is making sense of the data, which often comes from multiple sources, not to mention the fact that incidents of interest may occur at different times.
In this project, you will analyze suspicious software in a virtualized environment to determine whether the code is in fact malware.
The final report will summarize how you used your knowledge and skills in malware forensics to analyze the attack and determine what occurred and when. It will also offer recommendations on ways to improve the organization’s defense posture and response.
This project consists of five steps:
Steps 1 through 4 consist of analyzing the network intrusion for a possible malware attack. As you proceed, document your research and findings.
In Step 5, you will compile your analysis and findings to complete a comprehensive incident response report.
“I’m going to need you to dig further to figure out how the attacker breached the network. I suspect that malware was involved, but I’ll need you to confirm this. Special Agent Jones imaged the compromised host disk and sent us a working copy of image files. You can start by analyzing those on the virtual machine. Then document your malware analysis and findings in an incident response report.”
As you learned in your exploration of digital forensic response and analysis, one way to analyze the data is by visual analysis, which allows assimilation of information from a variety of sources for inspection in ways that are possible only with this integration.
Often in visual analysis, computing power is used to process raw data into graphics, which are meant to reveal patterns or relationships in the data when viewed by a human. This raw data can include logs and records that have different formats, as well as media files.
Filtering and linkage techniques, as well as the use of a timeline, can provide a more complete picture of a situation that may be difficult or impossible to conceptualize without visual analysis techniques. In determining next steps, you recall that effective analysis of data includes metrics based on pattern-matching algorithms. By comparison, other techniques like statistical analysis rely primarily on numerical measures derived from the data and incorporated into tree maps.
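The hardest part of building a timeline from multiple sources is usually not the drawing but the normalization: each source writes timestamps in its own format and time zone, so events cannot be ordered or linked until they are all expressed in one clock. The following added example (written for this page; it is not part of the course materials or of any lab tool) merges three constructed sample logs, a firewall CSV in UTC, an Apache-style proxy log with a UTC offset, and a host log in local time without an offset, into one UTC-ordered timeline and filters it by host. The sample lines, the host address 10.0.0.5, and the assumption that the host log is in UTC-5 are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import List

# Constructed sample records from three sources with different formats and zones.
FIREWALL_LOG = [  # CSV: ISO-8601 UTC timestamp, src, dst, port, action
    "2024-03-04T09:15:02Z,10.0.0.5,198.51.100.7,443,ALLOW",
    "2024-03-04T09:15:40Z,10.0.0.5,198.51.100.7,443,ALLOW",
]
PROXY_LOG = [  # Apache-style: local time with explicit UTC offset
    '04/Mar/2024:04:14:55 -0500 10.0.0.5 "GET http://example.invalid/update" 200',
]
HOST_LOG = [  # Windows-style local time with no offset in the record
    "03/04/2024 04:15:10 AM  Process created: C:\\Users\\x\\update.exe",
]
HOST_TZ = timezone(timedelta(hours=-5))  # assumed local zone of the imaged host

@dataclass(order=True)
class Event:
    ts_utc: datetime   # first field, so sorting orders by normalized time
    source: str
    host: str
    summary: str

def parse_firewall(lines) -> List[Event]:
    events = []
    for line in lines:
        ts, src, dst, port, action = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(t, "firewall", src, f"{action} {src} -> {dst}:{port}"))
    return events

PROXY_RE = re.compile(r'^(\S+ [+-]\d{4}) (\S+) "([^"]*)" (\d{3})$')

def parse_proxy(lines) -> List[Event]:
    events = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than abort the whole merge
        # %z consumes the "-0500" offset, so the result is already zone-aware
        t = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(t, "proxy", m.group(2), f"{m.group(3)} -> {m.group(4)}"))
    return events

HOST_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+(.*)$")

def parse_host(lines, host: str, local_tz: timezone) -> List[Event]:
    events = []
    for line in lines:
        m = HOST_RE.match(line)
        if not m:
            continue
        # No offset in the record: attach the assumed local zone, then convert to UTC
        t = (datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
             .replace(tzinfo=local_tz).astimezone(timezone.utc))
        events.append(Event(t, "host", host, m.group(2)))
    return events

def build_timeline(*event_lists) -> List[Event]:
    """Merge any number of per-source event lists into one UTC-ordered timeline."""
    return sorted(e for lst in event_lists for e in lst)

def events_for_host(events: List[Event], host: str) -> List[Event]:
    """Linkage step: keep only events attributable to one host."""
    return [e for e in events if e.host == host]

def render(events: List[Event]) -> List[str]:
    return [f"{e.ts_utc.isoformat()} [{e.source}] {e.host}: {e.summary}" for e in events]

if __name__ == "__main__":
    timeline = build_timeline(parse_firewall(FIREWALL_LOG), parse_proxy(PROXY_LOG),
                              parse_host(HOST_LOG, "10.0.0.5", HOST_TZ))
    for line in render(events_for_host(timeline, "10.0.0.5")):
        print(line)
```

Once every event carries a UTC timestamp, the proxy request, the host's process creation and the firewall connections fall into their true order, which is what lets an examiner link them as one sequence rather than three unrelated records.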
Graphics produced for visual analysis may rely on color, shape, size, location, and relationships to represent aspects of the underlying data. Visual analysis for data analytics should not be confused with visual analysis for artwork, which is the study of the formal elements and other aspects of a work of art.
Visual analysis is one technique used in digital forensics for analysis. For the current investigation, though, you first need to determine what you are dealing with. Is it malware?
After reviewing the network attack and the possible approach taken by the attacker, you suspect malware was used. Integrating reverse engineering techniques with malware analysis techniques can shed light on network vulnerabilities and on how the malware code executed. These malware analysis tools and environments can be run against a live network or, preferably, against captured network traffic, as in this particular incident.
In the previous step, you conducted an analysis of a network attack using EnCase with the compromised host disk image. Now, you will report on the results of the lab exercise and document them following the Guidelines for Digital Forensics Examiner Reports, but this time you will apply these guidelines using the UMGC Digital Evidence Forensic Report Template. See an example of this template in use. As you progress in your career, you will probably use many different templates; this is a chance to build that skill.
Your analysis in EnCase indicates that malware was indeed used in the attack. With this in mind, the next step is to determine the source of the malware. As a digital forensics investigator, you know that email is one of the most prevalent methods for transporting malware into and throughout a network infrastructure.
Special Agent Jones thinks he has tracked the malware down to a foreign national graduate student from Florida East-Central University. SA Jones indicated that he has probable cause to believe the software was being used for illegal purposes. He provided Yvonne with two files recovered from the student’s computer for analysis, and they are relying upon our knowledge and skills to identify specifically what the software does and how it works.
Analyze the malware file(s) in accordance with the instructions in the box below. Conduct a static analysis of the files. Report the procedures you used and the results. Identify potential civil or criminal problems created by the use of malware.
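Static analysis begins with steps that never execute the sample: recording its hashes so the evidence can be identified and verified later, determining the file type from its leading bytes rather than its extension, and extracting printable strings to look for imported libraries, messages, URLs and addresses worth noting in the report. The script below is an added example written for this page (it is not one of the lab's tools and not part of the course materials) that performs that first-pass triage. The sample bytes it analyzes are constructed in the script, not taken from the case files, and the `example.invalid` URL and address in them are placeholders.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Leading-byte signatures for file types commonly met in triage.
# The type is taken from content, not from the file extension, which is easily faked.
MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (archives, Office documents)",
}

# URLs and dotted-quad addresses inside extracted strings are candidate indicators.
URL_OR_IP = re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class TriageResult:
    file_type: str
    hashes: Dict[str, str]
    strings: List[str]
    network_indicators: List[str]

def file_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the whole file, for the evidence log and later verification."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII at least min_len long, like the Unix strings(1) tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def triage(data: bytes) -> TriageResult:
    strs = extract_strings(data)
    indicators = sorted({m.group() for s in strs for m in URL_OR_IP.finditer(s)})
    return TriageResult(file_type(data), hashes(data), strs, indicators)

def triage_file(path: str) -> TriageResult:
    with open(path, "rb") as fh:
        return triage(fh.read())

# Constructed sample: a PE-like header with a few embedded strings, not a real program.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00"
    + b"http://example.invalid/update\x00"
    + b"\x01\x02"
    + b"10.0.0.5\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("type:", result.file_type)
    for alg, digest in result.hashes.items():
        print(f"{alg}: {digest}")
    print("strings:", result.strings)
    print("network indicators:", result.network_indicators)
```

For the report, the hashes go in the evidence section so anyone re-examining the working copy can confirm it is unchanged; the file type and strings feed the procedures and results sections, with the caveat that strings show only what is visible in the bytes, so a packed or encrypted sample will yield little until further analysis.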
As you did with the first lab, after you’ve conducted your analysis, write up your findings by applying Guidelines for Digital Forensics Examiner Reports to the UMGC Digital Evidence Forensic Report Template. Keep in mind that your report should include screenshots and analysis of the malware file.
You have completed your lab investigations and collected the information you need. It is time to write the Final Incident Response Report for your organization’s leaders, network administrators, and security operations team.
When you are finished, submit your final incident response report to your organization’s security operations manager (your instructor) using the dropbox below.