School of Engineering and Technology

Department of Computer Science and Engineering

Name : GURUPREETH NJ

USN : 20BBTIT005

Course Code : 4BCS742

Course Name : Digital Forensics

Subject : Assignment – I
Case Study 1: Corporate Data Breach Investigation Background:
A multinational corporation specializing in financial services has experienced a significant data
breach. The breach has led to the exposure of sensitive customer information, including
financial records, personal identification data, and transaction histories. The corporation
suspects that the breach was perpetrated by an insider with access to the company's network.

Assignment Questions:
Initial Assessment:
1. steps would you take initially to assess the scope and severity of the data breach?

• Identify the nature of the data compromised (financial records, personal identification
data, transaction histories).
• Determine the extent of the breach (number of records compromised, duration of
unauthorized access).
• Evaluate the potential impact on affected individuals, the organization's reputation, and
regulatory compliance.

2. How would you prioritize your investigative efforts?

• Focus on containing the breach and preventing further unauthorized access.

• Prioritize the preservation of critical evidence, such as system logs, network traffic data,
and compromised files.
• Allocate resources based on the criticality of affected systems and the sensitivity of
compromised data.

Evidence Collection:

1. Outline the process of collecting digital evidence from various sources within the
corporate network.

• Identify relevant sources of digital evidence, including servers, workstations, network

devices, and cloud storage.
• Use forensic tools to acquire forensic images of affected systems without altering
original data.
• Document the chain of custody for all collected evidence to maintain its integrity for
legal purposes.

2. What challenges might you encounter during evidence collection, and how would you
address them?

• Potential challenges may include encrypted data, volatile memory, and remote or cloud-
based systems.
• Mitigate challenges by leveraging specialized forensic tools capable of handling
encryption, acquiring volatile memory, and accessing remote/cloud-based data with
proper authorization.
Forensic Analysis:

1. Describe the forensic analysis techniques you would employ to examine the collected
evidence.

• Employ techniques such as file carving, memory analysis, timeline analysis, and
keyword searches to examine digital evidence.
• Use forensic software tools like EnCase, FTK, and Autopsy to analyze acquired images
and extract relevant information.

2. What indicators of compromise (IOCs) or digital footprints would you look for
during the analysis?

• Look for suspicious file access patterns, unauthorized login attempts, anomalous
network connections, and unusual system modifications.
• Identify IOCs such as malware signatures, command-and-control communications, and
unauthorized user accounts.

Timeline Reconstruction:

1. Discuss the importance of timeline reconstruction in this investigation.

• Helps understand the sequence of events leading to the breach, aiding in identifying the
initial intrusion vector and lateral movement.
• Facilitates attribution of actions to specific individuals or entities, supporting legal and
disciplinary actions.

2. How would you establish a timeline of events leading up to and following the data
breach?

• Analyze system logs, network traffic, and timestamps on files to create a chronological
sequence of events.
• Correlate findings with user activity records, access logs, and security alerts to validate
the timeline.

Suspect Identification:

1. Based on the evidence gathered, how would you identify potential suspects within the
organization?

• Review access logs and authentication records to identify users with privileged access
during the breach period.
• Consider employee interviews and behavioural analysis to identify individuals
exhibiting suspicious activities or motivations.

2. What factors would you consider in narrowing down the list of suspects?

• Focus on individuals with access to sensitive data and systems relevant to the breach.
• Assess motive, opportunity, and access privileges of potential suspects to narrow down
the list.
Legal Considerations:

1. What legal and ethical considerations should be taken into account throughout the
investigation?

• Adhere to data protection laws, privacy regulations, and industry compliance standards.
• Respect individuals' privacy rights and maintain confidentiality of sensitive
information.
• Ensure compliance with chain of custody procedures to preserve the admissibility of
digital evidence in legal proceedings.

2. How would you ensure that the collection and handling of digital evidence adhere to
legal standards?

• Involve legal counsel to ensure investigative actions comply with relevant laws and
regulations.
• Document all investigative procedures and evidence handling processes to
demonstrate adherence to legal standards.

Recommendations and Mitigation:

1. Based on your findings, what recommendations would you provide to the corporation
to mitigate the risk of future breaches?

• Implement robust access controls and privileged account management.

• Enhance network monitoring and anomaly detection capabilities.
• Conduct regular security awareness training for employees to mitigate insider threats.
• Enhance incident response procedures and conduct regular security assessments.

2. How can the organization improve its cybersecurity posture and insider threat
detection mechanisms?

• Deploy endpoint detection and response (EDR) solutions to detect and respond to
insider threats.
• Implement data loss prevention (DLP) solutions to monitor and protect sensitive data.
• Establish a culture of security awareness and promote reporting of suspicious activities
or policy violations.

Conclusion:

1. Summarize your key findings from the investigation.

• Identification of insider involvement in the data breach.

• Analysis of breach impact on affected individuals and organizational security posture.
• Recommendations for mitigating future breaches and improving cybersecurity
defences.
2. Reflect on any lessons learned and areas for improvement in future digital forensic
investigations.

• Importance of proactive monitoring and timely incident response.

• Need for robust access controls and employee awareness training.
• Continuous improvement of forensic analysis techniques and legal compliance
measures.
Case Study 2: Cyber Extortion Incident Investigation Background:
A mid-sized e-commerce company has fallen victim to a cyber extortion scheme. The
perpetrators have infiltrated the company's network, encrypted critical data, and demanded a
ransom payment in exchange for the decryption keys. The company's operations have been
severely disrupted, leading to financial losses and reputational damage.

Assignment Questions:
Initial Response:
1. What immediate steps should the company take upon discovering the cyber extortion
incident?

• Isolate affected systems to prevent further spread of the ransomware.

• Notify relevant stakeholders including IT staff, management, and legal counsel.
• Document the incident including observed symptoms, initial analysis, and any
communication received from the attackers.
• Implement incident response protocols to coordinate the investigation and response
efforts.

2. How would you ensure the preservation of evidence while responding to the incident?
• Create forensic copies of affected systems using write-blocking tools to ensure evidence
integrity.
• Document the chain of custody for all evidence collected.
• Disable any automated cleanup processes to preserve volatile data.
• Take screenshots and record system logs before making any changes.

Ransomware Analysis:

1. Conduct a forensic analysis of the ransomware used in the attack.

• Extract ransomware samples from affected systems for analysis.

• Analyze ransom notes, file extensions, and encryption methods used by the
ransomware.
• Reverse engineer the ransomware to understand its behaviour and capabilities.

2. What techniques would you employ to identify the ransomware variant and its
characteristics?

• Compare ransomware artifacts with known databases and repositories to identify the
variant.
• Utilize online resources and forums where researchers share information about new
ransomware strains.
• Employ sandboxing and malware analysis tools to study the ransomware's execution
behaviour.
Communication Tracing:

1. Investigate the communication channels used by the attackers to demand the ransom.

• Review network logs, firewall logs, and DNS logs to identify communication with
external servers.
• Analyze email headers and server logs for any phishing emails or malicious
attachments.
• Monitor communication channels specified by the attackers for further instructions.

2. How would you trace the origin of the communication and gather evidence for
attribution?

• Utilize IP geolocation tools to trace the origin of the communication.

• Gather evidence such as IP addresses, timestamps, and communication protocols for
attribution.
• Coordinate with law enforcement or cybersecurity agencies for assistance in tracing
the attackers.

Payment Analysis:

1. Analyze the cryptocurrency transactions associated with the ransom payment.

• Obtain transaction IDs and wallet addresses associated with the ransom payment.
• Analyze blockchain explorers and cryptocurrency exchanges to track the flow of funds.
• Utilize blockchain analysis tools to identify any patterns or connections with known
criminal activities.

2. What methods can be used to trace and track cryptocurrency transactions for
investigative purposes?

• Use clustering algorithms to group related transactions and identify money laundering
techniques.
• Follow the money trail by analyzing transactions on the blockchain and identifying
cash-out points.
• Collaborate with cryptocurrency experts or forensic accountants to trace and track
cryptocurrency transactions effectively.

System Compromise Assessment:

1. Assess the extent of system compromise within the company's network.

• Conduct a comprehensive scan of the company's network to identify all compromised

systems.
• Analyze system logs, registry entries, and memory dumps for indicators of
compromise (IOCs).
• Identify lateral movement and persistence mechanisms used by the attackers.
2. What forensic artifacts and indicators of compromise (IOCs) would you look for during
the assessment?

• Look for ransomware-related artifacts such as ransom notes, encrypted files, and file
system changes.
• Search for suspicious processes, registry modifications, and network connections
indicative of compromise.
• Identify common IOCs such as file hashes, IP addresses, and domain names associated
with the ransomware operation.

Incident Timeline Reconstruction:

1. Reconstruct the timeline of events leading up to the cyber extortion incident.

• Compile timestamps from system logs, network traffic, and communication records to
create a chronological timeline.
• Interview employees and review security camera footage to verify key events.
• Use timeline analysis tools to visualize the sequence of events and identify any
discrepancies or gaps.

2. How would you correlate various activities and events to create a coherent timeline?
• Correlate events across multiple data sources to establish causal relationships and
identify the initial attack vector.
• Cross-reference timestamps to determine the sequence of compromise, data
exfiltration, and ransom demand.
• Validate the timeline with corroborating evidence and adjust as new information
emerges.

Third-Party Involvement:

1. Determine if any third-party vendors or service providers were involved or

compromised during the incident.
• Assess third-party vendors and service providers with access to the company's network.
• Investigate any potential compromise or involvement of external parties in the incident.

2. What procedures should be followed to coordinate with external parties for

investigative purposes?
• Notify relevant third parties of the incident and request assistance in their own
investigations.
• Coordinate with external cybersecurity firms or legal counsel to conduct joint
investigations.
• Share relevant information and findings while maintaining confidentiality and adhering
to legal obligations.
Mitigation Strategies:

1. Propose mitigation strategies to prevent future cyber extortion incidents.

• Implement robust cybersecurity controls including regular software patching, network
segmentation, and endpoint protection.
• Enhance employee training programs to raise awareness of phishing attacks and social
engineering tactics.
• Deploy proactive monitoring and detection systems to identify suspicious activities and
potential threats.

2. How can the company improve its cybersecurity defences and incident response
capabilities?

• Develop incident response playbooks and conduct regular tabletop exercises to test
response capabilities.
• Establish a cyber threat intelligence program to stay informed about emerging threats
and vulnerabilities.
• Engage in industry collaboration and information sharing initiatives to benefit from
collective defence measures.

Legal Implications:

1. Discuss the legal implications of paying the ransom and handling cryptocurrency
transactions in response to cyber extortion.

• Assess the legality and ethical considerations of paying the ransom, considering
potential sanctions and regulatory implications.
• Consult legal counsel to evaluate the risks and consequences of making payments to
cybercriminals.

2. What legal frameworks and regulations should be considered in conducting the

investigation?

• Ensure compliance with anti-money laundering (AML) and know your customer
(KYC) regulations when dealing with cryptocurrency transactions.
• Work with law enforcement agencies and financial regulators to report suspicious
transactions and collaborate on investigative efforts.

Lessons Learned:

1. Reflect on the key lessons learned from this incident.

• Understand the importance of proactive cybersecurity measures in mitigating the risk

of cyber extortion incidents.
• Recognize the need for effective incident response protocols and coordination with
internal and external stakeholders.
• Acknowledge the evolving nature of cyber threats and the importance of continuous
monitoring and adaptation.
2. How can the company enhance its cybersecurity resilience based on these lessons?

• Invest in cybersecurity awareness training and employee education programs to foster

a culture of security awareness.
• Conduct regular security assessments and penetration testing to identify and address
vulnerabilities proactively.
• Foster collaboration and information sharing within the industry to stay ahead of
emerging threats and enhance collective defence capabilities.