Ryan_Gillard_ITDI_372_Unit2 (docx, 7 pages)
School: American InterContinental University
Course: 372, Information Systems
Date: Dec 6, 2023
Uploaded by ryangillard155
Digital Forensics Report
Ryan Gillard
American Intercontinental University
ITDI 372 2103B-01: Introduction to Cyber Crime and Digital Investigations
Professor Dvorak, Perry
3 August 2021
Section 1.0: Initial Identification

The threat was identified on 4/08/2021 at 8:34 AM ET.

Section 2.0: Impacted Personnel

Mrs. Elly Makena, Network Administrator, 555-854-2365
Mr. Tom Keen, Network Engineer, 557-452-9687
Mr. Soli Kahaa, Cybersecurity Technician, 875-152-7412
Miss Stephanie Mumbus, Incident Response Team Leader, 741-859-4258

Section 3.0: Incident Detection Specifics

The host systems were taking far longer to boot than usual. Because the servers were already running, the host devices should not have needed much boot time, yet this morning some of them took over five minutes to boot. The systems were sluggish and the servers were overworked: server CPU usage was well above its normal baseline even though no additional programs were running. This prompted the network administrator to call in the cybersecurity technician to assess the problem. The network bandwidth, which normally carries the whole company's traffic comfortably, could no longer handle the transmissions, and the routers showed a rise in traffic levels on the organization's network. Suspicious pop-ups appeared on the hosts, and the default applications associated with common tasks on the host computers had been changed.

The intrusion detection system, the intrusion prevention system, the host-based IDS and the network IDS were checked first and found to be turned off. They were checked first because any intrusion should have been noted by them and should have generated a notification for the administrator. The antivirus software on the host devices was also found to be turned off. The system logs were then reviewed and showed the creation of an administrator account named ROOT, followed by the consecutive execution, under that account, of tasks and programs that served to cripple the system from within.

Section 4.0: Threat Identification

Several methods were used to identify the threat. The first was the STRIDE methodology, which checks each threat category in turn against the collected evidence so that categories without supporting evidence can be eliminated and the list of candidate threats narrowed. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (privilege escalation).

Under spoofing, the team looked for users or programs masquerading as a legitimate user in order to access system resources. The collected data showed that the host-based intrusion detection systems and the antivirus software had been turned off; a spoofed identity is a plausible way of gaining the access and the privilege needed to do that.

Tampering refers to alteration of system code, configuration or components. Since the system settings had been changed, the evaluation established that tampering had taken place on both the host devices and the network, and the methods that could have facilitated it were investigated.

For repudiation, the system log files were retrieved and examined. This confirmed the first two threats. Because the log files were still present, the system's non-repudiation capability appeared to be intact, although logs on their own should be cross-checked against an independent record, since an account with administrator rights could have altered them.
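The log review described in Section 3 (a new ROOT administrator account, then antivirus and IDS services stopped under it) is the kind of check that can be scripted over the logs from every host at once. The following is an added example and is not code from the original report. It runs over constructed sample log lines in an assumed "timestamp host event key=value" format, corrects each host's clock by an assumed offset before merging the records so that the ordering across machines is right, flags privileged-account creation and stopped security controls, and counts how many events each account performed. Host names, offsets and log contents are placeholders for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional
import re

# Constructed sample, not taken from any real system:
# "<host-local timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = r"""
2021-08-04T08:21:40 srv-files account_created user=ROOT groups=Administrators by=ekatz
2021-08-04T08:21:55 srv-files service_stopped name=antivirus by=ROOT
2021-08-04T08:22:10 srv-files service_stopped name=hids by=ROOT
2021-08-04T08:19:03 ws-017 service_stopped name=antivirus by=ROOT
2021-08-04T08:19:30 ws-017 process_start image=C:\Temp\upd.exe by=ROOT
2021-08-04T08:25:00 ws-017 service_stopped name=print-spooler by=SYSTEM
2021-08-04T08:30:12 core-sw config_change field=ids state=disabled by=ROOT
"""

# Assumed clock offsets (host clock minus reference time), measured against the NTP
# server when the machines were seized; every event is corrected before merging.
CLOCK_OFFSET = {
    "srv-files": timedelta(0),
    "ws-017": timedelta(minutes=-3),   # this workstation's clock runs 3 min slow
    "core-sw": timedelta(minutes=5),   # the switch's clock runs 5 min fast
}

SECURITY_SERVICES = {"antivirus", "hids", "nids", "ids", "ips"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "root", "wheel"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"([\w-]+)=(\S+)")


@dataclass(order=True)
class Event:
    when: datetime                      # corrected to reference time; the sort key
    host: str = field(compare=False)
    event: str = field(compare=False)
    fields: Dict[str, str] = field(compare=False)
    finding: Optional[str] = field(compare=False, default=None)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("event"), fields


def classify(event, fields):
    """Return a finding string for the indicators from Section 3, else None."""
    if event == "account_created":
        groups = {g.strip().lower() for g in fields.get("groups", "").split(",")}
        if groups & PRIVILEGED_GROUPS:
            return f"privileged account created: {fields.get('user', '?')}"
    if event == "service_stopped" and fields.get("name", "").lower() in SECURITY_SERVICES:
        return f"security control stopped: {fields['name']}"
    if (event == "config_change" and fields.get("field", "").lower() in SECURITY_SERVICES
            and fields.get("state") == "disabled"):
        return f"security control disabled: {fields['field']}"
    return None


def build_timeline(log_text, clock_offsets):
    """Parse, correct each host's clock, classify, and merge into one ordered timeline."""
    events = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        local_ts, host, event, fields = parsed
        when = local_ts - clock_offsets.get(host, timedelta(0))
        events.append(Event(when, host, event, fields, classify(event, fields)))
    return sorted(events)


def findings(timeline):
    return [e for e in timeline if e.finding]


def events_by_actor(timeline):
    """Events per account; a brand-new account performing most of them is telling."""
    counts = {}
    for e in timeline:
        actor = e.fields.get("by", "?")
        counts[actor] = counts.get(actor, 0) + 1
    return counts


def report(timeline):
    lines = []
    for e in timeline:
        mark = f"  <-- {e.finding}" if e.finding else ""
        lines.append(f"{e.when.isoformat()} {e.host:<10} {e.event}{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS, CLOCK_OFFSET)
    print(report(tl))
    print(events_by_actor(tl))
```

Without the clock correction the workstation's record of antivirus being stopped would sort ahead of the account creation on the file server, which would suggest the wrong starting point for the attack; with it, the ROOT account is created first and every later control-disabling event is attributed to it.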
For information disclosure, the evaluation found evidence that access credentials had been leaked. The extent of the data disclosed to the attackers could not be determined at that point; this part of the evaluation would need to be repeated at the network level, with the traffic flowing in and out of the network examined before concluding whether data had been exfiltrated.

The next step was to check for denial of service, that is, whether server functionality had been compromised by overloading the servers with requests. The host endpoint devices took very long to boot and respond, hindering access to system and network resources, so there was a degree of denial of service against both the servers and the network.

Elevation of privilege was checked to determine whether the attack gave the attackers the credentials and the authorization to tamper with data at an administrative level, or at any level where authorization is required. Administrator rights are needed to turn off the hosts' intrusion prevention and antivirus software, and both had been turned off, so this threat had clearly been exploited to manipulate the system.

After the STRIDE evaluation, the team concluded that the system had been infected by malware that spread through the network. Malware is malicious software designed to gain access to a system or network. It can be passive, altering no data while letting the attacker intercept and read it, or, since it is a program, it can initiate a sequence of further attacks from a host device.
Close examination of the retrieved data showed that the malware had been hidden behind a link sent to an employee. When the employee clicked the link, the malware was installed on the host, from which it spread and crippled the system.

Section 5.0: Infected Resources

Host devices

Type and name of device            IP address      Status     Serial number
HP Pavilion Desktop TP01-2165z     172.16.4.71     Infected   SN HP 894067
HP 24-dp0140z AiO PC               172.16.4.89     Infected   SN HP 688444
HP All-in-one 684404qw PC          172.16.4.214    Infected   SN HP 106413
HP Slim Desktop S07-aF3505t        172.16.4.101    Infected   SN HP 610684
OMEN 30L Desktop GT237-67st        172.16.4.35     Infected   SN HP 668685

Networking devices

Name                     Serial          Status
Ubiquiti Nano Switch     SN 2013-8547    Infected
Cisco core switch        SN 8456-8210    Infected
Cisco wireless router    SN 6657-6554    Infected
Cisco firewall A         SN 3205-6571    Infected

Section 6.0: Digital Evidence

To plan the removal of the malware from the system, digital evidence had to be collected to establish the extent of the damage. All the hard disk drives of the computers on the network were removed and taken to the forensics lab for examination, which allowed the problem to be identified without risking infecting other devices. The data on the drives was examined at the raw binary level across the whole storage area, each drive's contents were compared against a known-good reference drive, and the differences were documented as evidence of tampering.

The internetworking devices that were showing higher than normal throughput were removed from the network and their configurations examined. Traffic passing through the firewall was captured, fragmented packets were reassembled, and the contents of each packet were examined with the source and destination IP addresses recorded. Once the infected endpoint devices and internetworking devices had been removed from the network, the network's bandwidth returned to its normal capacity.

All mobile devices connected to that VLAN were confiscated and taken for examination, to determine how far the malware had spread and to find its source. Since the firewall would have blocked traffic from unauthorized senders on the internet, the malware could only have entered the system, and subsequently the network, with the help of an employee who was already authorized.

The system log files were extracted from every machine on the network and examined. Synchronizing the logs gave a correct timeline of events on the systems before, during and after the malware attack. The network management software had recorded the times at which the network-based intrusion detection system had been turned off, and these records were used to establish the sequence of events.

Section 7.0: Tools and Procedures
Once the malware was discovered, a preplanned data-collection routine was followed. First, the devices at the scene were collected: each machine was disconnected from the network and from its power source, its unique serial number was recorded, and it was labelled and handed to the forensic team for further evaluation. The credentials used on the devices, including passwords, codes and PINs for authentication and authorization, were also collected and recorded.

The mobile devices used by all the users in the vicinity were confiscated and their batteries removed, so that the data on the phones was preserved as found; leaving the phones on would have risked automatic updates destroying evidence of the malware. Phones whose batteries could not be removed were placed in Faraday bags to cut them off from any remote connection. Note that powering a phone down loses whatever was in volatile memory and may leave its storage encrypted at the next boot, which is why isolating a powered-on device in a Faraday bag is generally the preferred option when it is available.

Photographs of the scene were taken before and after the electronic and networking devices were packaged. Screenshots of the failing systems and configuration files from the infected routers and switches were taken and documented appropriately. These steps were taken to ensure the data was not contaminated, so that it could serve as substantive evidence of how the malware infiltrated and took over the system. Each item was labelled so that it could not be mixed up with other evidence samples when sent to the lab.

The wireless devices were isolated to prevent any communication with the outside world. For the devices where wireless isolation was impossible, write access to the storage was blocked, after which a bitstream disk-to-image file was created from every device. This acquisition technique was selected because multiple copies of the data can be created simultaneously from the image and verified against the original.
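The acquisition steps above (block writes to the source, take a bitstream disk-to-image copy, verify it, make working copies, record custody details) can be carried out and checked in a few dozen lines. The following is an added example and is not code from the original report. It images a constructed "device" file rather than a real drive, uses filesystem permission bits as a software stand-in for a hardware write-blocker, hashes the source before and after the copy to prove nothing was written to the evidence, verifies the image and each working copy against that hash, and writes a chain-of-custody record. The label, examiner name and working directory are placeholders; the serial number is the first host's from Section 5.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size


def sha256_file(path):
    """Hash a file in chunks so large images never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def write_protect(path):
    """Software stand-in for a hardware write-blocker: clear every write bit on the source.
    A real acquisition blocks writes in hardware; this only guards against accidents."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def is_write_protected(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH) == 0


def acquire_image(source, image_path):
    """Bit-for-bit (bitstream) copy of the source into an image file.
    The source is hashed before and after the copy: a changed hash means something
    wrote to the evidence during acquisition and the image cannot be trusted."""
    before = sha256_file(source)
    copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            copied += len(block)
    if sha256_file(source) != before:
        raise RuntimeError("source changed during acquisition; image is not reliable")
    image_hash = sha256_file(image_path)
    if image_hash != before:
        raise RuntimeError("image does not match source; re-acquire")
    return copied, before, image_hash


def verify_image(image_path, expected_sha256):
    """Re-check an image or working copy against the hash recorded at acquisition."""
    return sha256_file(image_path) == expected_sha256


def make_working_copies(master_image, master_hash, count):
    """Analysis happens on verified copies; the master image is never opened for writing."""
    copies = []
    for i in range(1, count + 1):
        copy_path = f"{master_image}.copy{i}"
        shutil.copyfile(master_image, copy_path)
        if not verify_image(copy_path, master_hash):
            raise RuntimeError(f"working copy {copy_path} failed verification")
        copies.append(copy_path)
    return copies


def acquire(label, serial, source, workdir, examiner, copies=2):
    """Full routine: write-protect, image, verify, copy, and write the custody record."""
    write_protect(source)
    image_path = os.path.join(workdir, f"{label}.dd")
    started = datetime.now(timezone.utc).isoformat()
    copied, source_hash, image_hash = acquire_image(source, image_path)
    record = {
        "label": label,
        "serial": serial,
        "source": source,
        "image": image_path,
        "bytes_copied": copied,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
        "working_copies": make_working_copies(image_path, image_hash, copies),
        "examiner": examiner,
        "acquired_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(os.path.join(workdir, f"{label}.custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo():
    """Constructed 'device': a 1 MiB + 4 byte file standing in for a seized drive."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "sdb")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096 + b"tail")
    return acquire("HOST-A-HDD", "SN HP 894067", source, workdir, "S. Mumbus")


if __name__ == "__main__":
    rec = demo()
    print(json.dumps({k: rec[k] for k in ("label", "bytes_copied", "image_sha256",
                                          "working_copies")}, indent=2))
```

On a real seizure the same sequence is done with a hardware write-blocker between the drive and the imaging station and a tool such as dd or FTK Imager producing the image; the before/after hashes and the verified working copies are what later let the lab show the image is a faithful, unaltered copy of the original drive.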