annotated-ENPM687Final_RheaJokhi (PDF, 20 pages)
School: University of Maryland, University College
Course: 371
Subject: Information Systems
Date: Dec 6, 2023
ENPM687 – Final Project
Rhea Jokhi
1. Brief summary of information

As part of the final project forensic investigation, we were given the image of a hard drive. The task is to analyze the operation of the malware contained in the image, check whether the malware sends any messages out, and highlight other observations relevant to the investigation.

2. Tools used in the investigation process, including their purpose and any underlying assumptions associated with the tool

Three tools were used in the investigation. First, Autopsy, to view the files in the image in an organized way: it displays the details of every file in the image and flags files of interest (for example under "Encryption Suspected"), which narrows the search. Its use assumes the image is a faithful, unmodified copy of the drive. Second, Wireshark, to capture network traffic while the extracted executables were run, to see what they do in the background. This assumes the executables are run in an isolated analysis machine, so that any traffic captured can be attributed to the sample alone. Third, VeraCrypt, which was used to mount and decrypt the encrypted file discovered in the image and which brought the project to its conclusion.

3. Repository

After importing the image into Autopsy, I began with Recent Documents, since anything accessed before the disk was captured is a potential lead.
In this folder I found interesting shortcut (.lnk) files: obiwan.lnk, obiwan2.lnk and final-form.lnk, along with many files related to the Death Star.
Tracing the target path recorded in obiwan.lnk led to four files of interest, which are listed below. I also found that most of the Death Star files were stored on the M drive.
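To show how a Recent Documents shortcut is traced back to the file it pointed at, here is a minimal parser for the Windows .lnk (Shell Link) format, added as an example; it is not part of the original report and is not Autopsy output. It reads the ShellLinkHeader, the LinkInfo block that carries the local base path and the volume serial number, and the StringData fields for the relative path and working directory, and converts the FILETIME stamps. The sample shortcut it builds, including the path C:\Users\user\Documents\dist\obiwan.exe, the drive serial and the timestamp, is constructed test data, not a value recovered from the image.

```python
# Minimal parser for Windows .lnk (Shell Link) files. Recovers the target path,
# working directory and timestamps an investigator needs to trace a Recent
# Documents shortcut back to the file it pointed at. Added example; the path,
# serial number and times in SAMPLE_LNK are constructed, not evidence data.
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HDR_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader: 76 bytes, little-endian
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x1, 0x2, 0x80
# StringData sections in on-disk order, with the LinkFlags bit that enables each
STRING_DATA = ((0x4, "name"), (0x8, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means unset."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    hdr = struct.unpack_from(HDR_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = hdr[2]
    info = {"flags": flags, "file_size": hdr[7],
            "created": filetime_to_datetime(hdr[4]),
            "modified": filetime_to_datetime(hdr[6])}
    pos = 0x4C
    if flags & HAS_IDLIST:  # skip the ItemIDList; LinkInfo carries the plain path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _, li_flags, vol_off, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath present
            info["drive_type"], info["drive_serial"] = struct.unpack_from("<II", li, vol_off + 4)
            info["target"] = _cstr(li, base_off) + _cstr(li, suffix_off)
        pos += li_size
    for bit, key in STRING_DATA:  # CountCharacters (2 bytes) then the string, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return info


def build_lnk(target, working_dir, modified, drive_serial=0x1234ABCD):
    """Assemble a minimal .lnk (header, LinkInfo, StringData) for exercising the parser."""
    flags = HAS_LINKINFO | 0x8 | 0x10 | IS_UNICODE  # HasRelativePath | HasWorkingDir
    ft = datetime_to_filetime(modified)
    header = struct.pack(HDR_FMT, 0x4C, LNK_CLSID, flags, 0x20, ft, ft, ft,
                         4096, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    volume = struct.pack("<IIII", 0x11, 3, drive_serial, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target.encode("cp1252") + b"\x00"
    vol_off = 0x1C  # LinkInfoHeaderSize when no optional unicode offsets are present
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume + base + b"\x00"
    strings = b""
    for s in (".\\" + target.rsplit("\\", 1)[-1], working_dir):
        strings += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + link_info + strings + b"\x00\x00\x00\x00"  # ExtraData TerminalBlock


# Constructed sample shortcut; the path is hypothetical, not taken from the image.
SAMPLE_LNK = build_lnk(r"C:\Users\user\Documents\dist\obiwan.exe",
                       r"C:\Users\user\Documents\dist",
                       datetime(2023, 12, 1, 9, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:13} {value}")
```

On a real image, export the .lnk with Autopsy and pass its bytes to parse_lnk. If the result has no `target`, the shortcut carries its path only in the ItemIDList, which this parser deliberately skips; the volume serial it does return is useful for confirming that the shortcut was created on the imaged drive rather than copied in.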
While looking through My Documents, I came across the dist folder, which held two executables, obiwan.exe and obiwan2.exe. I extracted both to analyze their behaviour.
I also checked Program Files for suspicious software installed on the system and found two unusual entries, VMware and VeraCrypt. Neither ships with the operating system; both must have been installed explicitly by a user.
The packet capture taken while running obiwan.exe was similar to Assignment 6: obiwan.exe repeatedly requested www.umd.edu/help-me-obiwan-kenobi and www.umd.edu/youre-my-only-hope. Those pages do not exist, and the server answered with 301 Moved Permanently. (A 301 is a redirect rather than a not-found error, which would be a 404; what matters for the investigation is that the requested paths, which are the malware's messages, are visible in the plaintext HTTP requests whatever the server replies.)
The packet capture taken while running obiwan2.exe was more interesting. Three packets stood out. The first request path was this-is-not-even-my-final-form, the second was All-your-base64-are-belong-to-us, and the third, cjJkMiBpcyB0aGUga2V5, was odd but intriguing, as it looked like a password or encoded content.
Since the second path named base64, I ran the third string through an online base64 decoder, and it worked: it decoded to "r2d2 is the key". (With real evidence, decode locally, for example with base64 -d, rather than pasting it into a third-party web site.)
It took me some time to work out what the r2d2 key was for. I remembered VeraCrypt among the installed programs, so the key could be the password for some encrypted content, possibly the contents of the M drive where many Death Star files had been found. To resolve this, I looked through Autopsy's Encryption Suspected list (files flagged because their contents are high-entropy with no recognizable header) and found a few candidates. Among them, not-the-droids-youre-looking-for.mp3 stood out: an audio file is an odd thing to encrypt.
I wondered whether VeraCrypt could open the .mp3 file, so I installed VeraCrypt on the analysis machine and mounted the file as drive A with r2d2 as the password. The mount succeeded, which shows the file is not an encrypted MP3 at all but a VeraCrypt volume given a misleading extension (a VeraCrypt container has no signature and looks like random data throughout, which is exactly why Autopsy flagged it).
Opening drive A showed that it did indeed contain interesting files.
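A way to reproduce the reasoning behind Autopsy's "Encryption Suspected" flag, and to tell a VeraCrypt container with a cover extension from a genuine MP3, added here as an example (it is not from the report and not Autopsy's own code): it measures byte entropy, checks whether the file starts with the header its extension promises, and applies the heuristic that a VeraCrypt volume has no signature and occupies a whole number of 512-byte sectors. The three inputs are constructed in memory; the file names, the 7.9 threshold and the sample sizes are assumptions made for the illustration.

```python
# Triage for a file that Autopsy lists under "Encryption Suspected": byte
# entropy, header-vs-extension check, and the sector-aligned VeraCrypt heuristic.
# Added example; all three inputs are constructed, not files from the image.
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_mp3(data):
    """ID3v2 tag or an MPEG audio frame sync (11 set bits) at offset 0."""
    return data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0)


MAGIC_CHECKS = {
    "mp3": looks_like_mp3,
    "png": lambda d: d[:8] == b"\x89PNG\r\n\x1a\n",
    "exe": lambda d: d[:2] == b"MZ",
}


def assess(data, filename, threshold=7.9):
    """Return the measurements plus a verdict on whether this is a disguised container."""
    ext = filename.rsplit(".", 1)[-1].lower()
    magic_ok = MAGIC_CHECKS.get(ext, lambda d: False)(data)
    ent = shannon_entropy(data)
    sector_aligned = len(data) % 512 == 0
    # Random-looking from the first byte, no header for the claimed type, whole
    # sectors: consistent with a VeraCrypt/TrueCrypt volume behind a cover extension.
    return {
        "file": filename,
        "entropy": round(ent, 3),
        "magic_matches_ext": magic_ok,
        "sector_aligned": sector_aligned,
        "suspect_container": ent >= threshold and not magic_ok and sector_aligned,
    }


def _pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples. A real MP3 is also high-entropy (compressed audio), so the
# header check, not entropy alone, is what separates it from a container.
FAKE_MP3_CONTAINER = _pseudo_random(64 * 1024)                               # 128 sectors, no header
REAL_MP3_LIKE = b"ID3\x03\x00\x00\x00\x00\x00\x00" + _pseudo_random(40_000)   # ID3v2.3 tag then data
PLAIN_TEXT = b"Congratulations on getting this far.\n" * 300

if __name__ == "__main__":
    for name, blob in (("not-the-droids-youre-looking-for.mp3", FAKE_MP3_CONTAINER),
                       ("genuine.mp3", REAL_MP3_LIKE), ("README.txt", PLAIN_TEXT)):
        print(assess(blob, name))
```

The verdict is a triage signal, not proof: the confirmation is that VeraCrypt mounts the file with the recovered password. Run the same check over everything Autopsy flagged, since a container hidden behind a .jpg or .pdf extension is caught the same way.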
The Death Star Plans folder held only images, which did not look suspicious.
ENPM687-Read-This pointed to the final part of the investigation. By then I was confident that final-form.exe was the malware I was looking for. To check the messages sent by final-form.exe, I ran it with Wireshark capturing.
The capture showed two URLs of interest: http://www.umd.edu/We-will-defeat-Darth-Vader and http://www.umd.edu/We-have-the-blue-prints-to-the-Death-Star. As before, the server answered 301 Moved Permanently; the pages do not exist, and the messages are carried in the request paths themselves.
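The three captures above (obiwan.exe, obiwan2.exe and final-form.exe) all carry the malware's messages in the HTTP request path, so one script can pull them out of a capture and decode any path segment that is base64, as the report did by hand for cjJkMiBpcyB0aGUga2V5. The following is an added example, not part of the report. Its request lines are constructed to mirror host/URI field output such as `tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.request.uri`; the favicon line is added as noise, and the minimum token length is an arbitrary choice.

```python
# Extracts the request paths a sample sends to its host and decodes any path
# segment that is base64 for readable text. Added example, not part of the
# original report. SAMPLE_REQUESTS is constructed to mirror "host<TAB>uri" lines
# such as tshark -r capture.pcap -Y http.request -T fields -e http.host -e http.request.uri
import base64
import binascii
import re
from urllib.parse import unquote

SAMPLE_REQUESTS = """\
www.umd.edu\t/help-me-obiwan-kenobi
www.umd.edu\t/youre-my-only-hope
www.umd.edu\t/this-is-not-even-my-final-form
www.umd.edu\t/All-your-base64-are-belong-to-us
www.umd.edu\t/cjJkMiBpcyB0aGUga2V5
www.umd.edu\t/We-will-defeat-Darth-Vader
www.umd.edu\t/We-have-the-blue-prints-to-the-Death-Star
www.umd.edu\t/favicon.ico
"""

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(token, min_len=8):
    """Decoded text if token is base64 for printable ASCII, otherwise None."""
    token = token.strip()
    # A length of 1 mod 4 can never be valid base64, padded or not.
    if len(token) < min_len or len(token) % 4 == 1 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except binascii.Error:
        return None
    raw = raw.rstrip(b"\r\n")
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None  # decodes, but not to readable text: treat as a false hit
    return raw.decode("ascii")


def parse_requests(text):
    """Yield (host, path) from host<TAB>uri lines, skipping blanks and '#' comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, _, uri = line.partition("\t")
        yield host.strip(), unquote(uri.strip())


def beacon_messages(text, ignore=("favicon.ico",)):
    """Every path sent to the host, plus a decoded form when a segment is base64."""
    findings = []
    for host, path in parse_requests(text):
        segments = [s for s in path.split("/") if s]
        if not segments or segments[-1] in ignore:
            continue
        decoded = next((d for d in map(decode_if_base64, segments) if d), None)
        findings.append({"host": host, "path": path, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in beacon_messages(SAMPLE_REQUESTS):
        note = f"  -> {f['decoded']!r}" if f["decoded"] else ""
        print(f"{f['host']}{f['path']}{note}")
```

Decoding happens locally rather than through a web service, which is the safer habit with evidence, and a token counts as a message only if it decodes to printable ASCII, so ordinary alphanumeric path names are not reported as hits.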
The final version of the malware: final-form.exe

Messages contained in the final malware:
We-will-defeat-Darth-Vader
We-have-the-blue-prints-to-the-Death-Star

Other interesting observations: beyond the findings above, several other artifacts were worth noting.

winerror.py – Named to look like a Python source file, but it is actually an image, part of the Death Star plans; the content, not the extension, identifies it.

places.sqlite – Firefox's history and bookmarks database. Its entries indicate that the pictures in the Death Star Plans folder were searched for and downloaded onto the machine by the attacker.
README.txt – An interesting find: it sat in the Python folder and read, "Congratulations on getting this far."

Challenges faced: The first challenge was like finding a needle in a haystack. There was a huge number of files to go through, but the earlier homework assignments helped me prioritize folders such as Recent Documents and Program Files. Files like obiwan, obiwan2 and VeraCrypt recovered from these folders gave the investigation a good start and a direction. The other challenge was using VeraCrypt. Although I knew how the software worked, running it on my host was a real task. From the manual I understood that I had to select the file and mount it as a local drive, but finding the key was quite a struggle. Also, having worked with the executables in previous assignments, I had a rough idea of what obiwan.exe did and was sure it would lead somewhere important. In the end, however, it was obiwan2.exe that yielded the encryption key that moved the investigation forward.
4. Recommendations and next steps for counsel to continue or cease investigation based on the findings in the report

Below are the recommendations that I believe would help in resolving this issue:

1. Firewall rules to block unauthorized requests
Block the outbound requests made by obiwan.exe, obiwan2.exe and final-form.exe (the not-the-droids-youre-looking-for.mp3 container makes no network requests of its own), and ensure that any messages they transmit over the network are captured for the record.

2. Installation of a reliable anti-virus solution on the system
Run system scans periodically to check for malicious files; quarantine and remove anything suspicious promptly. To provide a safe working environment, scan all the other machines on the network as well, not only the infected one.

3. Limit installation privileges to administrators only
Programs such as VeraCrypt, obiwan.exe, obiwan2.exe and final-form.exe only end up on the system when a user explicitly downloads or installs them. Restrict installation rights to administrators, who are better placed to judge what is safe for the system.

4. Ensure regular system updates
Keep the operating system, browsers and important applications updated regularly so that known vulnerabilities are patched.