Case Study: Forensic Analysis of Security Incident


Statement

The company Invent SL, which has offices in Australia, Italy and Spain, has suffered a security incident at each of them.


Headquarters in Australia

At the Australian headquarters, a leak of sensitive information belonging to several employees (email addresses and passwords) has been detected. The affected employees report that in recent days they received a suspicious email campaign carrying HTML attachments that imitated the Office 365 portal. The company does not use two-factor authentication (2FA), so an attacker holding these credentials could access corporate mail and any other Microsoft-hosted application exposed on the Internet. Because the company has more than 10,000 employees, resetting and blocking every account is not possible for business-continuity reasons, so only the affected accounts must be identified.


Headquarters in Italy

In Italy, unauthorized access to one of the accounting servers has been detected during a periodic review by the IT team. In this case the team plans to hire an external provider to handle the incident.


Headquarters in Spain

Finally, at the Spanish headquarters (Madrid), an attack on one of the servers of its textile factory has been detected. All files on the server have been encrypted and given the extension ".NM4". These machines were patched against MS17-010.


Since we are part of the company's incident response team, our mission is to find out what happened in each of these situations.

To this end, the IT team has provided us with the following evidence:

  • Australia: web proxy traffic logs for the date range in which the incident occurred.
  • Italy: none, since the incident will be handled by an external provider.
  • Spain: the state of the open ports on the system and part of the ransom note.

Tasks

Before analyzing the evidence:

  • What type of threat has impacted the Australian headquarters? (0.5 p)
  • What type of threat has impacted the Madrid (Spain) headquarters? (0.25 p)
  • What risk does an organisation face when an information leak such as the one described in the Australian incident occurs? (0.75 p)


About the incident in Italy:

  • Should the machine be disconnected from the network for analysis? (0.2 p)
  • Which hardware component of the server should be cloned/dumped before the machine is powered off? (0.1 p)
  • Which well-known command would be used to clone the hard disk? Give an example invocation. (0.2 p)
  • What should be computed after cloning the disk in order to verify its integrity? (0.1 p)
  • Briefly describe the chain of custody to be followed when the evidence is handed over to the external provider (max. 15 lines). (0.4 p)
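The three technical items above (clone before power-off, the cloning command, the integrity value) are one procedure. The following script is an added worked example, not part of the assignment or of the posted answer: it images a device with dd, records a SHA-256 digest next to the image so the external provider can re-verify it on receipt, and returns success only when source and image hash identically. It assumes GNU coreutils on Linux and a source device attached through a write blocker and not mounted; the demo function uses a throwaway file as a stand-in for /dev/sdb so it runs without root.

```shell
#!/bin/sh
# Added example: forensic disk imaging with dd plus an integrity check.
# Assumes GNU coreutils (dd, sha256sum) on Linux and that the source device is
# attached through a write blocker and is not mounted. "demo" uses a throwaway
# file as a stand-in for /dev/sdb so the script runs without root.

# image_disk SRC DST
# Copies SRC byte-for-byte to DST. conv=noerror keeps dd going past unreadable
# sectors and conv=sync pads each short read with zeros so later offsets stay
# aligned with the original disk. bs=512 (one sector) matters here: sync pads
# every *input block* to bs, so a large bs would also pad the final partial
# block and the image hash would no longer match the device hash.
# Writes DST.sha256 beside the image and returns 0 only if the digests match.
image_disk() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync || return 1
    sync
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source %s  %s\nimage  %s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst"
    # The digest travels with the image: the receiving party recomputes and
    # compares it, and the value is written on the chain-of-custody form.
    printf '%s  %s\n' "$dst_hash" "$(basename "$dst")" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image IMG: what the external provider runs when the image arrives.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" )
}

# demo: constructed 256 KiB "disk" of random bytes standing in for /dev/sdb.
# Prints both digests and returns 0 when the image verifies.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/sdb" bs=512 count=512 2>/dev/null
    if image_disk "$tmp/sdb" "$tmp/evidence.dd" && verify_image "$tmp/evidence.dd"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh image.sh --demo` to see the two digests and the `OK` from the receiving-side check. On a real engagement the first argument to image_disk is the device node (for example /dev/sdb), the digest of the device is taken before the machine is powered off, and both hash values are entered on the custody form that accompanies the image.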


Analyze the evidence provided for the Australian headquarters:

  • Write a script that parses the traffic log provided and prints the final result on the command line. (2 p)
  • Which users' email addresses have been affected? A manual analysis is acceptable if the previous item could not be completed. (1.5 p)
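An added worked example for the two items above (not the assignment's script or the posted answer): a proxy-log parser that lists the users who submitted credentials to an Office 365 look-alike page. The real capture is not on this page, so the log layout is an assumption (one request per line: epoch time, client IP, user, method, URL, status, content type), the log lines are constructed, and the host names are placeholders. The selection rule is the one a practitioner applies to this kind of campaign: a POST to a sign-in path on a host that is not a genuine Microsoft login domain means a password was typed into the fake form; a GET alone means the page was only viewed.

```shell
#!/bin/sh
# Added example: parse a web-proxy log and list the users who posted their
# credentials to an Office 365 look-alike page. The assignment's real capture
# is not on this page, so the log format below is an assumption: one request
# per line, space separated:
#   epoch_time  client_ip  user  method  url  status  content_type

# sample_log: constructed lines standing in for the evidence file.
sample_log() {
cat <<'EOF'
1622547301.123 10.1.5.22 alice@invent.sl GET https://login.microsoftonline.com/common/oauth2/authorize 200 text/html
1622547360.512 10.1.5.22 alice@invent.sl POST https://office365-login-verify.example/owa/auth.php 302 text/html
1622547410.004 10.1.5.40 bob@invent.sl GET https://outlook.office.com/mail/ 200 text/html
1622547488.777 10.1.5.51 carol@invent.sl POST https://office365-login-verify.example/owa/auth.php 302 text/html
1622547500.100 10.1.5.22 alice@invent.sl POST https://office365-login-verify.example/owa/auth.php 302 text/html
1622547600.300 10.1.5.60 dave@invent.sl POST https://login.microsoftonline.com/common/login 302 text/html
1622547650.900 10.1.5.71 erin@invent.sl GET https://office365-login-verify.example/owa/index.html 200 text/html
EOF
}

# credential_posts [LOG...]: print "user<TAB>host" for every POST whose path
# looks like a sign-in form and whose host is NOT a genuine Microsoft sign-in
# domain. A GET alone (erin) means the page was viewed, not that a password
# was entered; a POST to the real login.microsoftonline.com (dave) is normal.
credential_posts() {
    awk '
    $4 == "POST" {
        u = $5
        sub(/^[a-z]+:\/\//, "", u)              # strip the scheme
        split(u, parts, "/")                    # parts[1] = host[:port]
        host = parts[1]
        sub(/:[0-9]+$/, "", host)
        if (host ~ /(^|\.)(microsoftonline\.com|microsoft\.com|office\.com|live\.com|windows\.net)$/)
            next                                # genuine Microsoft endpoint
        if (tolower(u) ~ /(login|signin|auth|owa|office|365)/)
            print $3 "\t" host
    }' "$@"
}

# affected_users [LOG...]: distinct users whose passwords must be reset.
affected_users() {
    credential_posts "$@" | cut -f1 | sort -u
}

# phishing_hosts [LOG...]: the credential-harvesting hosts by hit count, for
# the proxy block list and the takedown request.
phishing_hosts() {
    credential_posts "$@" | cut -f2 | sort | uniq -c | sort -rn
}

if [ $# -gt 0 ]; then
    echo "Affected users:";  affected_users "$@"
    echo "Phishing hosts:";  phishing_hosts "$@"
else
    echo "Affected users (sample):";  sample_log | affected_users
    echo "Phishing hosts (sample):";  sample_log | phishing_hosts
fi
```

On the constructed sample the script reports alice and carol; bob never touched the fake page, dave signed in at the real Microsoft endpoint, and erin opened the page but never submitted the form. With the real capture, run `sh parse_proxy.sh proxy.log` after adjusting the field positions to the exporter's layout; the output is exactly the list of accounts that need a forced password reset, which is the business-continuity constraint stated in the case.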


Analyze the evidence provided for the Madrid (Spain) headquarters:

  • How does this type of threat work? (max. 5 lines) (1 p)
  • Could the data be recovered today? (0.25 p)
  • What entry vector did this threat use? (Use the evidence file spain.jpg.) (0.75 p)
  • Propose countermeasures for the Australian headquarters so that this type of incident does not recur. (1 p)
  • Propose countermeasures for the Madrid headquarters so that this type of incident does not recur. (1 p)

Notes:

  • Do not over-complicate it (it is simpler than you think).
  • Not everything is in the course material; some concepts must be looked up in other sources (as any analyst would do).
  • The URLs contained in the ransom note from Spain (spain_recover_files_message.png) are not relevant, and it is not advisable to visit them, since doing so puts the student's machine at risk.

Attachment preview

Ransom note (spain_recover_files_message.png):

Encrypted files!
All your files are encrypted. Using AES256-bit encryption and RSA-2048-bit encryption. Making it impossible to recover files without the correct private key. If you are interested in getting the key and recover your files You should proceed with the following steps.
The only way to decrypt your files safely is to buy the Decrypt and Private Key software. Any attempts to restore your files with the third-party software will be fatal for your files!
To proceed with the purchase you must access one of the links below:
  • https://3fprihycwetwk2m7.onion.to/
  • https://3fprihycwetwk2m7.onion.link/
If neither of the links is online for a long period of time, there is another way to open it, you should install the Tor Browser. If your personal page is not available for a long period there is another way to open your personal page - installation and use of Tor Browser:
  1. run your Internet browser (if you do not know what it is run the Internet Explorer);
  2. enter or copy the address https://www.torproject.org/download/download-easy.html.en into the address bar of your browser and press ENTER;
  3. Wait for the site loading;
  4. on the site you will be offered to download Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;
  5. run Tor Browser;
  6. connect with the button 'Connect' (if you use the English version);
  7. a normal Internet browser window will be opened after the initialization;
  8. type or copy the address https://3fprihycwetwk2m7.onion in this browser address bar;

Open ports on the server (spain.jpg), netstat output:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP    172.16.103.2:139       0.0.0.0:0              LISTENING
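The port listing is the evidence the entry-vector question points at. The script below is an added triage example (not part of the assignment or the posted answer): it reads the Windows `netstat -an` layout, keeps only LISTENING sockets bound to something other than loopback, and names the ones that are remote-access or file-sharing services. The port-to-service names are the standard assignments; the sample input is the listing above re-typed as constructed data. It also carries the caveat from the case: 445/tcp is the MS17-010 (EternalBlue) target only when the host is unpatched, and this host is patched, so the interactive remote-access port is the one to look at first. Drawing the conclusion is the student's job; the script only shows what is reachable.

```shell
#!/bin/sh
# Added example: triage a Windows "netstat -an" listing (spain.jpg) and flag
# the listening services that matter for a ransomware entry-vector question.
# Port-to-service names are the standard assignments; which one the attacker
# used is the analyst's conclusion, not the script's.

# sample_netstat: the attachment's listing, re-typed as constructed input.
sample_netstat() {
cat <<'EOF'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
  TCP    172.16.103.2:139       0.0.0.0:0              LISTENING
EOF
}

# exposed_services [FILE]: print "port<TAB>service<TAB>local_address<TAB>why"
# for every LISTENING TCP socket on a known remote-access or file-sharing
# port that is bound to something other than loopback, sorted by port.
# Ephemeral RPC ports (49152+) and WSD (5357) are deliberately not listed.
exposed_services() {
    awk '
    BEGIN {
        svc[135]  = "MS-RPC endpoint mapper"; why[135]  = "DCOM/WMI remote execution, lateral movement"
        svc[139]  = "NetBIOS session (SMB)";  why[139]  = "file shares, lateral movement"
        svc[445]  = "SMB";                    why[445]  = "file shares; MS17-010 (EternalBlue) target only if unpatched"
        svc[3389] = "RDP (Remote Desktop)";   why[3389] = "interactive logon from the network; password guessing / stolen credentials"
        svc[5900] = "VNC";                    why[5900] = "interactive remote control"
        svc[5985] = "WinRM (HTTP)";           why[5985] = "remote PowerShell"
    }
    $1 ~ /^(TCP|tcp)$/ && $4 == "LISTENING" {
        addr = $2; port = $2
        sub(/:[0-9]+$/, "", addr)            # "0.0.0.0:3389" -> "0.0.0.0"
        sub(/.*:/, "", port)                 # "0.0.0.0:3389" -> "3389"
        if (addr ~ /^127\./) next            # loopback only: not reachable
        if (port in svc) print port "\t" svc[port] "\t" addr "\t" why[port]
    }' "$@" | sort -n
}

if [ $# -gt 0 ]; then exposed_services "$@"; else sample_netstat | exposed_services; fi
```

On the listing from the case the script prints four lines: 135, 139 (bound to the factory LAN address 172.16.103.2), 445 and 3389, the last three bound to 0.0.0.0, meaning every interface. Feed a live `netstat -an` export to it with `sh netstat_triage.sh netstat.txt`; a port that should not appear here at all on a production file server (in particular an interactive remote-desktop service reachable from outside the factory network) is where the countermeasures question starts.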

Explanation & Answer

Attached.

Running head: FORENSIC ANALYSIS


Forensic Analysis
Student’s Name
Institutional Affiliation
Course
Date

Forensic Analysis of Security Incident
Introduction

The number of devices connected to the internet has steadily increased over recent years, and hence the number of security breaches has increased too. The issue of security breaches has become a hot and disturbing topic. It is essential for companies to know how they should respond to and deal with the consequences of a cyber security breach. All firms should have a complete incident response plan, which entails an incident detection and response plan together, since we are living in a disruptive digital era. Therefore, having an effective security plan leads to an effective response to malicious attacks. After the incident, computer forensics comes in to help in the investigation and analysis of the security breaches (Teymourlouei, 2016). The main aim of computer forensics is to conduct a structured investigation while at the same time maintaining files of evidence to help find out exactly what happened and who was responsible. For our case, Invent SL experienced a security incident in three of its offices, which are Australia, Spain, and Italy. As an incident response team, we have been provided with evidence by the company's IT team concerning the various attacks which were conducted. Concerning the attack in Australia, we have been provided with navigation proxy logs, which we will use to conduct the forensic analysis; they also provided us with evidence from the Italy attack and that of Spain. We will use various techniques and proprietary forensic applications to examine the evidence provided. Below is an overview of the various threats which impacted the various headquarters.
The type of threat which impacted the Australian headquarters

The threat which the Australian headquarters is facing is the data leakage threat, since there has been a leakage of the company's sensitive information. The leakage of the employees' sensitive information will lead to a significant reputational downfall of the company and its financial gains. The loss or leakage of sensitive data can even impact the company's long-term stability. The data loss will even cost the company millions of dollars. The threat of data leakage which faced the company is due to a malicious email which the employees received. The leakage of this essential information may be due to both internal and external data breaches, either intentionally through the stealing of sensitive information by intruders, sabotage by inside attackers, or through accidental disclosure of the sensitive information, which facilitated the leakage of the employees' email addresses and resulted in them receiving the email. It is a challenge for big companies like Invent SL to protect against data leakage in this time of big data. Data has become one of the essential components for any business; hence managing and analyzing the large amount of information owned by these companies gives them a business advantage in terms of competition. The advantages include business intelligence and personalized business product delivery. The increase in the need to analyze the available data also increases the chance of data leakage or breach happening within the company, due to incidences of cloud file sharing, web pages, the use of removable storage devices and vulnerabilities in the company's database system (Teymourlouei, 2016).


There is a big challenge of detecting the cause of the leakage because it may have been
caused by use...

