Digital Forensics Report 2024

Questions and Answers

What is digital identity theft primarily concerned with?

• Sending spam messages to multiple users.
• Exploiting physical identification documents.
• Manipulating personal or corporate identity data. (correct)
• Accessing email accounts for promotional purposes.

How was the identity theft incident first discovered by the corporation?

• An employee reported phishing emails.
• A security software alert was triggered.
• The accounting department noticed suspicious transactions. (correct)
• A routine security audit revealed discrepancies.

What action did the financial manager take that led to the theft of their credentials?

• They installed unverified software.
• They shared their credentials with colleagues.
• They clicked on a fraudulent email link. (correct)
• They used public Wi-Fi for sensitive transactions.

What type of link did the fraudulent email contain?

A fraudulent link mimicking the bank's website. (B)

Which party was responsible for identifying the perpetrator of the identity theft?

A digital crime investigation team. (A)

What is one preventive measure suggested to avoid issues like identity theft?

Creating regular backups of data. (B)

What was the role of the financial manager in the identity theft case?

The initial target of the attack. (B)

Which of the following best describes the criminal act committed through identity theft?

Committing fraud with stolen identity data. (C)

What tool is primarily used for creating exact copies of affected devices during the collection of digital evidence?

FTK Imager (B)

Which tool helps investigators analyze network traffic to find abnormal activities?

Wireshark (A)

What does log analysis help investigators identify in a forensic investigation?

Unusual patterns of activity (C)

What is the role of EnCase in forensic investigation?

Recover deleted data (B)

Which process allows investigators to pinpoint the geographic location of the attacker?

Traceroute (A)

What technique was identified as the method of the attack in this investigation?

Phishing techniques (A)

What is a primary recommendation for preventing similar attacks in the future?

Train employees to recognize phishing emails (A)

In this forensic investigation, which step comes after analyzing data traffic?

Recovery of deleted data (B)

What is the primary purpose of using Wireshark in an investigation?

To analyze network traffic and identify sources of attacks (C)

Which tool is specifically used for creating exact copies of infected devices during an investigation?

FTK Imager (D)

How do investigators ensure that the digital evidence remains unaltered during an investigation?

By disconnecting compromised devices from the network (D)

What role does Traceroute play in an investigation?

It traces the path of data to locate the potential source of the attacker (B)

Which of the following tools helps analyze system and server logs during an investigation?

Splunk (A)

What is one of the first steps taken by investigators when handling digital evidence?

Disconnecting compromised devices from the network (D)

What aspect of a phishing attack is Credential Harvesting primarily concerned with?

Collecting entered credentials for unauthorized access (C)

Which of the following describes one of the methods an attacker might use to cover their tracks?

Masking their IP address using secure channels (D)

Flashcards

Digital Evidence Collection

Collecting data from devices (computers, servers) to create exact copies to preserve original data.

Network Traffic Analysis

Examining network data flows to find suspicious connections or unusual activity (like file downloads).

Log Analysis

Analyzing system and server logs to identify unusual events (repeated login attempts, suspicious activities).

Deleted Data Recovery

Restoring deleted data using tools like EnCase to search for file changes and tampering.

Attack Source Tracing

Identifying the source of an attack by tracking the data's path (geographic location, IP addresses).

Attack Method Identification

Determining the method used in the attack(e.g., phishing, malware).

Forensic Analysis Tools

Software tools used for digital investigations, including FTK Imager, Wireshark, Splunk, and EnCase.

Security Awareness Training

Training employees to recognize phishing emails and suspicious messages for heightened security.

Phishing Attack

A fraudulent attempt to obtain sensitive information, such as usernames, passwords, and credit card details, by disguising as a trustworthy entity in an electronic communication.

Fake Page Creation

A malicious technique where attackers create a fraudulent webpage mimicking a legitimate website to deceive users into entering their login credentials.

Credential Harvesting

The process of collecting usernames and passwords from victims to gain unauthorized access to their accounts.

Financial Transfers (in crime)

Using stolen credentials to transfer funds from a victim's account to an attacker's account.

Evidence Securing

The initial step in an investigation, where compromised devices are disconnected from the network to prevent further tampering or data loss.

Data Recovery (Deleted Files)

Using forensic tools like EnCase to recover deleted data and investigate suspicious activities.

Digital Identity Theft

Using someone else's personal or corporate information (like IDs, passwords, bank details) for illegal activities like fraud.

Suspicious Financial Transactions

Unexpected or unauthorized money transfers.

Phishing Email

An email that appears to be from a legitimate organization (like a bank) but is actually a scam.

Fraudulent Link

A link in an email or other communication that leads to a fake website designed to steal information.

Digital Evidence

Information collected from digital sources about an incident, helping determine how it occurred and who was involved.

Digital Forensic Investigation

Investigating digital crimes or incidents to gather evidence, identify the cause, and determine responsibility.

Financial Manager Account Compromise

Unauthorized access to a financial manager's account.

Workplace Computer Issues

Technical problems affecting computer use at the workplace.

Study Notes

Report on Digital Forensics

• Report prepared by Sarah al-qtabibi and Munira wael
• Date of report: 1446 H-2024
• University: Shaqra University

Introduction

• Report addresses technical issues employees face in the workplace
• Issues can impact performance, data loss, and information security
• Practical solutions are explained along with preventive steps
• Includes gathering digital evidence to identify the responsible party

Problem 1: Digital Identity Theft

• Digital identity theft is a serious cybercrime targeting individuals and organizations
• Exploits personal or corporate data (e.g., IDs, passwords, bank info) for fraudulent purposes
• Case study details how a financial manager's account was compromised using a fraudulent bank email
• Attacker mimicked a technical support email to steal credentials & company funds
• Accounting department discovered & reported unusual transactions
• Investigation followed by a digital crime investigation team

Steps Taken by Attacker (Overview)

• Phishing attack: Sent fraudulent email to update bank account details
• Creating a fake page: Mimicked bank website to collect credentials
• Credential harvesting: Collected email and passwords
• Executing financial transfers: Accessed the victim's bank account and transferred funds
• Covering tracks: Used secure channels to mask IP address

Tools Used in the Investigation

• Wireshark: Analyzed network traffic to pinpoint attack sources and methods
• FTK Imager: Created exact copies of infected devices, preserving evidence
• Splunk: Analyzed system and server logs to trace unusual activities indicating a breach
• EnCase: Recovered and analyzed deleted files and suspicious activities on compromised devices

How Investigators Handled the Evidence

• Securing the evidence: Disconnected compromised devices to prevent tampering or loss
• Analyzing collected data: Used Wireshark to analyze network traffic; Server logs examined using Splunk
• Recovering deleted data: Recovered deleted data using EnCase, examining suspicious activities
• Tracing the source: Traced attack source using Traceroute, pinpointing the attacker's location and details
• Verifying evidence: Verified evidence in an isolated environment using Forensic tools to maintain integrity and credibility

Detailed Analysis Steps and Reaching the Results

• Collection of digital evidence: Collected and copied data from affected devices using FTK Imager. Examined network traffic using Wireshark.
• Analysis of data traffic: Identified any abnormal or suspicious activity or patterns using Wireshark
• Log analysis: Examined system and server logs using Splunk to identify unusual patterns & attack methods
• Recovery of deleted data: Recovered deleted data and found evidence using EnCase

Tracing the Attack Source

• Traceroute: Used to identify the path of the data, pinpointing the attack source's geographical location
• Additional Investigation steps taken.

Analysis of Results

• Consolidation of evidence: Consolidated gathered evidence linking the attack to the attacker, including techniques and phishing methods
• Confirmed data was stolen through a fake webpage
• External accounts were confirmed to have received funds transferred from stolen data

Results

• Attack method (phishing) and techniques identified using data tracing and analysis
• Funds transferred to unknown addresses
• All necessary evidence documented for legal actions

Recommendations

• Enhance Security Awareness: Train employees to recognize phishing, suspicious messages, attack methods, and ways to prevent them
• Use Advanced Antivirus Systems: Utilize advanced antivirus programs with behavior analysis & real-time malware detection to prevent attacks
• Implement Two-Factor Authentication: Implement two-factor authentication for all user accounts (especially high-level) to reduce password-targeted attacks
• Continuous Monitoring: Monitor data traffic with tools like Wireshark or Splunk, identifying suspicious activity as soon as it occurs

Conclusion

• Essential to enhance and strengthen cybersecurity measures to protect data and information
• Digital investigations identify cybercriminals and improve institutional responses to such crimes
• Recommendations outlined help mitigate risks and secure future attacks

Problem 2: Black Screen Issue

• Windows Explorer service malfunction causes black screen, disappearing desktop icons, and taskbar
• Disrupts productivity as employees can't access files or applications
• Issue identified through restarting the Windows Explorer service.

Steps Followed to Resolve the Black Screen

• Opened Task Manager: Used Ctrl + Shift + Esc shortcut to open Task Manager
• Manually restarted Windows Explorer: Opened Task Manager, selected "File," chose "Run new task", typed "explorer.exe", and clicked "OK"
• Verified functionality: Ensured all system components were accessible and functioning correctly after restarting Explorer service

Results of Black Screen Issue

• Analyzed problems with graphics card or hardware damage
• Issues related to outdated drivers or conflicts with recent updates also identified
• Resolved by restarting or updating

Recommendations for Black Screen Issue

• Ensure Regular System Updates: Regularly update the OS and all drivers
• Device Maintenance: Regularly check and maintain all hardware components (graphics card, RAM, cables, connections)
• Performance Monitoring Software: Using monitoring software to detect potential issues early on
• Back up data: Create regular backups to prevent data loss due to system failure or unforeseen issues

Description

This report examines the technical challenges faced by employees in relation to digital forensics, especially focusing on issues like digital identity theft. It details a case study of a compromised financial manager's account and offers practical solutions and preventive steps to ensure information security. The report is a collaborative effort by Sarah al-qtabibi and Munira wael from Shaqra University.