Digital Forensics Report 2024

Questions and Answers

What is digital identity theft primarily concerned with?

Sending spam messages to multiple users.

Exploiting physical identification documents.

Manipulating personal or corporate identity data. (correct)

Accessing email accounts for promotional purposes.

How was the identity theft incident first discovered by the corporation?

An employee reported phishing emails.

A security software alert was triggered.

The accounting department noticed suspicious transactions. (correct)

A routine security audit revealed discrepancies.

What action did the financial manager take that led to the theft of their credentials?

They installed unverified software.

They shared their credentials with colleagues.

They clicked on a fraudulent email link. (correct)

They used public Wi-Fi for sensitive transactions.

What type of link did the fraudulent email contain?

A fraudulent link mimicking the bank's website.

Which party was responsible for identifying the perpetrator of the identity theft?

A digital crime investigation team.

What is one preventive measure suggested to avoid issues like identity theft?

Creating regular backups of data.

What was the role of the financial manager in the identity theft case?

The initial target of the attack.

Which of the following best describes the criminal act committed through identity theft?

Committing fraud with stolen identity data.

What tool is primarily used for creating exact copies of affected devices during the collection of digital evidence?

FTK Imager

Which tool helps investigators analyze network traffic to find abnormal activities?

Wireshark

What does log analysis help investigators identify in a forensic investigation?

Unusual patterns of activity

What is the role of EnCase in forensic investigation?

Recover deleted data

Which process allows investigators to pinpoint the geographic location of the attacker?

Traceroute

What technique was identified as the method of the attack in this investigation?

Phishing techniques

What is a primary recommendation for preventing similar attacks in the future?

Train employees to recognize phishing emails

In this forensic investigation, which step comes after analyzing data traffic?

Recovery of deleted data

What is the primary purpose of using Wireshark in an investigation?

To analyze network traffic and identify sources of attacks

Which tool is specifically used for creating exact copies of infected devices during an investigation?

FTK Imager

How do investigators ensure that the digital evidence remains unaltered during an investigation?

By disconnecting compromised devices from the network

What role does Traceroute play in an investigation?

It traces the path of data to locate the potential source of the attacker

Which of the following tools helps analyze system and server logs during an investigation?

Splunk

What is one of the first steps taken by investigators when handling digital evidence?

Disconnecting compromised devices from the network

What aspect of a phishing attack is Credential Harvesting primarily concerned with?

Collecting entered credentials for unauthorized access

Which of the following describes one of the methods an attacker might use to cover their tracks?

Masking their IP address using secure channels

Study Notes

Report on Digital Forensics

• Report prepared by Sarah al-qtabibi and Munira wael
• Date of report: 1446 H-2024
• University: Shaqra University

Introduction

• Report addresses technical issues employees face in the workplace
• Issues can impact performance, data loss, and information security
• Practical solutions are explained along with preventive steps
• Includes gathering digital evidence to identify the responsible party

Problem 1: Digital Identity Theft

• Digital identity theft is a serious cybercrime targeting individuals and organizations
• Exploits personal or corporate data (e.g., IDs, passwords, bank info) for fraudulent purposes
• Case study details how a financial manager's account was compromised using a fraudulent bank email
• Attacker mimicked a technical support email to steal credentials & company funds
• Accounting department discovered & reported unusual transactions
• Investigation followed by a digital crime investigation team

Steps Taken by Attacker (Overview)

• Phishing attack: Sent fraudulent email to update bank account details
• Creating a fake page: Mimicked bank website to collect credentials
• Credential harvesting: Collected email and passwords
• Executing financial transfers: Accessed the victim's bank account and transferred funds
• Covering tracks: Used secure channels to mask IP address

Tools Used in the Investigation

• Wireshark: Analyzed network traffic to pinpoint attack sources and methods
• FTK Imager: Created exact copies of infected devices, preserving evidence
• Splunk: Analyzed system and server logs to trace unusual activities indicating a breach
• EnCase: Recovered and analyzed deleted files and suspicious activities on compromised devices

How Investigators Handled the Evidence

• Securing the evidence: Disconnected compromised devices to prevent tampering or loss
• Analyzing collected data: Used Wireshark to analyze network traffic; Server logs examined using Splunk
• Recovering deleted data: Recovered deleted data using EnCase, examining suspicious activities
• Tracing the source: Traced attack source using Traceroute, pinpointing the attacker's location and details
• Verifying evidence: Verified evidence in an isolated environment using Forensic tools to maintain integrity and credibility

Detailed Analysis Steps and Reaching the Results

• Collection of digital evidence: Collected and copied data from affected devices using FTK Imager. Examined network traffic using Wireshark.
• Analysis of data traffic: Identified any abnormal or suspicious activity or patterns using Wireshark
• Log analysis: Examined system and server logs using Splunk to identify unusual patterns & attack methods
• Recovery of deleted data: Recovered deleted data and found evidence using EnCase

Tracing the Attack Source

• Traceroute: Used to identify the path of the data, pinpointing the attack source's geographical location
• Additional Investigation steps taken.

Analysis of Results

• Consolidation of evidence: Consolidated gathered evidence linking the attack to the attacker, including techniques and phishing methods
• Confirmed data was stolen through a fake webpage
• External accounts were confirmed to have received funds transferred from stolen data

Results

• Attack method (phishing) and techniques identified using data tracing and analysis
• Funds transferred to unknown addresses
• All necessary evidence documented for legal actions

Recommendations

• Enhance Security Awareness: Train employees to recognize phishing, suspicious messages, attack methods, and ways to prevent them
• Use Advanced Antivirus Systems: Utilize advanced antivirus programs with behavior analysis & real-time malware detection to prevent attacks
• Implement Two-Factor Authentication: Implement two-factor authentication for all user accounts (especially high-level) to reduce password-targeted attacks
• Continuous Monitoring: Monitor data traffic with tools like Wireshark or Splunk, identifying suspicious activity as soon as it occurs

Conclusion

• Essential to enhance and strengthen cybersecurity measures to protect data and information
• Digital investigations identify cybercriminals and improve institutional responses to such crimes
• Recommendations outlined help mitigate risks and secure future attacks

Problem 2: Black Screen Issue

• Windows Explorer service malfunction causes black screen, disappearing desktop icons, and taskbar
• Disrupts productivity as employees can't access files or applications
• Issue identified through restarting the Windows Explorer service.

Steps Followed to Resolve the Black Screen

• Opened Task Manager: Used Ctrl + Shift + Esc shortcut to open Task Manager
• Manually restarted Windows Explorer: Opened Task Manager, selected "File," chose "Run new task", typed "explorer.exe", and clicked "OK"
• Verified functionality: Ensured all system components were accessible and functioning correctly after restarting Explorer service

Results of Black Screen Issue

• Analyzed problems with graphics card or hardware damage
• Issues related to outdated drivers or conflicts with recent updates also identified
• Resolved by restarting or updating

Recommendations for Black Screen Issue

• Ensure Regular System Updates: Regularly update the OS and all drivers
• Device Maintenance: Regularly check and maintain all hardware components (graphics card, RAM, cables, connections)
• Performance Monitoring Software: Using monitoring software to detect potential issues early on
• Back up data: Create regular backups to prevent data loss due to system failure or unforeseen issues

Description

This report examines the technical challenges faced by employees in relation to digital forensics, especially focusing on issues like digital identity theft. It details a case study of a compromised financial manager's account and offers practical solutions and preventive steps to ensure information security. The report is a collaborative effort by Sarah al-qtabibi and Munira wael from Shaqra University.