Digital Forensics Report (2024)
Shaqra University, 2024
Authors: Sarah al-qtabibi and Munira wael

Summary
This digital forensics report details the methods used to investigate a cybercrime incident affecting a large corporation. The report covers the process used to document digital evidence, including investigation steps and tools used such as Wireshark, FTK Imager and EnCase. The report concludes by providing recommendations on enhancing institutions' security postures.
Digital Forensic Report
Prepared by: Sarah al-qtabibi and Munira wael
1446 H / 2024

Introduction
In this report, we address a range of technical issues that employees may encounter while using computers in the workplace. These issues can significantly affect task performance, leading to work disruptions, loss of important data, or even threats to information security. We explain the potential causes and the impact of each problem on the workflow, followed by practical, step-by-step solutions to resolve them in a clear and effective manner. We also provide preventive tips to avoid these issues in the future, such as creating regular backups and using security software. The report also focuses on gathering digital evidence about how an issue occurred, attempting to fix it, and identifying the responsible party.

Problem 1

Introduction
Digital identity theft is one of the most dangerous cybercrimes affecting both individuals and organizations. This crime involves exploiting personal or corporate identity data, such as identification numbers, passwords, or bank account information, to commit fraud or other offenses. This case highlights how the crime occurred, how it was discovered, and the steps investigators took to identify the perpetrator.

Description and How It Was Discovered
This case was reported by an employee of a large corporation after the company noticed suspicious financial transactions from its bank account to an unknown account. Upon reviewing the records, it was discovered that the attacker had gained access to the financial manager's account using their digital identity credentials, including email and password. The crime began when the financial manager received an email that appeared to be official from the bank's technical support department, requesting an update of their account information. The email contained a fraudulent link leading to a page mimicking the bank's website, where the manager entered their credentials. Once the attacker obtained this information, they used it to carry out fraudulent transactions and steal company funds. The crime was discovered when the accounting department noticed unexplained transactions and promptly reported them to management. Management reviewed the transfers and called in a digital crime investigation team.

Steps Taken by the Attacker (Brief Overview)
1. Phishing Attack: The attacker sent a fraudulent email impersonating the bank, requesting the victim to update their account details.
2. Creating a Fake Page: The attacker designed a fake page mimicking the bank's official website to deceive the victim into entering their credentials.
3. Credential Harvesting: The attacker collected the victim's entered credentials (email and password) to gain unauthorized access to their account.
4. Executing Financial Transfers: Using the stolen credentials, the attacker accessed the victim's bank account and transferred funds to an unknown account.
5. Covering Tracks: The attacker attempted to hide their identity by using secure channels and tools to mask their IP address.

Tools Used in the Investigation to Collect Evidence
1. Wireshark: Used to analyze network traffic and identify sources of attacks by monitoring packets being sent and received.
2. FTK Imager: Used to create exact copies of infected devices, ensuring the original evidence remains unchanged during the investigation.
3. Splunk: Assisted in analyzing system and server logs to trace abnormal activities that could indicate a breach.
4. EnCase: Used to recover and analyze deleted files and suspicious activities on compromised devices.
5. Traceroute: Used to trace the path of data and locate the potential source of the attacker.

How Investigators Handled the Evidence
1. Securing the Evidence: Initially, investigators secured the digital evidence by disconnecting the compromised devices from the network to prevent tampering or loss of data. Tools like FTK Imager were used to create accurate copies of the data, ensuring its integrity during the investigation.
2. Analyzing Collected Data: After securing the evidence, investigators used Wireshark to analyze network traffic and identify potential attacks. Server logs were examined using Splunk to determine the timing and method of the attack.
3. Recovering Deleted Data: Investigators used EnCase to recover deleted data from the compromised devices and analyzed suspicious activities that might indicate tampering or a breach.
4. Tracing the Source of the Attack: Investigators used Traceroute to trace the path of the data and pinpoint the geographical location of the attacker, helping them determine the origin and details of the attack.
5. Verifying Evidence in an Isolated Environment: The evidence was handled in an isolated environment to ensure no alteration of or impact on the data. Forensic analysis tools were used in secure environments to maintain the integrity of the investigation and ensure the evidence's credibility.

Detailed Analysis Steps and Reaching the Results
1. Collection of Digital Evidence: The investigation began by collecting digital evidence from the affected devices, such as computers and servers, using tools like FTK Imager to create exact copies of the devices so that the original data remained unchanged. Network logs were also collected using Wireshark to examine the packets and transmitted data.
2. Analysis of Data Traffic: Investigators analyzed data traffic using Wireshark to identify any abnormal activities or unknown patterns in the network traffic, such as suspicious connections or file downloads, which could indicate an attack or breach.
3. Log Analysis: After examining the data traffic, investigators moved on to analyze system and server logs using Splunk. They identified unusual patterns, such as repeated login attempts or suspicious activities, which helped pinpoint the timing and method of the attack.
4. Recovery of Deleted Data: Investigators used EnCase to recover deleted data or files that might have been part of the attack. This involved searching through logs and digital evidence for any file changes or hidden tampering that could have been done with malicious software.
5. Tracing the Attack Source: Using Traceroute, investigators traced the path of the data to identify the source of the attack. This process allowed them to pinpoint the geographic location of the attacker and analyze the IP addresses used to carry out the attack.
6. Analysis of Results: After completing all the analyses, investigators consolidated the matching evidence to link the attack to the potential attacker. It was determined that the attack was carried out through phishing techniques, where account data was collected through a fake webpage. It was also confirmed that the funds were transferred to external accounts using the stolen data.

Results
The attack method (phishing) and the techniques used by the attacker were identified.
The attacker was identified using data tracing and log analysis.
The victim's funds were confirmed to have been transferred to unknown external accounts.
All necessary evidence was documented for use in legal proceedings.

Recommendations
1. Enhance Security Awareness: It is essential to train employees to recognize phishing emails and other suspicious messages. Training programs should include awareness of common attack methods and ways to prevent them.
2. Use Advanced Antivirus Systems: It is recommended to use advanced antivirus programs that include behavior analysis and real-time malware detection to prevent attacks.
3. Implement Two-Factor Authentication: Companies should implement two-factor authentication for all user accounts, especially those with high-level privileges, to reduce the risk of password-targeted attacks.
4. Continuous Network Monitoring: Continuous monitoring of data traffic using tools such as Wireshark or Splunk should be implemented to detect suspicious activity as soon as it occurs.

Conclusion
As digital attacks on organizations and businesses continue to rise, it is essential to strengthen cybersecurity measures and ensure effective precautionary actions to protect sensitive data and information. Digital investigations play a crucial role in identifying cybercriminals and holding them accountable, while providing technical solutions to improve institutional responses to these crimes. By applying the recommendations outlined, companies can mitigate risks and enhance their security posture against future attacks.

Problem 2: Black screen appears and desktop icons and taskbar disappear
Operating systems like Windows are essential to the smooth functioning of daily tasks in work environments, where employees rely heavily on computer programs to access files, manage tasks, and communicate information. However, technical issues can occasionally arise, disrupting critical system services such as Windows Explorer, which is responsible for managing the desktop, taskbar, and file access. When the Windows Explorer process malfunctions or is terminated, employees lose access to desktop icons, and the Start Menu and taskbar disappear, preventing them from launching applications or opening files. This can significantly disrupt productivity, as employees are unable to perform their daily tasks efficiently and may have to wait for the service to be restored. Such issues add stress and can negatively affect the workflow, often requiring immediate intervention from the IT support team to resolve the problem and restore normal operations.

Steps I Followed to Resolve the Issue
1. Opened Task Manager: Since the taskbar wasn't visible, I used the Ctrl + Shift + Esc shortcut to open Task Manager directly.
2. Manually Restarted "Windows Explorer": In Task Manager, I clicked on File at the top of the window and chose Run new task. In the dialog box, I typed explorer.exe and clicked OK. This restarted Windows Explorer, and the taskbar, desktop icons, and Start Menu reappeared, restoring normal functionality.
3. Verified System Functionality: After restarting the process, I checked that all system components were accessible and functioning as expected.

Results
After analyzing the black-screen issue that users encounter on their computers, it was found that the causes of this problem vary, including issues with the operating system, problems with the graphics card, or hardware damage. In many cases, the issue was related to outdated drivers or conflicts with recent system updates. By resolving the issue, whether through restarting the system, updating drivers, or replacing faulty hardware components, the device was restored to its normal state, allowing users to resume their tasks without further problems.

Recommendations
1. Ensure Regular System Updates: Users should regularly update the operating system and all drivers to avoid conflicts that might lead to the black-screen issue.
2. Perform Regular Device Maintenance: It is important to regularly check the health of hardware components such as the graphics card and RAM, and to ensure all cables and connections are intact.
3. Use Performance Monitoring Software: Users can employ specialized software to monitor system performance and detect, early on, potential issues that may lead to the black screen.
4. Regularly Back Up Data: To limit the damage of data loss or system failure, users should regularly back up their data so that nothing is lost in case of unforeseen issues.
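Returning to Problem 1: the incident started with an email whose link led to a page mimicking the bank's website. The following is an added example, not code from the report or from any of the tools it names, showing the kind of link check a mail gateway or awareness tool can run before a user clicks: it extracts the links from an HTML message and flags hosts that merely contain the bank's name, raw IP addresses, punycode hosts, visible URLs that differ from the real target, and plain http. The bank domain (examplebank.com), the message and the URLs are constructed placeholders; registered_domain is a deliberate simplification that does not handle multi-label suffixes such as co.uk.

```python
"""Flag phishing-style links in an email body (added example, not from the report)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the bank's real domain; a deployment would load this from policy.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample message modelled on the incident described in Problem 1.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="https://examplebank.com.account-update.example/login">update your account</a>
within 24 hours.</p>
<p>Or visit <a href="http://198.51.100.23/secure">https://examplebank.com/secure</a></p>
<p>Questions? See our <a href="https://www.examplebank.com/help">Help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(href, text):
    """Return a verdict ('trusted', 'external' or 'suspicious') with the reasons."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if registered_domain(host) in TRUSTED_DOMAINS:
        return {"href": href, "text": text, "verdict": "trusted", "reasons": reasons}
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    if "xn--" in host:
        reasons.append("punycode (IDN) host")
    for trusted in TRUSTED_DOMAINS:
        # the bank's name appears in the host, but the registered domain is not the bank's
        if trusted.split(".")[0] in host:
            reasons.append(f"lookalike of {trusted}")
    if text.lower().startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        if registered_domain(shown) != registered_domain(host):
            reasons.append("visible URL differs from real target")
    if parsed.scheme == "http":
        reasons.append("unencrypted http link")
    verdict = "suspicious" if reasons else "external"
    return {"href": href, "text": text, "verdict": verdict, "reasons": reasons}


def scan_email(html):
    """Classify every link in an HTML message, in document order."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [classify_link(href, text) for href, text in extractor.links]


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding["verdict"].upper(), finding["href"], "; ".join(finding["reasons"]))
```

The first two links in the sample are the ones a user would be most likely to trust by eye: one carries the bank's name inside a different registered domain, the other shows the bank's URL as link text while pointing at a bare IP over http. Only the third resolves to the trusted domain.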
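The "Securing the Evidence" and "Collection of Digital Evidence" steps of Problem 1 rely on imaging tools such as FTK Imager to produce exact copies whose integrity can be demonstrated later. The following added example, not taken from the report or from FTK Imager, shows the hashing half of that process in plain Python: the image is hashed (MD5 and SHA-256) at acquisition, the digests go into a chain-of-custody record, and the image is re-hashed before analysis so any modification is detected. The "disk image", examiner name and case id are constructed placeholders.

```python
"""Record and re-verify the integrity of a forensic image (added example, not from the report)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream the image; real images are far larger than memory


def digest_stream(stream):
    """Return MD5 and SHA-256 hex digests of a binary stream read in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def hash_bytes(data):
    return digest_stream(io.BytesIO(data))


def record_acquisition(path, examiner, case_id):
    """Build the chain-of-custody record written when the image is acquired."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "image": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        **hash_file(path),
    }


def verify_image(path, record):
    """Re-hash the image and compare with the record. Returns (ok, reasons)."""
    reasons = []
    if os.path.getsize(path) != record["size_bytes"]:
        reasons.append("size mismatch")
    current = hash_file(path)
    for algo in ("md5", "sha256"):
        if current[algo] != record[algo]:
            reasons.append(f"{algo} mismatch")
    return (not reasons, reasons)


def run_demo():
    """Acquire a constructed image, verify it, modify one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "finance-laptop.dd")
        # Constructed sample "image": padding around a marker string (8208 bytes in total).
        with open(image_path, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"SAMPLE-NTFS-DATA" + b"\xff" * 4096)
        record = record_acquisition(
            image_path, examiner="EXAMINER-PLACEHOLDER", case_id="CASE-ID-PLACEHOLDER"
        )
        clean_ok, _ = verify_image(image_path, record)
        # Simulate the image being altered after acquisition, e.g. mounted read-write.
        with open(image_path, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"X")
        tampered_ok, reasons = verify_image(image_path, record)
        return {
            "record": record,
            "clean_ok": clean_ok,
            "tampered_ok": tampered_ok,
            "reasons": reasons,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two digests are kept because that is what imaging tools conventionally record; the SHA-256 is the one to rely on, while the MD5 only serves to match older records. A single changed byte leaves the size unchanged, so size alone is never sufficient evidence of integrity.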
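Step 3 of the detailed analysis in Problem 1 (log analysis in Splunk, looking for repeated login attempts) can be illustrated without a SIEM. The following added example, not from the report or from Splunk, parses constructed authentication log lines, groups them by source address and account, flags bursts of failed logins inside a short window, and separately notes when a success from the same source follows the burst, which is the pattern a stolen or guessed password produces. The log format, account names and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed.

```python
"""Detect failed-login bursts and success-after-burst in auth logs (added example, not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: timestamp, result, user, source address.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>SUCCESS|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a burst against the finance manager's account, then a success
# from the same address; normal activity from an internal clerk; a slow trickle elsewhere.
SAMPLE_LOG = """\
2024-11-03 09:12:41 login FAILED user=finance.manager src=203.0.113.45
2024-11-03 09:12:43 login FAILED user=finance.manager src=203.0.113.45
2024-11-03 09:12:44 login FAILED user=finance.manager src=203.0.113.45
2024-11-03 09:12:46 login FAILED user=finance.manager src=203.0.113.45
2024-11-03 09:12:49 login SUCCESS user=finance.manager src=203.0.113.45
2024-11-03 09:15:02 login SUCCESS user=accounts.clerk src=10.0.0.21
2024-11-03 09:20:10 login FAILED user=accounts.clerk src=10.0.0.21
2024-11-03 09:20:30 login SUCCESS user=accounts.clerk src=10.0.0.21
2024-11-03 11:40:00 login FAILED user=finance.manager src=198.51.100.7
2024-11-03 11:41:00 login FAILED user=finance.manager src=198.51.100.7
this line is not an auth event and is skipped
"""


def parse_log(text):
    """Turn raw lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per (src, user) with >= threshold failures inside `window`.

    Each finding records the total failures and whether a SUCCESS from the same
    source for the same user occurred at or after the end of the first burst."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["user"])].append(e)

    findings = []
    for (src, user), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["result"] == "FAILED"]
        burst_end = None
        # Sliding window: the i-th and (i+threshold-1)-th failure within `window`.
        for i in range(len(failures)):
            j = i + threshold - 1
            if j < len(failures) and failures[j] - failures[i] <= window:
                burst_end = failures[j]
                break
        if burst_end is None:
            continue
        success_after = any(
            e["result"] == "SUCCESS" and e["ts"] >= burst_end for e in evs
        )
        findings.append({
            "src": src,
            "user": user,
            "failures": len(failures),
            "burst_end": burst_end,
            "success_after_burst": success_after,
        })
    return findings


def analyze(text, **kwargs):
    return find_bursts(parse_log(text), **kwargs)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "SUCCESS AFTER BURST" if f["success_after_burst"] else "burst only"
        print(f"{f['src']} -> {f['user']}: {f['failures']} failures, {flag}")
```

In the sample, only 203.0.113.45 against finance.manager crosses the threshold, and it is also the pair where a success follows the burst, which is the line an investigator would take to the timeline. The two failures from 198.51.100.7 stay below the threshold at its default; lowering `threshold` to 2 surfaces them, at the cost of catching the clerk's ordinary typo if it were repeated.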