Forensic Investigation and Analysis

Jferdochem
Dec 15, 2023 · 3 min read


I’m a student at Centennial College in Ontario, Canada, and studying Computer System Technology. I really like learning about cybersecurity, especially forensic analysis. During my time in college, I’ve been doing a lot of hands-on work and studying hard to understand how to solve digital mysteries. I enjoy figuring out how computer systems work, and I want to keep learning about the latest technology changes. It’s not just about getting a degree for me; I want to be a part of the ever-changing world of cybersecurity.

Recently, I did a Forensic Investigation and Analysis as part of a project. Here I’m recording the steps I took, in the hope that it gives someone an idea of how to carry out a forensic investigation and analysis.

Prerequisites

In this comprehensive practical assessment, I meticulously documented the procedures followed to execute a thorough forensic investigation using various tools and techniques. The following summarizes my actions:

  1. Flare-VM Setup:
  • Created a Flare-VM using VMware.
  • Configured the PC hostname to reflect my name, set up login credentials, and enrolled the OpenEDR agent for Windows.

  2. OpenEDR Access:
  • Logged into OpenEDR as a “technician” and accessed the dashboard.

Part 1: The Memory Acquisition Tool

The objective is to learn how to use AccessData FTK to take a memory dump from a malware-infected machine.

  1. Signed up for AccessData FTK, then downloaded and installed it inside the Flare-VM.

Part 2: The Artifact

The objective is to determine each file’s type from its “magic” signature (the fixed bytes at the start of the file) without uploading the file to a malware sandbox.

  1. Navigated to the specified download site.
  2. Downloaded COMP4071_00481.zip, unzipped it with the password, and renamed around 40 files based on VirusTotal analysis.
  3. Ran the renamed files in the browser.
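As an added example (not part of the original lab write-up), the script below does the type identification the objective asks for directly from each file’s leading bytes, renames the file to match, and records its SHA-256 so the hash can be searched on VirusTotal without uploading the sample itself. The signature table is a hand-picked subset of well-known magic numbers rather than a complete database, and the sample files it runs on are constructed in a temporary directory; neither comes from the lab.

```python
"""Identify files by magic signature, rename them to match, and hash them.

Added example for this write-up, not code from the original lab. The
signature table is a small hand-picked subset; the sample files in demo()
are constructed, not real malware.
"""
import hashlib
import tempfile
from pathlib import Path

# (offset, magic bytes, extension). Constructed subset of well-known
# signatures; extend as needed. Longer, more specific patterns come first.
MAGIC_TABLE = [
    (0, b"MZ", "exe"),                                 # PE/DOS executable (also dll, sys)
    (0, b"\x7fELF", "elf"),                            # ELF binary
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),                         # ZIP container (also docx/xlsx/jar/apk)
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 compound file (doc/xls/ppt/msi)
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gz"),
    (0, b"<!DOCTYPE html", "html"),
    (0, b"<html", "html"),
    (257, b"ustar", "tar"),                            # tar keeps its magic at offset 257
]

HEADER_BYTES = 512  # enough to cover every offset in the table


def identify(data: bytes) -> str:
    """Return the extension whose magic matches data, or 'unknown'."""
    for offset, magic, ext in MAGIC_TABLE:
        if data[offset:offset + len(magic)] == magic:
            return ext
    return "unknown"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large samples never sit fully in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def rename_by_magic(directory: Path) -> dict[str, dict]:
    """Identify every regular file in directory by magic and rename it to match.

    Returns {original_name: {"new_name", "type", "sha256"}}. Files with no
    recognized signature are hashed but left untouched. Only run this inside
    the analysis VM: giving a sample its real .exe extension makes it
    double-click-executable on Windows.
    """
    report = {}
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        with path.open("rb") as f:
            head = f.read(HEADER_BYTES)
        ext = identify(head)
        digest = sha256_file(path)
        new_name = path.name
        if ext != "unknown" and path.suffix.lstrip(".").lower() != ext:
            target = path.with_name(f"{path.stem}.{ext}")  # stem drops a wrong extension
            if not target.exists():                          # never clobber another sample
                path.rename(target)
                new_name = target.name
        report[path.name] = {"new_name": new_name, "type": ext, "sha256": digest}
    return report


def demo() -> dict[str, dict]:
    """Write a few constructed samples to a temp dir and run the renamer on them."""
    samples = {
        "sample_a": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,       # fake PE stub
        "sample_b.txt": b"%PDF-1.7\n% constructed, not a real document\n",  # PDF with wrong extension
        "sample_c": b"\x00" * 257 + b"ustar\x00" + b"00" + b"\x00" * 248,  # tar header fragment
        "sample_d": b"\x01\x02\x03 no known signature",                # stays unknown
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in samples.items():
            (root / name).write_bytes(data)
        return rename_by_magic(root)


if __name__ == "__main__":
    for original, info in demo().items():
        print(f"{original:14} -> {info['new_name']:14} {info['type']:8} {info['sha256']}")
```

Point the script at the unzipped sample directory instead of `demo()` to process real files; the SHA-256 column is what you paste into VirusTotal’s search box, which looks up an existing report without sending the file anywhere.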

Part 3: Memory Acquisition

The objective is to acquire a memory dump for forensic investigation in Autopsy.

  1. Opened AccessData FTK, browsed to the download directory as the destination path, and started the memory dump.
  2. The memory image needs a lot of disk space, so I had to uninstall large files to make room for it.
  3. Successfully completed the memory dump.

Part 4: Autopsy

The objective is to analyze a forensic image (VMDK) with Autopsy.

  1. Opened Autopsy, created a new case, and numbered the first case 001.
  2. Selected the host name and data source type (VMDK).
  3. Adjusted the time zone and configured the settings for analysis.
  4. Analyzed the VMDK file, answering specific questions about the OS, admin users, profile preferences, installed applications, files over 1 GB, and more.
  5. From the left (tree) pane I found a lot of information, such as who the admin user is, which programs are installed, the OS accounts, and more.

Conclusion: In successfully completing this final lab, I demonstrated proficiency in forensic investigation techniques, including memory acquisition, artifact analysis, and Autopsy tool usage. The comprehensive documentation outlines each step taken to ensure a thorough examination of the digital evidence.
