Forensic Investigation and Analysis
I’m a student at Centennial College in Ontario, Canada, studying Computer System Technology. I really like learning about cybersecurity, especially forensic analysis. During my time in college I’ve been doing a lot of hands-on work and studying hard to understand how to solve digital mysteries. I enjoy figuring out how computer systems work, and I want to keep learning about the latest technology changes. It’s not just about getting a degree for me; I want to be part of the ever-changing world of cybersecurity.
Recently, I did a Forensic Investigation and Analysis lab as part of a project. Here I’m recording the steps I took, and I hope it gives someone an idea of how to carry out a forensic investigation and analysis.
Pre-requisite
In this practical assessment I documented the procedures I followed to carry out a forensic investigation using various tools and techniques. The following summarizes my actions:
1. Flare-VM setup:
- Created a Flare-VM using VMware.
- Configured the PC hostname to reflect my name, set up login credentials, and enrolled the Windows OpenEDR agent.
2. OpenEDR access:
- Logged into OpenEDR as a “technician” and accessed the dashboard.
Part 1: The Memory Acquisition Tool
The objective is to learn how to use AccessData FTK to take a memory dump from a malware-infected machine.
- Signed up for AccessData FTK, then downloaded and installed it inside the Flare-VM.
Part 2: The Artifact
The objective is to determine a file’s type from its “magic” signature (the header bytes at the start of the file) without uploading the file to the malware sandbox.
- Navigated to the specified download site.
- Downloaded COMP4071_00481.zip, unzipped it with the password, and renamed around 40 files based on VirusTotal analysis.
- Ran the renamed files in the browser.
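As an added example (my own illustration, not code from the lab or from any tool named above), the script below reads only a file’s first bytes, matches them against a small constructed table of magic signatures, and flags names whose extension contradicts what the header says. It goes one step beyond a plain lookup for MZ files: it follows the e_lfanew pointer at offset 0x3C to confirm a real PE header and read the machine type. The sample headers at the bottom are constructed, not real files.

```python
import struct

# Constructed lookup table of header signatures: (offset, magic bytes, label). Not exhaustive.
SIGNATURES = [
    (0, b"MZ", "MZ"),  # refined below: DOS stub vs. real PE
    (0, b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/JAR/APK)"),
    (0, b"%PDF-", "PDF document"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
]
# Extensions that honestly match each base label; anything else is a name/content mismatch.
EXPECTED_EXT = {"PE executable": {".exe", ".dll", ".sys", ".scr"},
                "ZIP archive": {".zip", ".docx", ".xlsx", ".jar", ".apk"},
                "PDF document": {".pdf"}, "PNG image": {".png"}, "JPEG image": {".jpg", ".jpeg"}}

def _classify_mz(data: bytes) -> str:
    """'MZ' alone is just a DOS stub; a real PE has 'PE\\0\\0' at the offset stored at 0x3C."""
    if len(data) < 0x40:
        return "MZ stub (truncated header)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "MS-DOS executable (no PE header)"
    if len(data) < e_lfanew + 6:
        return "PE executable (truncated)"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # IMAGE_FILE_HEADER.Machine
    arch = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}.get(machine, hex(machine))
    return f"PE executable ({arch})"

def identify_by_magic(data: bytes) -> str:
    """Classify a file from its header bytes only; nothing is executed or sent anywhere."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return _classify_mz(data) if label == "MZ" else label
    return "unknown"

def extension_mismatch(filename: str, label: str) -> bool:
    """True when the name's extension contradicts the type the magic bytes reveal."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_EXT.get(label.split(" (")[0])
    return expected is not None and ext not in expected

# Constructed sample headers (not real files): a minimal x64 PE stub and a ZIP local header.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for name, data in (("invoice.pdf", SAMPLE_PE), ("archive.zip", SAMPLE_ZIP)):
        label = identify_by_magic(data)
        print(f"{name}: {label}", "<-- extension mismatch" if extension_mismatch(name, label) else "")
```

To run it against real samples, pass the first few kilobytes read from each file in the extracted archive to identify_by_magic; the file is never opened by any application, only read as bytes.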
Part 3: Memory Acquisition
The objective is to acquire a memory dump for forensic investigation in Autopsy.
- Opened AccessData FTK, browsed to the download directory as the destination path, and started the memory dump.
- The dump takes a large amount of disk space, so large files had to be uninstalled to make room for it.
- Successfully completed the memory dump process.
Part 4: Autopsy
The objective is to analyze a forensic image file (VMDK) with Autopsy.
- Opened Autopsy, created a new case, and numbered it 001.
- Selected the host name and the data source type (VMDK).
- Adjusted the time zone and configured settings for analysis.
- Analyzed the VMDK file, answering specific questions about the OS, admin users, profile preferences, installed applications, files over 1 GB, and more.
- By examining the left pane I found a lot of information, such as who the admin user is, which programs are installed, details about the OS accounts, and much more.
Conclusion: In successfully completing this final lab, I demonstrated proficiency in forensic investigation techniques, including memory acquisition, artifact analysis, and Autopsy tool usage. The comprehensive documentation outlines each step taken to ensure a thorough examination of the digital evidence.