Incident Response: Investigation of Cryptolocker (trace analysis with Wireshark and Windows 2003 Server)


Module name: Advanced Cloud and Network Forensics

Session:  Semester 2, 2014/2015

Weighting:  50%

Coursework Assignment

Title:   Incident Response: Investigation of Cryptolocker

Outline Requirements 

A company has reported that there has been some malicious activity within their company related to Cryptolocker-type activity. The critical incident response team has managed to get a virtual image of the host under suspicion (HUS), along with other traces of evidence that could be used for the investigation (this includes both host activity on the system and network traces).

It is thus your objective to investigate the virtual image, and produce a fair and unbiased report on the findings.

The VM image exists in the attachment, which also contains the network trace, which can also be downloaded from:

The analysis should involve analysing the network trace for the connections from the hosts which connected to the host-under-suspicion (HUS). Along with this you should analyse and cross-correlate the activity within the logs on the HUS, and the trace of files left on the system. Evidence should also be gained from the applications which were used within the time window of interest. Please note that all other activity outside this window-of-interest should be ignored.

Host under suspicion: Production -> Crypto -> Crytpo_001, Crypto_002 …


Marking schedule

The coursework should be submitted via Turnitin if possible. It will be marked as follows:

  • Investigation Procedure [20%]. This should outline your procedures for analysing the virtual image.
  • Findings [45%]. This should outline the trail of evidence produced, and the findings from it.
  • Conclusions [20%]. This should reflect the methods you have used in the report, and to assess their strengths and weaknesses, and any observations that you have gained.
  • References/Presentation [15%]. All references must be defined in an APA/Harvard format, and should be integrated in the report.

 

The report should use the APA/Harvard format for all of the references, and, if possible, should include EVERY reference to material sourced from other places. Also, the report should be up to 20 pages long (where appendices do not count in the page count number).

 

 

Marking approach

There are multiple communications within the network trace, some of which have possible malicious intent, and others which are normal non-malicious content. As part of the analysis you should:

 

  • In the report, define a strict methodology that you would apply in actually undertaking the investigation.
  • Take reasoned judgments as to the nature of the trace of network activity.
  • Where faced with suspect content, try to uncover the root of the evidence, such as cracking cipher codes. The methods tried should be clearly defined in the report.
  • Define the timeline of activity involved in the possible malicious activity.
  • Cross-corroborate the network traces with the system traces that appear on the host system (such as examining system logs, audit logs, and the file attributes), and report on any suspicious activities.
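The procedure the brief asks for (list the hosts that connected to the HUS in the network trace, then cross-corroborate with the host logs and file attributes, ignoring everything outside the window of interest) as an added Python example; this is not part of the assignment material. The HUS address, the window bounds and every evidence row are constructed stand-ins for the tshark CSV export, Event Viewer entries and file timestamps an investigator would actually collect.

```python
# Constructed evidence: correlate network, host-log and file traces in a window
import csv
import io
from datetime import datetime

HUS_IP = "192.168.1.20"  # assumed address of the host under suspicion
WINDOW_START = datetime(2015, 3, 10, 10, 0, 0)  # assumed window of interest
WINDOW_END = datetime(2015, 3, 10, 10, 10, 0)
# Constructed tshark-style CSV export (frame.time, ip.src, ip.dst, tcp.dstport)
NET_CSV = """time,src,dst,dstport
2015-03-10 09:58:10,192.168.1.5,192.168.1.20,445
2015-03-10 10:02:31,192.168.1.9,192.168.1.20,3389
2015-03-10 10:04:05,192.168.1.20,198.51.100.7,443
2015-03-10 10:06:44,192.168.1.9,192.168.1.20,3389
"""
# Constructed Windows 2003 Security/System log entries (time, description)
HOST_EVENTS = [
    ("2015-03-10 10:02:35", "Security 528: logon type 10 from 192.168.1.9"),
    ("2015-03-10 10:03:50", "Security 592: new process unknown_tool.exe"),
    ("2015-03-10 12:15:00", "System 6005: Event Log service started"),
]
# Constructed file-attribute evidence (modified time, path)
FILE_EVENTS = [
    ("2015-03-10 10:04:20", r"C:\Shares\Finance\budget.xlsx.encrypted"),
    ("2015-03-10 10:05:02", r"C:\Shares\Finance\DECRYPT_INSTRUCTIONS.txt"),
]
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def hosts_connecting_to_hus(net_csv, hus=HUS_IP):
    """Map each host with inbound connections to the HUS in the window to the ports it reached."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(net_csv)):
        if row["dst"] == hus and WINDOW_START <= parse_ts(row["time"]) <= WINDOW_END:
            hosts.setdefault(row["src"], set()).add(int(row["dstport"]))
    return hosts

def build_timeline(net_csv, host_events, file_events, hus=HUS_IP):
    """Merge all three sources into one time-ordered list; drop activity outside the window."""
    events = []
    for row in csv.DictReader(io.StringIO(net_csv)):
        direction = "inbound" if row["dst"] == hus else "outbound"
        events.append((parse_ts(row["time"]), "net", f"{direction} {row['src']} -> {row['dst']}:{row['dstport']}"))
    events += [(parse_ts(t), "log", d) for t, d in host_events]
    events += [(parse_ts(t), "file", p) for t, p in file_events]
    return sorted(e for e in events if WINDOW_START <= e[0] <= WINDOW_END)

if __name__ == "__main__":
    print(*build_timeline(NET_CSV, HOST_EVENTS, FILE_EVENTS), sep="\n")
```

The merged timeline is what lets the RDP logon in the Security log be matched against the inbound 3389 connection a few seconds earlier and the encrypted files that appear shortly after; the 09:58 and 12:15 entries fall outside the window and are dropped.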