Cyber security - Lab report

Added on  2022-09-28

LAB 6 REPORT
OVERVIEW:
Mr ImaVictim, one of my clients, has contacted me about a possible malware
attack. I arrived at Mr ImaVictim's house to discover Wireshark capturing data on
his PC. After speaking with Mr ImaVictim in further depth, I understand that
when he was browsing the internet he came across an application named
"server.exe." Mr ImaVictim saved and executed "server.exe," and a message
displayed on his screen right away, but nothing seemed to change after that
strange message.
While we were talking, roughly 5 minutes passed before a web browser window
opened without anybody touching the device. Mr ImaVictim states that he is
worried that a sensitive business proposal he was working on at the time is now
in the hands of a third party, and he wants me to look for any evidence that
might point to a malicious third party at work so that he can report it to the police.
INVESTIGATION:
On Wednesday, May 18th, at around 1:30 p.m., I arrive at Mr ImaVictim's
residence. When we first meet, we discuss the specific nature of the problem
he is having, his concerns, and what he did before and after the suspicious
behaviour occurred. Mr ImaVictim has been using Wireshark to monitor and
capture traffic on his network, as he tells me.
At 1:44 p.m., I utilise a forensic program from the command prompt to take
down key information about the client's PC. Because this is a live
examination, I gather as much information about the running system as
possible to support the rest of the investigation. I record the time, the
operating system, the user account, and the IP address, as shown below.
TIME DETAILS:
System Date: Wed 18/05/2022
System Time: 01:44pm
System Time zone: GMT+10:00 Canberra, Melbourne
Current Date: Wed 18/05/2021
Current Time: 01:44pm
Time Variation (+/-): GMT+10:00
OS DETAILS:
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3, build 2600
System Uptime: 2 hours, 36 minutes, 44 seconds
USER ACCOUNT DETAILS:
Logon time: 18/05/2022 12:23:02 PM
Logged on user: LAB6-VICTIM\ImaVictim
IP ADDRESS DETAILS:
IP Address: 192.168.6.2
Subnet Mask: 255.255.255.0
MAC Address: 08-00-27-57-D9-9A
At around 1:55 p.m., I open Task Manager to check whether there are any
suspicious processes running on Mr ImaVictim's computer. I find a suspicious
process called server.exe and take down its PID right away: server.exe has a
PID of 1208.
At around 2:00 p.m., I utilise a forensic tool to list the open network
connections on the client's PC, to check whether this suspicious process is
communicating with a remote host and so confirm that it is malware. On the
client's machine, I discover an entry with a foreign address whose PID, 1208,
matches that of the suspicious process server.exe. The specifics are as follows:
Foreign Address: 192.168.6.1
State: Established
PID: 1208
At around 2:10 p.m., having used a forensic tool to find the information
above, I locate the malware file itself on Mr ImaVictim's machine and record
the following information:
File Name: server.exe
Path: C:\Documents and Settings\Desktop\server.exe
Size: 57.8KB
Created: Today, 18th May 2022, 1:26:29pm
Modified: Today, 18th May 2022, 1:26:29pm
Accessed: Today, 18th May 2022, 1:26:29pm
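The two triage steps above (note the PID of the suspicious process, then find the established connection that carries the same PID) can be automated over the text a responder captures from the command prompt. The script below is an added example, not part of this lab report, and it assumes the responder has saved the output of the standard Windows commands tasklist and netstat -ano; the report does not name the forensic tool it used. The sample output embedded in the script is constructed to mirror the report's values (server.exe, PID 1208, foreign address 192.168.6.1); the remote port and the other processes are invented for illustration.

```python
"""Correlate a suspicious process with its established network connections.

Added example (not from the lab report). Parses the text output of the Windows
commands `tasklist` and `netstat -ano` and links each ESTABLISHED connection to
the owning process by PID, producing the "Foreign Address / State / PID" lines
the report records.
"""
import re
from dataclasses import dataclass

# Constructed sample of `tasklist` output (not captured from the client's PC).
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1032 Console                    0     18,532 K
wireshark.exe                 1156 Console                    0     41,100 K
server.exe                    1208 Console                    0      2,316 K
"""

# Constructed sample of `netstat -ano` output; the remote port 5552 is invented.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.6.2:1045       192.168.6.1:5552       ESTABLISHED     1208
  TCP    192.168.6.2:1047       192.168.6.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""


@dataclass(frozen=True)
class Connection:
    proto: str
    local: str
    foreign: str
    state: str   # empty for UDP, which has no state column
    pid: int


def parse_tasklist(text: str) -> dict[int, str]:
    """Map PID -> image name. Image names may contain spaces, so match from the right."""
    pids: dict[int, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids


def parse_netstat(text: str) -> list[Connection]:
    """Parse TCP (5 columns) and UDP (4 columns, no state) rows; skip headers."""
    conns: list[Connection] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        conns.append(Connection(proto, local, foreign, state, int(pid)))
    return conns


def established_for(image_name: str, tasklist_text: str, netstat_text: str) -> list[Connection]:
    """ESTABLISHED connections owned by every process whose image name matches.

    Sockets in TIME_WAIT carry PID 0 and cannot be attributed, so they are excluded
    by the state filter rather than mis-attributed to an unrelated process.
    """
    pids = {pid for pid, name in parse_tasklist(tasklist_text).items()
            if name.lower() == image_name.lower()}
    return [c for c in parse_netstat(netstat_text)
            if c.pid in pids and c.state == "ESTABLISHED"]


def triage_summary(image_name: str, tasklist_text: str, netstat_text: str) -> list[str]:
    """One line per finding, in the form the report records them."""
    return [
        f"Foreign Address: {c.foreign.rsplit(':', 1)[0]}  State: {c.state.title()}  PID: {c.pid}"
        for c in established_for(image_name, tasklist_text, netstat_text)
    ]


if __name__ == "__main__":
    for line in triage_summary("server.exe", TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        print(line)
```

On a real case the two samples would be replaced by files saved from the live machine; capturing them from a trusted copy of the tools rather than the suspect system's own binaries is the usual precaution, since a running backdoor can tamper with what local tools show.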