Digital Forensics Report

The report details a forensic investigation into a security breach at Printing4U, initiated by a junior employee connecting a legacy computer to the Internet. The analysis utilized various tools to uncover a targeted cyberattack involving credential brute-forcing, DLL injection, and persistent malware, despite the attacker's use of anti-forensic measures. The investigation successfully identified and removed the malware, reconstructed the attack timeline, and extracted encrypted steganographic content.

Uploaded by

ASHEN AMANTHA

CO5606 – Digital Forensics

Individual Report 2 (RESIT): Practical Forensics Investigation

Name: [Your Full Name]
Student ID: [Your ID]
Submission Date: 10 July 2025

Table of Contents

1. Introduction
2. Task 1: Compromise Investigation
3. Task 2: Malware Analysis & Removal
4. Task 3: Encryption, Obfuscation & Steganography
5. Conclusion

1. Introduction

As a Digital Forensics Officer at Recovery Angels Ltd, I was tasked with conducting a forensic
investigation into a security incident at Printing4U. The breach occurred when a junior employee
connected a legacy computer to the Internet, exposing it to potential attacks. My analysis focused on
the provided disk image and memory dump, downloaded from the CO5606 Moodle page.

Using industry-standard tools such as VirtualBox, Autopsy, Volatility, VirusTotal, IDA Pro, PowerShell,
and Stegseek, this report reconstructs the timeline and methods of compromise, identifies the malware
used, and presents removal and mitigation strategies.

2. Task 1: Compromise Investigation

Evidence Preservation

All disk images were mounted as read-only or immutable in VirtualBox to prevent accidental
modification. Original hash values of key files were verified:

• [Link] : 122cd92...
• [Link] : ec62fb2...
• [Link] : 68d9858...

Hash values ensured forensic integrity throughout the investigation.

Live Analysis (VirtualBox)

Using PowerShell, system processes, network activity, autorun entries, and scheduled tasks were
captured. Notable findings included:

• Suspicious processes: [Link] (Figure 4)
• Open ports 445 and 135 (Figure 5), commonly targeted by attackers
• Disabled scheduled tasks and suspicious autoruns related to [Link]

Offline Analysis (Autopsy)

Autopsy revealed:

• [Link] : Scan results targeting "[Link]"
• [Link] : Password list found under /Documents/ssh
• Bash history indicated use of hydra for brute-force SSH attacks
• Evidence of VPN installation and use, suggesting anonymization attempts

Memory Dump Analysis (Volatility)

Volatility analysis identified injected DLLs and suspicious memory behavior:

• [Link] and [Link] both spawned from the same parent process
• [Link] injected into [Link] via a memory region with PAGE_EXECUTE_READWRITE permission
• MZ headers in several processes confirmed executable code present in memory
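
The injection indicators listed above (an RWX region, an MZ header inside process memory that no file backs) reduce to a small triage rule. The following Python is an added example, not code from the report or from Volatility: it applies that rule to constructed region records shaped like the per-region output of vadinfo/malfind; the process name host.exe and the addresses are made up.

```python
from dataclasses import dataclass

# Constructed stand-in for the per-region data Volatility's vadinfo/malfind
# plugins report for each process: protection, backing file, leading bytes.
@dataclass(frozen=True)
class Region:
    pid: int
    process: str
    start: int
    protection: str
    file_backed: bool   # False for private (anonymous) memory
    head: bytes         # first bytes at `start`

RWX = "PAGE_EXECUTE_READWRITE"

def injection_indicators(region: Region) -> list[str]:
    """Reasons a region looks like injected code; empty list if none."""
    reasons = []
    if region.file_backed:
        # Mapped images (loaded DLLs, the EXE itself) legitimately start with
        # MZ and are PAGE_EXECUTE_WRITECOPY; nothing to flag here.
        return reasons
    if region.protection == RWX:
        reasons.append("private RWX region")
    if region.head[:2] == b"MZ":
        reasons.append("PE (MZ) header in private memory")
    return reasons

def triage(regions: list[Region]) -> dict[tuple[int, str, int], list[str]]:
    """Map (pid, process, start) -> indicators for every suspicious region."""
    hits = {}
    for r in regions:
        reasons = injection_indicators(r)
        if reasons:
            hits[(r.pid, r.process, r.start)] = reasons
    return hits

# Constructed sample: one clean image mapping, one private heap, one region
# matching the report's finding (private, RWX, MZ header at its start).
SAMPLE = [
    Region(1204, "host.exe", 0x00400000, "PAGE_EXECUTE_WRITECOPY", True, b"MZ\x90\x00"),
    Region(1204, "host.exe", 0x00610000, "PAGE_READWRITE", False, b"\x00\x00\x00\x00"),
    Region(1204, "host.exe", 0x02A60000, RWX, False, b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for (pid, name, start), why in triage(SAMPLE).items():
        print(f"PID {pid} {name} @ {start:#010x}: {', '.join(why)}")
```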

These findings indicate initial access was gained via social engineering and credential cracking, followed
by malware execution and persistence.

3. Task 2: Malware Analysis & Removal

Identified Malware Files

• [Link]
• [Link]
• [Link]

Each file was uploaded to VirusTotal, confirming detection as Trojans. IDA Pro was used for disassembly:

• [Link] contains an infinite loop with 3-second delays (anti-debugging)
• It locates [Link] and injects [Link] using VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread
• The DLL imports functions from [Link], indicating low-level access

Removal Script

A PowerShell script was created to scan and remove malware:

# PowerShell Malware Removal Script
param ([switch]$Scan, [switch]$Remove)

$MalwarePaths = @("C:\812stash")
# The autorun entries live under the Run key as registry *values*, not keys,
# so they are checked and removed with Get-/Remove-ItemProperty on the parent key.
$MalwareRegistryKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\plunger",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\draw"
)
# Process names as Get-Process/Stop-Process expect them: without the .exe extension
$MalwareProcesses = @("[Link]", "[Link]", "[Link]")

function Test-MalwareRegistryValue ($ValuePath) {
    $key  = Split-Path $ValuePath -Parent
    $name = Split-Path $ValuePath -Leaf
    return [bool](Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)
}

function Scan-Malware {
    Write-Host "Scanning for malware..."
    foreach ($path in $MalwarePaths) {
        if (Test-Path $path) { Write-Host "[!] Found: $path" }
    }
    foreach ($key in $MalwareRegistryKeys) {
        if (Test-MalwareRegistryValue $key) { Write-Host "[!] Malicious Registry: $key" }
    }
    foreach ($proc in $MalwareProcesses) {
        if (Get-Process -Name $proc -ErrorAction SilentlyContinue) { Write-Host "[!] Running: $proc" }
    }
}

function Remove-Malware {
    Write-Host "Removing malware..."
    # Stop the processes first so they cannot hold the files open or rewrite the autoruns
    foreach ($proc in $MalwareProcesses) { Stop-Process -Name $proc -Force -ErrorAction SilentlyContinue }
    # -Recurse is needed because C:\812stash is a directory
    foreach ($path in $MalwarePaths) { Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($key in $MalwareRegistryKeys) {
        Remove-ItemProperty -Path (Split-Path $key -Parent) -Name (Split-Path $key -Leaf) -Force -ErrorAction SilentlyContinue
    }
}

if ($Scan) { Scan-Malware }
if ($Remove) { Remove-Malware }

The script targets known malicious files, registry keys, and running processes. Execution showed
successful removal.

4. Task 3: Encryption, Obfuscation & Steganography

Legitimate Encryption Use

VeraCrypt was found installed on the system. Web history showed visits to VeraCrypt documentation,
which indicates legitimate usage by Printing4U staff. However, recent tabs and the presence of
wallet-related searches suggest the attacker attempted to access encrypted personal data.

Malware Obfuscation

[Link] uses multiple anti-analysis methods:

• Time delays and infinite loops
• Timestamp altered to 1995 (timestomping)
• DLL injection via low-level APIs in [Link]

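Timestomping of the kind noted above (a modification time pushed back to 1995) can be checked against a timestamp the attacker rarely adjusts: the compile time stored in the PE header. This Python is an added example and not part of the report; the whole-second heuristic is an assumption of the example, and the PE header blob and dates are constructed.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes):
    """COFF TimeDateStamp of a PE image as an aware UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def timestomp_indicators(mtime: datetime, data: bytes) -> list[str]:
    """Reasons the file system mtime of a PE file looks forged; [] if none."""
    reasons = []
    compiled = pe_compile_time(data)
    if compiled is not None and mtime < compiled:
        # A file cannot have been last written before the binary inside it was linked.
        reasons.append(f"modified {mtime:%Y-%m-%d} before compile time {compiled:%Y-%m-%d}")
    if mtime.microsecond == 0:
        # Heuristic (assumption of this example): NTFS records 100 ns precision, so an
        # exact whole-second mtime often comes from a tool that set it explicitly.
        reasons.append("whole-second mtime (set by a tool rather than by a write)")
    return reasons

def build_minimal_pe(compiled: datetime) -> bytes:
    """Constructed stand-in for a PE header carrying the given compile time."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew = 0x40
    stamp = int(compiled.timestamp())
    hdr += b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, stamp) + bytes(12)
    return bytes(hdr)

UTC = timezone.utc
SAMPLE_PE = build_minimal_pe(datetime(2024, 3, 1, tzinfo=UTC))
# Constructed mtimes: one backdated like the finding in the report, one plausible.
STOMPED = datetime(1995, 6, 15, tzinfo=UTC)
GENUINE = datetime(2024, 3, 2, 10, 11, 12, 345678, tzinfo=UTC)

if __name__ == "__main__":
    for label, mtime in (("stomped", STOMPED), ("genuine", GENUINE)):
        print(label, timestomp_indicators(mtime, SAMPLE_PE) or "no indicators")
```
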
Steganography Use

Web history included Steghide tutorials. Investigation revealed .wav files in Myles' music folder.
Stegseek flagged one .wav as containing hidden data.

• [Link] was used to brute-force password: Liverpool
• Extracted .odt file contained hacker notes
• File scanned via VirusTotal; no further hidden data found

These methods show a deliberate attempt to hide, obfuscate, and anonymize attacker actions.

5. Conclusion

The forensic analysis of Printing4U's compromised machine uncovered a targeted cyberattack involving
credential brute-forcing, DLL injection, and persistent malware. Despite anti-forensic measures like
timestomping, code obfuscation, and VPN usage, the attacker’s activities were traceable through
memory dumps, file system artifacts, and behavioral patterns.

Our use of Volatility, Autopsy, IDA Pro, and custom PowerShell tools allowed us to identify and remove
malware, uncover the attack timeline, and extract encrypted steganographic content, thereby enabling
a complete reconstruction of the compromise.

