Malware Infection Scenario:

In this assignment, you are required to conduct a root cause analysis based on the Malware infection scenario and prepare a research work for different steps under cyber forensic investigation subject for data collection, analysis, and documentation of findings. You are strongly encouraged to design the standard procedure for data acquisition and analysis along with the use of proper tool for the given assumptions.

Deliverables for Task 1:

You work as incident handler under the incident response team in Exabytes Sdn.Bhd. Recently you have been receiving tons of reports on network components such as host machines malfunctioning. The report highlighted a number of apprehensive characteristics and behaviours such as auto-run tasks, restarting frequently, unknown files found on computers, issues for running multiple processes simultaneously and etc. They send a request to the incident response team to investigate and find the root of the problem. A while later your team decided to conduct a root caused analysis to find what is the origin of the issue and generate a report on the discussed matter. A very initial step is to identify evidence for malware infection and analyse gathered evidence to report on the findings of the incident.

Given that, you require to discuss the following questions:

1. first responder, discuss in detail the procedures and steps taken when handling the incident. Your discussion should also include the different groups of first responders and the first response rule should a first responder observe. Your answer should relate to the case study.
2. Discuss in detail the plan or strategy to conduct data acquisition based on the incident reported by Exabytes Sdn. Bhd. and provide examples of any relevant tools or techniques or applications that can be used.
3. Assume that you have acquired the HDD image file and memory dump of the infected machine. Discuss what are the tools that can be used to analyse these files and explain the available commands use to:
4. Extract the list of processes that are running on the victim machine.
5. Identify any hidden or infected processes if any.

• Identify the list of handles that belong to suspicious processes.

Extract any command that an attacker might have typed/entered or executed in the system.

One of the suspicious processes is identified as “secret.paint”. Explain in detail how to extract this file and how to open the file (give example of application that can be used to view the file).

Hint: Explain what tool to create the report (e.g. FTKImager, Encase and etc.), and methods/tools (e.g. Forensic Image file creation tool under Data collection and etc.).

Please include screenshots of commands suggested in each question. You can use any RAM image file or HDD image file (from lab session).