Forensics Lab
Digital forensic analysis and investigation
Evidence Items
- Memory Dump: Verified
- Disk Image: Verified
- Network Capture: Verified
- Malware Sample: Verified
- Event Logs: Verified
Memory Dump - WKS-CLIENT-042.dmp
File Size: 512 MB
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Acquired By: Sarah Chen
Acquisition Time: 2024-12-13 10:45:22
Related Incident: INC-001
Verification: Hash Verified
Volatility Analysis
Common Commands:
```
forensics@semestra:~$ vol.py -f WKS-CLIENT-042.dmp --profile=Win10x64 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name            PID   PPID  Thds  Hnds  Sess  Wow64  Start                          Exit
------------------ --------------- ----- ----- ----- ----- ----- ------ ------------------------------ ------------------------------
0xfffffa8000c91040 System          4     0     95    563   ----- 0      2024-12-13 08:00:12 UTC+0000
0xfffffa8001d6b040 smss.exe        272   4     2     30    ----- 0      2024-12-13 08:00:12 UTC+0000
0xfffffa8002a5a040 csrss.exe       364   356   9     436   0     0      2024-12-13 08:00:15 UTC+0000
0xfffffa8002b7e040 wininit.exe     412   356   3     78    0     0      2024-12-13 08:00:15 UTC+0000
0xfffffa8002b82040 services.exe    468   412   7     206   0     0      2024-12-13 08:00:16 UTC+0000
0xfffffa8002bbd040 lsass.exe       476   412   7     613   0     0      2024-12-13 08:00:16 UTC+0000
0xfffffa8002dfe040 svchost.exe     600   468   11    352   0     0      2024-12-13 08:00:17 UTC+0000
0xfffffa8003a12040 powershell.exe  2156  1844  8     312   1     0      2024-12-13 10:42:33 UTC+0000
0xfffffa8003b89040 cmd.exe         2408  2156  1     21    1     0      2024-12-13 10:43:15 UTC+0000
0xfffffa8003c91040 suspicious.exe  3124  2408  4     89    1     0      2024-12-13 10:44:02 UTC+0000
```
Analysis: Suspicious process tree detected
└─ powershell.exe (PID 2156) spawned cmd.exe (PID 2408)
   └─ cmd.exe (PID 2408) spawned suspicious.exe (PID 3124)
Recommendation: Investigate process 3124 with 'malfind' and 'procdump'
File System Analysis
Mounted Image:
/mnt/evidence/system_c_drive.dd
| Path | Size | Modified | Flags |
|---|---|---|---|
| C:\Users\john.doe\AppData\Local\Temp\suspicious.exe | 1.2 MB | 2024-12-13 10:44:02 | Malware |
| C:\Windows\Temp\payload.ps1 | 45 KB | 2024-12-13 10:42:15 | Suspicious |
| C:\Users\john.doe\Documents\report.docx | 125 KB | 2024-12-12 14:30:00 | Clean |
| C:\ProgramData\runtime.dat | 2.5 MB | 2024-12-13 10:45:00 | Encrypted |
| C:\Windows\System32\notepad.exe | 243 KB | 2024-11-15 08:00:00 | System |
Findings: 1 malware file, 2 suspicious files detected. Recommend extracting for further analysis.
PCAP Analysis
2,845 packets
Packet #142 - HTTP POST
C2 Communication
192.168.1.42:49532 → 185.220.101.45:443
POST /api/beacon HTTP/1.1 | Size: 2.5 KB | Time: 10:44:15
Packet #98 - DNS Query
Suspicious Domain
192.168.1.42:53 → 8.8.8.8:53
Query: malicious-c2-server.com | Type: A | Time: 10:42:08
Packet #67 - HTTPS
Benign
192.168.1.42:443 → 142.250.185.46:443
TLS: google.com | Size: 1.2 KB | Time: 10:30:22
Packet #215 - Data Exfiltration
Data Exfil
192.168.1.42:52341 → 185.220.101.45:443
HTTPS Upload | Size: 15.2 MB | Time: 10:50:33
Alert: C2 communication and data exfiltration detected to IP 185.220.101.45
Sandbox Analysis Results
File Information
Filename: suspicious.exe
MD5: 8badf00d1234567890abcdef12345678
SHA256: a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
File Type: PE32 executable (GUI) Intel 80386
VirusTotal: 52/70 engines detected as malicious
Behavior Analysis
Classification: Trojan.Generic
Capabilities: Keylogger, C2 Beacon, Credential Theft
Network Activity: Connects to 185.220.101.45:443
Persistence: Registry Run key modification
MITRE ATT&CK Mapping
T1056.001 - Keylogging
T1071.001 - C2 Web Protocols
T1547.001 - Registry Run Keys
T1082 - System Information Discovery
Observed Actions
[10:44:05] Process Created: suspicious.exe (PID 3124)
[10:44:06] Registry Modified: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[10:44:08] DNS Query: malicious-c2-server.com
[10:44:15] Network Connection: 185.220.101.45:443 (ESTABLISHED)
[10:44:22] File Created: C:\ProgramData\runtime.dat
[10:44:30] Process Injection: Attempt to inject into explorer.exe
[10:50:33] Data Upload: 15.2 MB to 185.220.101.45
Verdict: Confirmed malware - Trojan with keylogging, C2, and data exfiltration capabilities
Evidence Chain of Custody
Evidence Acquired
2024-12-13 10:45:22
By: Sarah Chen (Incident Response Analyst)
Method: FTK Imager memory dump
Location: WKS-CLIENT-042, Office Building A, Floor 3
Hash Verification
2024-12-13 10:50:15
By: Sarah Chen
MD5: d41d8cd98f00b204e9800998ecf8427e
Status: Verified
Transferred to Forensics Lab
2024-12-13 11:00:00
From: Sarah Chen
To: Mike Johnson (Forensic Analyst)
Method: Encrypted USB transfer, hand-delivered
Analysis Initiated
2024-12-13 11:15:30
By: Mike Johnson
Tool: Volatility Framework 2.6.1
Workstation: FORENSICS-WS-01 (isolated network)