COM6016: Cyber Threat Hunting and Digital Forensics
Forensics Case Study Assessment, October 2024
Submission Deadline: 15:00 on Monday, 16th December 2024
This assignment is worth 60% of the module mark. This assignment is made up of four different parts. You are required to answer all the questions below. All answers must be supported with adequate academic references.
The document should be formatted using a 12-point font size. The assignment must not exceed 12 pages.
PART 1 [20%]
Sarah, a long-time employee at Spark Toys, was recently passed over for a promotion, leading to a decline in her morale. Shortly after, a significant data breach occurred, compromising sensitive company and customer information.
Due to performance issues and suspected misconduct, Sarah was suspended and is currently under internal investigation for sending offensive messages. Her company-issued laptop has been seized and a memory image acquired as part of the investigation.
Recent news indicates that Sarah has resigned from Spark Toys and accepted a position at a direct competitor. It is suspected she might have been involved with the data breach.
Using your knowledge of Digital Forensics and the Digital Forensics process, describe how you would approach this case. You should discuss the relevant information that could be retrieved from the memory of the device, showing how this evidence might be retrieved.
PART 2 [45%]
Xaiver is a staff member of CR BioTech, a company based in London at the forefront of cutting-edge treatments for the flu.
Xaiver is suspected of stealing chemicals and customer data from CR BioTech. She has also recently become a person of interest in an ongoing INTERPOL case involving the international export and sale of counterfeit cat flu medication. The counterfeit medication has been known to cause ‘gingivitis’ (inflammation of the mouth) and ulcers within three weeks of completing the suggested doses.
Yusuf, one of Xaiver’s suspected accomplices who is now in custody, has suggested that the duo have made over £600,000 in sales of the counterfeit drug to more than 12 countries this year.
Xaiver has been arrested and two USB drives have been retrieved from her. The disk images of the USB drives, USB1.E01 and USB2.E01, have been made available to you (attached on Blackboard and also provided to you on the forensics laptop).
Assume you work for PRISM Forensics, an organisation providing forensics, first responder and incident response services to various regional Police units and INTERPOL.
You are required to write a forensics report of at most 5 pages explaining how you went about your investigation and highlighting potential pieces of evidence that suggest Xaiver was or was not involved in selling and exporting counterfeit drugs.
PART 3 [15%]
BridgePay is a digital escrow payments service based in the UK. Its core application consists of a web application and an SQL database hosted on various Ubuntu 18 servers.
From the web front-end, staff of BridgePay can access an administrator-only area where they can view transactions made by customers. The web-based front-end and the mobile app can also be accessed by customers (buyers and sellers) using a web browser.
On the 3rd of June 2024, the company underwent a security audit which identified that some of its applications are vulnerable to:
● CWE-434: Unrestricted Upload of File with Dangerous Type
● CWE-78: Improper Neutralisation of Special Elements used in an OS Command ('OS Command Injection')
● CWE-918: Server-Side Request Forgery (SSRF)
On the 19th of October 2024, at 3pm, the company received an email from a third party claiming to have accessed its IT network and downloaded its customers' data, and demanding payment in bitcoin within three days to avoid public release of the data.
Assuming you work for BridgePay as an incident response and forensics analyst, explain how you would go about handling this incident to ensure that digital evidence is captured, forensic integrity is maintained and business operations suffer minimal impact.
PART 4 [20%]
Your colleague, an IT administrator, suspects that there is suspicious activity on the network and has provided you with a network capture. Using your knowledge of cybersecurity and network forensics, you are required to analyse the PCAP file 2024_part_4.pcapng and suggest what you think might be going on in the network packet sequence.