Incident Response: Investigation of Cryptolocker (trace analysis with Wireshark and Windows 2003 Server)

Module name: Advanced Cloud and Network Forensics
Coursework Assignment
Title: Incident Response: Investigation of Cryptolocker

Outline Requirements

A company has reported that there has been some malicious activity within their company related to Cryptolocker-type activity. The critical incident response team has managed to get a virtual image of the host under suspicion (HUS), along with other traces of evidence that could be used for the investigation (this includes both host activity on the system and network traces).

It is thus your objective to investigate the virtual image, and produce a fair and unbiased report on the findings.

The VM image exists in the attachment, which also contains the network trace, which can also be downloaded from:

The analysis should involve analysing the network trace for the connections from the hosts which connected to the host under suspicion (HUS). Along with this you should analyse and cross-correlate the activity within the logs on the HUS, and the trace of files left on the system. Evidence should also be gained from the applications which were used within the time window of interest. Please note that all other activity outside this window of interest should be ignored.

Host under suspicion: Production -> Crypto -> Crytpo_001, Crypto_002

Marking schedule

The coursework should be submitted via Turnitin if possible. It will be marked as follows:

- Investigation Procedure [20%]. This should outline your procedures for analysing the virtual image.
- Findings [45%]. This should outline the trail of evidence produced, and the findings from it.
- Conclusions [20%]. This should reflect on the methods you have used in the report, assess their strengths and weaknesses, and record any observations that you have gained.
- References/Presentation [15%]. All references must be defined in an APA/Harvard format, and should be integrated in the report.

The report should use the APA/Harvard format for all of the references, and, if possible, should include EVERY reference to material sourced from other places. Also, the report should be up to 20 pages long (where appendices do not count in the page count).

Marking approach

There are multiple communications within the network trace, some of which have possible malicious intent, and others which are normal, non-malicious content. As part of the analysis you should:

- In the report, define a strict methodology that you would apply in actually undertaking the investigation.
- Take reasoned judgements as to the nature of the trace of network activity.
- Where faced with suspect content, try to uncover the root of the evidence, such as cracking cipher codes. The methods tried should be clearly defined in the report.
- Define the timeline of activity involved in the possible malicious activity.
- Cross-corroborate the network traces with the system traces that appear on the host system (such as examining system logs, audit logs, and the file attributes), and report on any suspicious activities.
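The last two points (building a timeline restricted to the window of interest, then cross-corroborating host log entries with network-trace records) can be made concrete with a small script. This is an added example, not part of the coursework brief or its evidence set: the host log lines, the network summary lines (the kind of per-packet summary that can be exported from Wireshark), the IP addresses, the timestamps and the window boundaries are all constructed here for illustration, and the indicator rules (an executable launched from a Temp directory, a file with an `.encrypted` suffix) are assumptions chosen to show the mechanics of the correlation, not findings from the real image.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample host log (Windows-style process-creation and object-access
# records flattened to key=value tokens). Not taken from the coursework image.
HOST_LOG = """\
2013-11-04 09:58:12 EventID=4688 Process=C:\\Windows\\explorer.exe User=jsmith
2013-11-04 10:01:33 EventID=4688 Process=C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice.pdf.exe User=jsmith
2013-11-04 10:02:05 EventID=4656 Object=C:\\Users\\jsmith\\Documents\\budget.xlsx Access=WriteData
2013-11-04 10:02:07 EventID=4656 Object=C:\\Users\\jsmith\\Documents\\budget.xlsx.encrypted Access=WriteData
2013-11-04 14:30:00 EventID=4688 Process=C:\\Windows\\notepad.exe User=jsmith
"""

# Constructed network summary (one line per flow start), using documentation
# address ranges. Not taken from the coursework trace.
NET_TRACE = """\
2013-11-04 09:59:40 192.168.1.20 -> 192.168.1.1 udp/53 dns
2013-11-04 10:01:20 192.168.1.20 -> 203.0.113.7 tcp/80 http
2013-11-04 10:01:51 192.168.1.20 -> 198.51.100.9 tcp/443 tls
2013-11-04 10:02:10 192.168.1.20 -> 198.51.100.9 tcp/443 tls
2013-11-04 13:00:00 192.168.1.20 -> 192.168.1.1 udp/53 dns
"""

# Window of interest (assumed for the example); everything outside it is ignored.
WINDOW_START = datetime(2013, 11, 4, 10, 0, 0)
WINDOW_END = datetime(2013, 11, 4, 10, 5, 0)


@dataclass(order=True)
class Event:
    ts: datetime
    source: str                 # "host" or "net"
    detail: str                 # raw text after the timestamp, kept for the report
    fields: dict = field(default_factory=dict, compare=False)


def parse_host_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into host Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:19], TS_FMT)
        fields = dict(tok.split("=", 1) for tok in line[20:].split())
        events.append(Event(ts, "host", line[20:], fields))
    return events


NET_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+) (\w+)/(\d+) (\w+)$")


def parse_net_trace(text):
    """Parse 'YYYY-MM-DD HH:MM:SS src -> dst proto/port app' lines into net Events."""
    events = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        fields = {"src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                  "port": m.group(5), "app": m.group(6)}
        events.append(Event(ts, "net", line[20:], fields))
    return events


def build_timeline(events, start=WINDOW_START, end=WINDOW_END):
    """Merge host and network events and keep only those inside the window."""
    return sorted(e for e in events if start <= e.ts <= end)


def is_suspicious_host_event(ev):
    """Assumed indicators: an .exe run from a Temp folder, or a file renamed to .encrypted."""
    path = (ev.fields.get("Process") or ev.fields.get("Object") or "").lower()
    return path.endswith(".encrypted") or (path.endswith(".exe") and "\\temp\\" in path)


def correlate(timeline, window_seconds=30):
    """For each flagged host event, collect network events within +/- window_seconds."""
    delta = timedelta(seconds=window_seconds)
    net = [e for e in timeline if e.source == "net"]
    hits = []
    for ev in timeline:
        if ev.source == "host" and is_suspicious_host_event(ev):
            nearby = [n for n in net if abs(n.ts - ev.ts) <= delta]
            hits.append((ev, nearby))
    return hits


if __name__ == "__main__":
    tl = build_timeline(parse_host_log(HOST_LOG) + parse_net_trace(NET_TRACE))
    for e in tl:
        print(e.ts.strftime(TS_FMT), e.source.upper(), e.detail)
    print()
    for host_ev, nearby in correlate(tl):
        print("FLAGGED:", host_ev.ts.strftime(TS_FMT), host_ev.detail)
        for n in nearby:
            print("   net +/-30s:", n.ts.strftime(TS_FMT), n.detail)
```

In a real investigation the two parsers would be replaced by readers for the actual evidence (for example an evtx export and a Wireshark CSV export), and the correlation window and indicator rules would be stated explicitly in the methodology section so the reader can judge them; the value of the approach is that every flagged host event is reported together with the network activity that surrounds it, which is exactly the cross-corroboration the brief asks for.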