CCF20303 – Digital Investigation
Digital Investigation
(CCF20303)
Lab Report 3
Received Date: 29/4/2024
Submission Date: 15/5/2024
Weightage: 15%
Semester: February 2024
Lecturer: Dr. Wan Basri Wan Ismail
Instruction to students:
• This is a GROUP assignment.
• Complete this cover sheet and attach it to your assignment (first page).
Student declaration:
I declare that:
• This assignment is my own work
• I understand what is meant by plagiarism
• My lecturer has the right to deduct my marks in the case of the following:
- Late submission
- Any plagiarism found in my assignment.
Name Student ID
FARID ADAM BIN CHE HAMID 012023022108
ALASTER NATHANAEL A/L MARIAPUSPHANATHAN 012022020350
SANGEETHA A/L RAVI 012022020198
Total
MARKS:
Digital Investigation – CCF20303
Session: February 2024
Lab Report 3
(presentation 10%, report 5%)
INSTRUCTIONS:
1. The report must be completed as a written document, written lab report, and lab
exercise during practical class time, with at least ten pages per question.
2. Please use font size 10-12, font type Times New Roman with 1.5 line spacing.
3. Please submit the hard copy of the report during the class session and upload the
softcopy in the eklass portal.
4. Please use the cover page as provided and print in white color.
5. Provide the answer based on the given rubric.
6. Mode: GROUP (3 students)
7. Date of submission: 15/5/2024
** If you have difficulties submitting the assignment according to the date given,
please come and discuss it with me.
TASK A
Scenario:
On April 30th, 2023, the IT security team at a large financial institution received an alert
about suspicious network activity on one of their critical servers. The system administrators
quickly identified that the server was being regularly pinged from an unknown external IP
address.
The IT team decided to capture a memory dump of the affected server using FTK Imager, a
powerful digital forensics tool, to investigate the source and nature of the ping activities.
The memory dump was securely transferred to the incident response team, who initiated a
comprehensive analysis to uncover any potential security breaches or unauthorized network
connections.
The analysis process involved the following steps:
1. Verification:
- The incident response team verified the integrity and authenticity of the memory dump
by comparing the hash values generated during the acquisition process.
- This step ensured that the acquired memory dump was an exact copy of the original
system memory, without any tampering or data loss.
2. Network Activity Analysis:
- Using FTK Imager's advanced capabilities, the analysts carefully examined the memory
dump for any signs of network activity, including open network connections, established
TCP/UDP sessions, and active network interfaces.
- The team focused on identifying the specific processes or services responsible for the
ping activities and their associated network connections.
3. Process Identification:
- The analysts identified and extracted information about all running processes, including
their process IDs, memory usage, and command-line arguments.
- This information helped the team understand the system's state at the time of the memory
capture and pinpoint any processes that might be associated with the suspicious ping
activities.
4. Artifact Extraction:
- The team extracted various artifacts from the memory dump, such as network connection
details, DNS cache entries, and any suspicious log files or event data related to the ping
activities.
- These artifacts provided valuable insights into the nature and potential source of the ping
activities.
5. Correlation and Reporting:
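Steps 1 and 4 of the analysis above, as an added Python example that is not part of the lab report and not FTK Imager's own code: the acquisition record is assumed to be a simple {algorithm: hexdigest} mapping, and the "memory capture" is a constructed stand-in file, not a real dump.

```python
import hashlib
import hmac
import re
import tempfile

# Added example, not from the lab report: step 1 re-hashes the acquired image against
# the digests noted at acquisition; step 4 carves IPv4 strings out of the raw image.
def hash_image(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Stream the image once, feeding every requested hash; returns {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, recorded):
    """recorded: {name: hexdigest} copied from the acquisition record (format assumed).
    Returns {name: matched}; any False means the copy cannot be relied on as evidence."""
    computed = hash_image(path, tuple(recorded))
    return {name: hmac.compare_digest(computed[name].lower(), digest.strip().lower())
            for name, digest in recorded.items()}

# Dotted quad with octets 0-255; the look-arounds reject "999.1.2.3" and "10.0.0.1234".
IPV4 = re.compile(rb"(?<![0-9.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                  rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![0-9.])")

def carve_ipv4(path, chunk=1 << 20, overlap=16):
    """Distinct IPv4 strings in the raw image. A match counts only once the bytes on both
    sides are known; the last `overlap` bytes are re-scanned so a split address is kept."""
    found = set()
    with open(path, "rb") as f:
        tail, block, base = b"", f.read(chunk), 0  # base: file offset of data[0]
        while block:
            nxt = f.read(chunk)
            data = tail + block
            for m in IPV4.finditer(data):
                if (m.start() > 0 or base == 0) and (m.end() < len(data) or not nxt):
                    found.add(m.group().decode())
            tail, block = data[-overlap:], nxt
            base += len(data) - len(tail)
    return sorted(found)

def build_sample_image():
    """Constructed stand-in for a memory capture (not a real dump); returns (path, hashes)."""
    payload = (b"\x00" * 5 + b"PING 203.0.113.77 reply\x00" + b"999.1.2.3 10.0.0.1234 "
               b"dns:example.test A 192.0.2.10\x00")
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mem") as tmp:
        tmp.write(payload)
    return tmp.name, hash_image(tmp.name)
```

Hashing streams the file in fixed-size reads because a server memory image is far larger than what should be loaded at once; the carver re-scans a short overlap so an address cut by a read boundary is neither dropped nor reported truncated.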