Lab 2: Online-Based Forensics
You recently began a new position as a member of a large manufacturing firm’s computer incident response team (CIRT). Your role is to investigate threats that are identified by the forensic investigators in their forensic analysis of compromised devices.
Your Chief Information Security Officer (CISO) was informed of a campaign affecting others in your industry on July 23, 2015. Upon examination of some of the equipment connected to your corporate network, your CIRT has identified two suspicious files. It is your job to put together a write-up for the CISO that discusses your investigation of the following information. The write-up should be approximately 500 words and include screenshots and graphics.
Two suspicious files have been identified:
- Filename: trfg.exe, MD5: 322fcf1b134fef1bae52fbd80a373ede
- Filename: furjhf83.jar, MD5: 856de08a947a40e00ea7ed66b8e02c53
Based on the tools I discussed in the lecture, please address the following questions. Note: You are NOT allowed to collaborate on this lab.
- When were these files first identified in the wild?
- Have these files been used recently?
- Based on when they were discovered and on the data you have found online, can we say anything about the threat actors we may be dealing with?
- Are these two files related to each other?
- Are these files possibly part of a larger campaign?
  - If yes, which ones?
- Are there other files (hashes or filenames) that are related to these two files?
- Can we link any email addresses to the provided files or other files that you have determined to be related to these files?
- Given what you have uncovered, what do you think your next steps should be?
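The questions above amount to one pivoting workflow: look up each hash, note first and last sightings, find indicators the two files share, follow those indicators to further files, and harvest any contact details along the way. The script below is an added illustration of that workflow and is not part of the lab or its lecture tools; the two MD5s and the July 23, 2015 date come from the lab, while every enrichment record, domain, address and the third hash are constructed placeholders in an assumed lookup-result shape, to be replaced with what your own online lookups return.

```python
"""Offline pivot over hash-lookup results to answer the lab's questions.
Every enrichment record below is CONSTRUCTED placeholder data, not real
intelligence about the two lab hashes; swap in what your lookup tool returns."""
import re
from datetime import date, timedelta

TRFG_EXE = "322fcf1b134fef1bae52fbd80a373ede"      # trfg.exe (hash given in the lab)
FURJHF83_JAR = "856de08a947a40e00ea7ed66b8e02c53"  # furjhf83.jar (hash given in the lab)
THIRD = "PLACEHOLDER_MD5_OF_RELATED_FILE"          # constructed stand-in for a pivoted-to file
NOTICE_DATE = date(2015, 7, 23)                    # day the CISO learned of the campaign

# Assumed shape of a reputation/sandbox lookup result: first/last sighting,
# observed indicators (domains, IPs), and free-text submitter notes.
RECORDS = {
    TRFG_EXE: {"first_seen": date(2015, 7, 10), "last_seen": date(2015, 7, 22),
               "indicators": {"c2.example.invalid", "203.0.113.7"},
               "notes": "uploaded by reporter@example.invalid"},
    FURJHF83_JAR: {"first_seen": date(2015, 7, 5), "last_seen": date(2015, 7, 21),
                   "indicators": {"c2.example.invalid", "update.example.invalid"},
                   "notes": "no contact details"},
    THIRD: {"first_seen": date(2015, 3, 2), "last_seen": date(2015, 4, 30),
            "indicators": {"update.example.invalid"},
            "notes": "registrant Reporter@Example.invalid, see ticket"},
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def first_seen(h):
    """Earliest sighting as an ISO date string (first identified in the wild?)."""
    return RECORDS[h]["first_seen"].isoformat()

def used_recently(h, as_of=NOTICE_DATE, window_days=30):
    """'Recent' means a sighting within window_days of the CISO's notice date."""
    return as_of - RECORDS[h]["last_seen"] <= timedelta(days=window_days)

def shared_indicators(a, b):
    """Two files are treated as related when they share infrastructure."""
    return sorted(RECORDS[a]["indicators"] & RECORDS[b]["indicators"])

def pivot(seed):
    """Breadth-first pivot: every other hash reachable through shared indicators."""
    found, queue = {seed}, [seed]
    while queue:
        cur = queue.pop(0)
        for other in RECORDS:
            if other not in found and shared_indicators(cur, other):
                found.add(other)
                queue.append(other)
    return sorted(found - {seed})

def linked_emails(hashes):
    """Email addresses mentioned in the notes of the given hashes, case-folded."""
    return sorted({m.lower() for h in hashes for m in EMAIL_RE.findall(RECORDS[h]["notes"])})

if __name__ == "__main__":
    cluster = [TRFG_EXE] + pivot(TRFG_EXE)
    print("cluster:", cluster, "emails:", linked_emails(cluster))
```

Note that the third file joins the cluster only transitively (through the .jar), which is exactly the kind of link worth stating explicitly, with its evidence, in the write-up.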