Helen Frey

Today, digital devices are more and more present in illegal activities and it is the job of the forensic investigators to find the trail of digital fingerprints, via artefacts and metadata, in these devices to establish whether it was in fact used in a crime. Cyber-crime takes many forms from ransomware to destruction of property. The purpose of this project is to establish a timeline of events that occurred on two hard drives that have had attacks of some sort perpetrated on them. 

Timelines represent a visual form of chronological events that link the metadata of an event within a computer to an event in the “real world”

A test-bed was created to enable a third-party cyber-security expert to launch an attack to simulate the compromised hard drives.

The investigation took place on both a Linux and a Windows operating system and metadata were found on both that indicated an attack had taken place. This metadata was extracted, analysed, and correlated to create a timeline of events. It was found that an initial breach was by a Camaleon Trojan. This was followed by HTTP Remote, Shell-code Binding, CSRF and Alchemy exploits on the Linux machine. The MsAsDesc Trojan allowed for activity to be monitored and recorded. Access Control Lists permitted privilege escalation and new users were added with Root privilege. The Windows computer was accessed, files were deleted, folders were created, populated and then exfiltrated and the web server was also compromised.