Our Scenarios

Guilty Or Not Guilty 2

Digital forensics job

Detailed Description

You are applying for a new Job in digital forensics tend to have titles like "investigator," "technician" or "analyst," depending on your level of seniority and specialization. The majority of these jobs in the digital forensics field lie in the public sector — in law enforcement, for state or national agencies, or for crime labs, though the latter might be privately run and contract with public agencies. In the interview application the examiner committee asked you “ How digital forensics is used in investigations? “ And as you answered that “ There are a number of process models for digital forensics, which define how forensics examiners should proceed in their quest to gather and understand evidence. While these can vary, most processes follow four basic steps: Collection, in which digital evidence is acquired. Examination, in which various methods are used to identify and extract data. Analysis, in which the data that's been gathered is used to prove (or disprove!) the case being built by examiners. For each relevant data item, examiners will answer the basic questions about it who created it? who edited it? how was it created? when did this all happen? — and attempt to determine how it relates to the case. Finally Reporting, in which the data and analysis are synthesized into a format that can be understood by laypeople. Then the committee offers to you this memory image named evd.mem Asked you to use the right tool to investigate and answer these questions:

  1. Which libraries have been infected by malware,
  2. Which services that were running on the system have been compromised by malware,
  3. If connections were made with the internet service.

Technical Description

The scenario contain a windows 7 machine with the Volatility setup. The forensic images ie evd.mem and Volatility are stored on the Desktop.

Expected Outcome

Your task is to make a simple chain of custody of these images. Since you have no prior information about the image you must use the suitable command to check what is the suggested profile for each image.