Case Study: Forensic Analysis of Security Incident


The company Invent SL, which has offices in Australia, Italy and Spain, has suffered a security incident in each one of them.

Headquarters in Australia

On the one hand, at the headquarters in Australia, a leak of sensitive information belonging to several employees (email addresses and passwords) has been detected. The affected users report that over the last few days they received a suspicious email campaign carrying HTML attachments that imitate the Office 365 portal. The company does not use two-factor authentication (2FA), so an attacker could access corporate mail and other Internet-facing applications hosted by Microsoft. Since the company has more than 10,000 employees, resetting and blocking all accounts is not possible for business-continuity reasons, so only the affected accounts must be identified.

Headquarters in Italy

On the other hand, in Italy, unauthorized access to one of the company's accounting servers has been detected during a periodic review by the IT team. In this case, the team plans to hire an external provider to take charge of the incident.

Headquarters in Spain

Finally, at the headquarters in Spain, an attack was detected on one of the servers of its textile factory. All files on the server have been encrypted and given the extension “.NM4”. These machines were patched against MS17-010.

Since we are part of the company's incident response team, our mission is to find out what has happened in each of these situations.

For this, the IT team has provided us with the following evidence:

  • Australia: web proxy traffic logs for the date range in which the incident occurred.
  • Italy: not applicable, since the incident will be handled by an external provider.
  • Spain: the system's open-port status and part of the ransom note.

Requested work

Before analyzing the evidence:

  • What type of threat has impacted the Australian headquarters? (0.5p)
  • What type of threat has impacted the Madrid headquarters? (0.25p)
  • What risk does an organization face when an information leak such as the one in the Australian incident occurs? (0.75p)

About the incident in Italy:

  • Should the machine be disconnected from the network for analysis? (0.2p)
  • Which hardware component of the server should be cloned or dumped before the machine is powered off? (0.1p)
  • Which well-known command would be used to clone the hard disk? Give an example invocation. (0.2p)
  • What should be calculated after cloning the disk in order to verify its integrity? (0.1p)
  • Briefly describe the chain of custody that must be followed when handing the evidence over to the external provider (max 15 lines). (0.4p)

Analyze the evidence provided for the Australian headquarters:

  • Write a script that parses the provided traffic capture and prints the final result on the command line. (2p)
  • Which user email addresses have been affected? A manual analysis may be carried out if the previous task was not completed. (1.5p)

Analyze the evidence provided for the Madrid headquarters:

  • How does this type of threat work? (max 5 lines) (1p)
  • Could the data be recovered today? (0.25p)
  • What entry vector was used by this threat? (Use the evidence spain.jpg) (0.75p)
  • Propose countermeasures for the Australian headquarters so that this type of incident does not happen again. (1p)
  • Propose countermeasures for the Madrid headquarters so that this type of incident is not repeated. (1p)

General notes:

  • Do not overcomplicate it (it is simpler than you think).
  • Not everything is covered in the course material; you will need to look up some concepts in other sources (as any analyst would).
  • The URLs contained in the ransom note from Spain (spain_recover_files_message.png) are not relevant, and accessing them is not advisable, since doing so poses a risk to the student's computer.