Securing Digital Evidence
Part I: Local Operating System Exploitation
The steps a malicious user would take to use fgdump to capture the passwords on a system
fgdump is a tool used to extract NTLM and LanMan password hashes from Windows systems. It has been identified as a more powerful tool than pwdump6, which can hang whenever it notices the presence of an antivirus product; fgdump handles this problem by shutting the antivirus down before it runs (Afreen et al., 2020). Afterwards it restarts the antivirus software, and it supports multi-threading, which is vital for multitasking and multi-user environments (Afreen et al., 2020). Furthermore, the tool includes all the functionality of pwdump, including but not limited to grabbing credentials, remote execution, and protecting the dumped information on a remote host.
fgdump follows a fixed sequence of steps to capture the passwords on a system. First, the tool binds to the remote machine through an inter-process communication (IPC) connection. Next, it stops the antivirus from operating if one was installed on the system. Third, it locates the file shares exposed on the Windows machine and identifies a writeable share from the recognized list (Pektaş et al., 2019). It then uploads the cache dump tool and runs pwdump, cache dump, and pstdump in turn. The next step is deleting the uploaded files from the share. The remote share is then unbound, and the antivirus is restarted if it had been running initially (Pektaş et al., 2019). The final step is unbinding the IPC connection so that no user can tell that the passwords were captured from the system.
How a user can use a password look-up site to find a password from a hash
A user can find the password from a hash by first identifying the hash type with hash-identifier. The user will first be required to download and install hash-identifier on the Windows system. The user can then open a terminal window in the directory of the Python script and run the command ls, which lists all the contents of that directory (Pinkas et al., 2022). The user should then fingerprint all the unknown hashes and settle on one of the hashes to crack (Pinkas et al., 2022). This is followed by looking up the hashcat hash modes that correspond to the type reported by hash-identifier. Comparing the responses from the hashcat website can then assure the user that the correct password has been found from the hash.
Part 2: Static and Dynamic Malware Analysis
Detecting Malware
The procedure for detecting malware on a Windows computer comprises nine easy steps. First, ensure that the computer has an active internet connection. Next, go to the sysinternals.com website and download both Process Explorer and Autoruns, free of charge. Then unzip both programs; for Process Explorer use procexp.exe, and for Autoruns use autoruns.exe (Aslan et al., 2020). After this, right-click the program and run it as an administrator. Begin with Process Explorer, select the VirusTotal.com option, and then select Check VirusTotal.com (Aslan et al., 2020). Selecting these options submits all running executables to the VirusTotal website for checking. When a pop-up message asks you to accept the license, press Yes. After this, close the VirusTotal website and run Process Explorer, which reports detections in ratio format (detecting engines over total engines), such as 0/67 or 16/66.
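The ratio column that Process Explorer shows is only useful if someone turns it into a decision. The following is an added example, not part of the original text or of the Sysinternals tools, that parses constructed "hits/engines" values of the kind described above, treats anything that is not a ratio (a hash VirusTotal has never seen) as unknown rather than clean, and orders the non-clean processes for follow-up; the 10% threshold is an assumed triage policy.

```python
import re
from typing import NamedTuple

# Constructed sample rows (process name, PID, VirusTotal column) in the shape
# Process Explorer displays. Values are illustrative, not real scan results.
SAMPLE_ROWS = [
    ("explorer.exe", 1234, "0/67"),
    ("svchost.exe", 880, "0/66"),
    ("updater.exe", 4410, "16/66"),
    ("helper.exe", 5120, "1/65"),
    ("tmp1.exe", 6000, "Unknown"),   # hash not known to VirusTotal
]

RATIO_RE = re.compile(r"^(\d+)/(\d+)$")

class Verdict(NamedTuple):
    name: str
    pid: int
    detections: int
    engines: int
    label: str

def classify_ratio(result: str, suspicious_at: float = 0.10) -> tuple[int, int, str]:
    """Turn a 'hits/engines' string into a label; non-ratio text is 'unknown', not clean."""
    m = RATIO_RE.match(result.strip())
    if not m:
        return (0, 0, "unknown")
    hits, engines = int(m.group(1)), int(m.group(2))
    if engines == 0 or hits > engines:          # malformed ratio, do not trust it
        return (hits, engines, "unknown")
    if hits == 0:
        return (hits, engines, "clean")
    if hits / engines >= suspicious_at:         # assumed policy: 10% of engines or more
        return (hits, engines, "likely-malicious")
    return (hits, engines, "suspicious")

def triage(rows) -> list[Verdict]:
    """Return every non-clean process, highest detection fraction first, unknowns last."""
    verdicts = [Verdict(name, pid, *classify_ratio(result)) for name, pid, result in rows]
    flagged = [v for v in verdicts if v.label != "clean"]
    return sorted(flagged, key=lambda v: v.detections / v.engines if v.engines else -1.0, reverse=True)
```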
Malware Analysis
Malware analysis refers to understanding the behavior and purpose of a suspicious file or URL. The results of this evaluation aid in the detection and mitigation of potential threats. Deep behavioral analysis, together with the identification of shared code and infrastructure, makes detecting related threats an easier task. Furthermore, detecting malware in a system entails identifying the behaviors and artifacts that attackers could use to access a particular network connection used by the organization (Chakkaravarthy et al., 2019). Therefore, by searching the firewall or proxy logs for these artifacts, the IT expert can quickly locate the presence of these threats on the network.
The various stages of malware analysis identify the multiple types of malware within the system. For instance, interactive behavior analysis determines the malware's registry, file system, process, and network activity. Static properties analysis gathers information about the malware's code, header details, hashes, and embedded resources; this information can then be used for in-depth investigation with other, more comprehensive techniques (Chakkaravarthy et al., 2019). Finally, fully automated analysis can be used to identify the potential repercussions had the malware been permitted to gain access to the network.
Ransomware has been identified as the fastest-growing malware threat and will bring about multiple problems in the future. Ransomware is a form of malware that encrypts files on a network. Once the essential files within the organization have been encrypted, the attacker demands a significant payment before relinquishing the key needed to decrypt the files so that they can be accessed and used again (Chakkaravarthy et al., 2019). In most cases, the attackers have demanded a ransom of between $1,000 and $20,000. This kind of threat can infect many devices, from computers and tablets to smartphones. However, paying the amount requested by the attacker guarantees neither that the files will be recovered without errors nor that the attacker will send the decryption key.
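The static properties analysis described above (header details, hashes, section layout) can be illustrated without touching real malware. The following is an added example, not part of the original text or of any cited paper: it constructs a minimal, non-executable PE image in memory (labelled as constructed) and then extracts from it the fields a first static pass records, using only the standard library; the field offsets are those of the PE/COFF format.

```python
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (headers only, no code, not malware)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: x64, 2 sections, timestamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1_600_000_000, 0, 0, 0, 0x0022)
    sections = b""
    for name, vsize, vaddr, rsize, raw_ptr, chars in (
        (b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),   # CODE|EXECUTE|READ
        (b".rsrc", 0x0400, 0x2000, 0x200, 0x400, 0x40000040),   # INITIALIZED_DATA|READ
    ):
        sections += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, raw_ptr, 0, 0, 0, 0, chars)
    return dos_header + b"PE\x00\x00" + coff + sections

def pe_static_properties(data: bytes) -> dict:
    """Extract header details and file hashes, as a static-properties pass would."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    sect_off = coff_off + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, vsize, _, rsize, _, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "executable": bool(schars & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
            "writable": bool(schars & 0x80000000),     # IMAGE_SCN_MEM_WRITE
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),                # IMAGE_FILE_DLL
        "sections": sections,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
```

The hashes are what would be looked up on VirusTotal or in a known-bad list; a writable-and-executable section or a compile timestamp in the future are the kind of header oddities that justify moving on to behavioral analysis.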
References
Afreen, A., Aslam, M., & Ahmed, S. (2020, October). Analysis of Fileless Malware and its Evasive Behavior. In 2020 International Conference on Cyber Warfare and Security (ICCWS) (pp. 1-8). IEEE. Retrieved on 13th April 2022, from https://ieeexplore.ieee.org/abstract/document/9292376/
Aslan, Ö. A., & Samet, R. (2020). A comprehensive review of malware detection approaches. IEEE Access, 8, 6249-6271. Retrieved on 13th April 2022, from https://ieeexplore.ieee.org/iel7/6287639/8948470/08949524.pdf
Chakkaravarthy, S. S., Sangeetha, D., & Vaidehi, V. (2019). A survey on malware analysis and mitigation techniques. Computer Science Review, 32, 1-23. Retrieved on 13th April 2022, from https://www.sciencedirect.com/science/article/pii/S1574013718301114
Pektaş, A., & Başaranoğlu, E. (2019). Practical Approach for Securing Windows Environment: Attack Vectors and Countermeasures. International Journal of Network Security & Its Applications (IJNSA) Vol, 9.
Pinkas, M. N. B., & Ronen, E. How to (not) Share a Password: Privacy preserving protocols for finding. Retrieved on 13th April 2022, from http://www.wisdom.weizmann.ac.il/~/eyalro/pdf/How%20to%20%28not%29%20Share%20a%20Password%20-%20RWC%20-%2009012019.pdf
Question
Part 1: Local Operating System Exploitation
1) Detail the steps a malicious user would take to use fgdump to capture the passwords on a system.
2) Detail how a user can use a password look-up site to find a password from a hash.
Part 2: Static and Dynamic Malware Analysis
1) In a paragraph, explain the procedures for detecting malware.
2) Based on the Incident Response Playbook, personal experience, and any additional resources online, develop three paragraphs describing the malware analysis portion of the forensic analyst portion of the playbook. The paragraphs should include detection, identification, and analysis of possible future malware discoveries.