Scenario
It’s Friday at 5pm. You are packing up your desk for the weekend when suddenly your phone rings. “Hello, DFIR consulting,” you reply.
The voice on the other end sounds panicked. They inform you that one of their machines appears to be compromised and that it held critical data for their company. They are very concerned about the data being stolen as they are set to IPO in just 2 weeks.
They insist that you look at their system ASAP and have already gone to the trouble of taking a memory dump and collecting a listing of open ports and running processes. Their IT administrator has also provided you with a forensic E01 image of the system.
Scoping Call Notes
- AV was installed but the user had the C:\ drive set as an exception
- No Firewall or IDS logs available
- The user noticed a strange network connection when running netstat on May 17, 2019
- Customer is especially concerned with data exfiltration
- Windows 10 OS
- Law enforcement has not been notified
Goals
- Identify how the attacker got in
- Identify the attacker's IP address and ports used for communication
- Identify if any data was exfiltrated
- Identify if persistence was established
Submit your answers to brokenbit.io @ protonmail.com