Scenario
It’s Monday morning and you are just finishing your second cup of coffee. Your mind wanders and thinks back to your fun weekend of hiking the Rocky mountains with your friends. Suddenly, you are jolted back to the present as your phone rings on your desk.
“Hello, DFIR consulting, how may I help you?” you respond. The voice on the other end sounds a bit agitated. “Yeah, this is John from Arm Chair QB inc, we have an employee who apparently was downloading pirated movies and now his machine is acting weird. We can’t figure out whats wrong with it, can you help?”
Scoping Call Notes
- Odd behavior noticed on June 5th 2019
- The user said that they turned off antivirus so they could watch pirated movies
- No Firewall or IDS logs available
- The customer performed a disk image as well as a collection of volatile data
- The user admitted they were browsing Torrent sites trying to download John Wick Chapter 3
- Law enforcement has not been notified
- Windows 10 OS
Goals
- Identify how the attacker got in
- Identify the attackers IP address and ports used for communication
- Identify if any data was exfiltrated
- Identify if persistence was established
Submit your answers to brokenbit.io @ protonmail.com