
Incident Response: Cryptolocker Crime Investigation

A crime is suspected around Cryptolocker activity, and the incident response team have captured evidence related to the suspected crime. Your objective is to investigate the virtual image and produce a fair and unbiased report on the findings. The VM image exists within the Napier DFET Cloud in the Production -> Cryptolocker folder (crypto_001, crypto_002, and so on), which also contains the network trace (the trace is also available as a separate download).

The analysis should examine the network trace for the connections from the hosts which connected to the host-under-suspicion (HUS). Along with this you should analyse and cross-correlate the activity within the logs on the HUS, and the trace of files left on the system. Evidence should also be gained from the applications which were used within the time window of interest. Please note that all other activity outside this window of interest should be ignored.

Marking schedule

The coursework should be submitted via Turnitin, in PDF format if possible, on Monday 27 April 2015. It will be marked as follows:

  • Investigation Procedure [20%]. This should outline your procedures for analysing the virtual image.
  • Findings [45%]. This should outline the trail of evidence produced, and the findings from it.
  • Conclusions [20%]. This should reflect on the methods you have used in the report, assess their strengths and weaknesses, and give any observations that you have gained.
  • References/Presentation [15%]. All references must be defined in an APA/Harvard format, and should be integrated in the report.

The report should use the APA/Harvard format for all of the references, and, if possible, should include EVERY reference to material sourced from other places. Also, the report should be up to 20 pages long (appendices do not count towards the page limit).

Marking approach

There are multiple communications within the network trace, some of which have possible malicious intent, and others which are normal non-malicious content. As part of the analysis you should:

  • In the report, define a strict methodology that you would apply in actually undertaking the investigation.
  • Take reasoned judgments as to the nature of the trace of network activity.
  • Where faced with suspect content, try to uncover the root of the evidence, such as cracking cipher codes. The methods tried should be clearly defined in the report.
  • Define the timeline of activity involved in the possible malicious activity.
  • Cross-correlate the network traces with the system traces that appear on the host system (such as examining system logs, audit logs, and the file attributes), and report on any suspicious activities.
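As an added example (not part of the coursework brief or the site's own material), the following Python script shows the cross-correlation step above: it merges connections involving the HUS with host log events into one timeline restricted to the window of interest, and flags host events that follow a HUS connection within a short tolerance. The HUS address, the window, and every connection record and log line are constructed sample data.

```python
from datetime import datetime, timedelta

HUS_IP = "10.0.0.5"   # assumed address of the host-under-suspicion
WINDOW = (datetime(2015, 3, 2, 14, 0), datetime(2015, 3, 2, 15, 0))  # window of interest

# Constructed connection records as exported from the trace:
# (timestamp, source IP, destination IP, destination port).
NET_RECORDS = [
    ("2015-03-02 13:55:10", "10.0.0.9", "10.0.0.5", 445),      # before the window
    ("2015-03-02 14:02:31", "10.0.0.7", "10.0.0.5", 3389),
    ("2015-03-02 14:10:05", "10.0.0.5", "198.51.100.23", 443),
    ("2015-03-02 14:20:00", "10.0.0.7", "10.0.0.8", 80),       # does not involve the HUS
]
# Constructed host log entries from the HUS: (timestamp, event text).
HOST_EVENTS = [
    ("2015-03-02 14:02:45", "EventID 4624 logon type 10 user=admin"),
    ("2015-03-02 14:10:40", "file created C:\\Users\\admin\\unknown.exe"),
    ("2015-03-02 14:45:00", "EventID 4624 logon type 2 user=bob"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_timeline(net_records, host_events, hus_ip, window):
    """Merge HUS connections and host events into one list of
    (timestamp, source, description), keeping only the window of interest."""
    start, end = window
    items = [(parse_ts(ts), "net", f"{src} -> {dst}:{port}")
             for ts, src, dst, port in net_records if hus_ip in (src, dst)]
    items += [(parse_ts(ts), "host", text) for ts, text in host_events]
    return sorted(i for i in items if start <= i[0] <= end)

def correlate(timeline, tolerance=timedelta(seconds=60)):
    """Pair each host event with HUS connections seen up to `tolerance`
    before it. Pairs are leads to verify against the evidence, not proof."""
    nets = [i for i in timeline if i[1] == "net"]
    return [(ntext, text)
            for ts, kind, text in timeline if kind == "host"
            for nts, _, ntext in nets if timedelta(0) <= ts - nts <= tolerance]

if __name__ == "__main__":
    tl = build_timeline(NET_RECORDS, HOST_EVENTS, HUS_IP, WINDOW)
    for ts, kind, text in tl:
        print(ts, kind, text)
    for net, host in correlate(tl):
        print("lead:", net, "=>", host)
```

With the sample data, the pre-window connection and the connection not involving the HUS are dropped, and two leads are reported: the RDP connection followed by a logon, and the outbound HTTPS connection followed by a file creation.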

Referencing this page

This site is currently free to use and does not contain any advertisements, but should be properly referenced when used in the dissemination of knowledge, including within blogs, research papers and other related activities. Sample reference forms are given below.

Ref: Buchanan, William J (2025). CSN11123/4 Coursework. Asecuritysite.com. https://asecuritysite.com/csn11123/cw

Bib: @misc{asecuritysite_12382, title = {CSN11123/4 Coursework}, year={2025}, organization = {Asecuritysite.com}, author = {Buchanan, William J}, url = {https://asecuritysite.com/csn11123/cw}, note={Accessed: December 01, 2025}, howpublished={\url{https://asecuritysite.com/csn11123/cw}} }

Licence: This site is intended for the education and advancement of humans, and no rights are given for AI and ML bots to crawl this site. All references to its content must be included.