eForensics Magazine 2019 01 Ransomware Attacks and Investigations PREVIEW UPDATED.pdf
Let’s kick ransomware out of our lives in 2019! We’re extremely proud to present the first issue of eForensics Magazine of this year: Ransomware Attacks and Investigations.
In this publication you can find an amazing article, “Ransomware in Insurance Claims” by Alistair Ewing and Jason Bergerson, a paper about Frogo ransomware memory analysis (prepared for you by Paulo Henrique Pereira, the instructor of the eForensics course Ransomware Forensics), and some tips for ransomware investigations and incident response, written by John Fokker from McAfee.
In addition to this you’ll want to check out “Obtaining your Certified Forensic Computer Examiner Certification - Tips and Tricks” by Matt Beers. Our reviewers said that after reading it they felt like registering for the exams immediately. I’m sure you will have the same feeling! We also have for you articles about malicious mail attachments, Windows Live Forensics, Amazon Echo forensics, a forensic analysis of the Electronic Point Record System and still… that’s not all!
In this issue we also present a part of our course Digital Visual Media Anti-Forensics and Counter Anti-Forensics, in which you can learn about active non-blind tamper detection solutions. Thanks to all authors, reviewers and proofreaders for participating in this project.
Have a nice read!
and the eForensics Magazine Editorial Team
TABLE OF CONTENTS
Ransomware Investigations and Incident Response - Tips
by John Fokker
It was at the end of 2018 when I sat down to write this article on ransomware, and I can’t help thinking about “Operation Bakovia”, which took place exactly one year earlier in Romania. Operation Bakovia was the arrest of individuals responsible for spreading CTB-Locker ransomware. Please enjoy this article, in which I share some personal experiences from real ransomware investigations and offer forensic and prevention tips for when you are faced with ransomware.
Ransomware Attacks in Insurance Claims
by Alistair Ewing and Jason Bergerson
As ransomware attacks become more common and impact business-critical equipment and systems worldwide, insurers must educate their clients. Businesses may be underwritten to some degree for business interruption and data loss, but rarely through a dedicated cyber policy. Often a firm will only start to think about such requirements on the day an attack happens.
Frogo Ransomware Memory Analysis
by Paulo Henrique Pereira
This article discusses the difficulties encountered in performing memory analysis of a Windows Server 2008 R2 machine apparently infected by ransomware. A company based in São Paulo called us about a case in which its database server had been infected by malware. The infection, unfortunately, had encrypted the files that contained the client data, and there was no backup of these files.
A Forensic Analysis of the Electronic Point Record System
by André Ruschel
The electronic point registration system is a set of computerized equipment and programs whose purpose is to electronically record the entry and exit of employees at companies or institutions. Although the electronic record brings several benefits, some companies use only a single computer program to record the working day, and this work shows that such a record may not always reflect the worker’s actual working day, which has been causing numerous technical and legal disputes.
Malicious Mail Attachments
by HADBI Moussa Benameur
A large proportion of users across cyberspace are not properly trained (or not trained at all) to defend themselves against cyber-threats such as phishing and spear-phishing, which is why cybercriminals mostly deliver their malware through malicious attachments. Combined with social engineering techniques, the mail messages received seem genuine and their attachments may seem clean (documents, spreadsheets, PDFs...); all of this may deceive users and lead them to download the attachment and, sadly, run the malware. In this article, we demonstrate different techniques that let you download and safely analyze mail attachments.
Obtaining your Certified Forensic Computer Examiner Certification - Tips and Tricks along the Way
by Matt Beers
The purpose of this article is not to scare you away from trying to get your CFCE, but rather to educate the reader about the CFCE program and how best to prepare for its process and be successful. I’ll bold little tips and tricks that will help you along the way.
Digital Forensics and the Law
by Doug Carner
The public’s blind faith has been reinforced by television and movies that depict forensic science as both unlimited and infallible. The reality is that classic forensic practices originated in the field, far from labs and scholars, and were based on unproven assumptions. This stemmed from the need for investigative tools outpacing the deployment of the peer-reviewed science needed to validate those tools. The end result has been wrongful convictions based upon junk science that has been codified into case law.
Internet of Things: Amazon Echo Forensics
by Rachael Medhurst
The Internet of Things (IoT), sometimes referred to as the Internet of Everything, is a network of IP (Internet Protocol) enabled devices; these devices connect to one another and to the internet with the aim of bringing users convenience in their everyday lives. Examples of internet-enabled devices, otherwise known as ‘things’, range from self-driving cars, smart watches and heart monitors to smart microwaves, smart locks, smart light bulbs, the Amazon Echo and many more.
Windows Live Forensics
by Nikhil Singhvi S
This article gives some insight into basic commands and tools that can be used while performing live forensics. Data on a system has an order of volatility. Data from memory, swap space, network state and running system processes is the most volatile and will be lost if the system reboots or powers down. The Internet Engineering Task Force (IETF) released a document titled Guidelines for Evidence Collection and Archiving, also known as RFC 3227. This document explains that the collection of evidence should start with the most volatile item and end with the least volatile item.
From eForensics course platform...
by Raahat Devender Singh