Forensic analysis & malware removal

Lab activities

The "Network Security 2" exam involved many interesting practical activities in which groups of students engaged in a kind of role-playing game simulating attack/defense scenarios, sometimes against each other.

These are the two main activities I worked on.


Pre-forensics scenario setup

I prepared a virtual machine that would subsequently be analyzed (with forensic tools) by another group, which would try to establish what had happened on the system.

I created a scenario in which a malicious attacker, LadyNastenka, had tricked the VM owner into visiting a website configured to exploit an Internet Explorer vulnerability. The exploit installed a clandestine FTP server on the victim's system, making the owner an unwitting distributor of illicit content.

I purposely left some (but not too many) traces to be found, so that it would be possible (but challenging) to exonerate the owner of the compromised system through forensic analysis.

essay

Malware Analysis & Removal Tool

I was given a virtual machine to analyze. The VM had been infected with a toy malware programmed by another group.

The essay shows dynamic and static analysis of the malware, and the creation of a simple removal tool.

Even though the scenario is fairly simple, many of the principles and techniques discussed are of general validity.

essay presentation slides