In this lab, you are tasked with investigating a suspected malware infection that has impacted multiple endpoints within an organization. As a member of the Digital Forensics and Incident Response (DFIR) team at SecuTech, your primary objective is to analyze a memory image obtained from one of the compromised systems. Preliminary alerts indicate that the infection may have propagated via removable storage devices, raising concerns about data exfiltration and malware deployment.
The investigation focuses on identifying traces of malicious activity, uncovering artifacts related to USB device usage, and examining evidence of defense evasion techniques. Additionally, you will analyze malware execution flows, assess dropped files, and establish connections to potential command-and-control (C&C) infrastructure. Through this process, you will leverage forensic tools, including MemProcFS, EvtxECmd, and Timeline Explorer, to extract and interpret data from memory dumps and event logs.
This lab provides hands-on experience with identifying Indicators of Compromise (IOCs) and tracing malware behavior, enabling you to link activities to specific Advanced Persistent Threat (APT) groups. By the end of this investigation, you will have reconstructed the malware's timeline, evaluated its execution methods, and mapped its connections to known threat actors, preparing you to respond effectively to similar incidents in real-world scenarios.