Phishing remains one of the most effective attack vectors used by cybercriminals to compromise unsuspecting users. In this forensic investigation, we analyze a disk image acquired from an employee’s system after they fell victim to a fake iPhone giveaway scam. The attacker lured the user into engaging with a fraudulent webpage, which ultimately led to the execution of a malicious payload on the system. As a Security Operations Center (SOC) analyst, your task is to examine the evidence, trace the steps of the compromise, and determine the extent of the attack. This investigation requires analyzing various artifacts stored on the system, including Windows registry hives, messaging applications, browser history, and saved credentials. By leveraging forensic tools such as FTK Image , Autopsy, Registry Explorer, FirefoxPassword, and VirusTotal, we will reconstruct the attack chain and identify how the system was infiltrated. The investigation focuses on key aspects such as identifying system information, uncovering the phishing mechanism, extracting malicious payloads, and analyzing the attacker's infrastructure. Throughout this walkthrough, we will examine how the attacker delivered the malicious document, how it executed code on the victim’s machine, and the techniques used to establish remote access. By carefully analyzing the collected evidence, we aim to uncover crucial details such as the method of compromise, attacker infrastructure, and possible mitigation strategies to prevent similar incidents in the future.
This forensic exercise is crucial for understanding real-world phishing attacks and their impact on endpoint security. The insights gained will help security professi