In this lab, we dive into a comprehensive forensic investigation to analyze an incident involving unauthorized access, encryption of files, and malicious activities on a compromised Linux system. The attacker employed various techniques to infiltrate the system, escalate privileges, maintain persistence, and execute a ransomware-like payload. Our task is to trace the attacker’s steps, uncover critical details about their actions, and understand the tools and methods used during the attack.
The walkthrough will guide you through identifying suspicious files, decrypting encrypted artifacts, analyzing malicious scripts, and uncovering the attacker’s persistence mechanisms. You will also learn how to examine system logs, user activity, and configurations to piece together the sequence of events and answer key investigative questions. This lab will emphasize the importance of understanding Linux persistence tactics, encryption methods, and log analysis in a real-world incident response scenario.
By the end of this lab, you will have developed a deeper understanding of how attackers exploit systems and how forensic techniques can be used to uncover their activities, enabling effective response and remediation.
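The walkthrough above lists the persistence locations an analyst checks on a mounted image (cron, systemd units, SSH keys, shell startup files). As an added example, not part of the lab's own material, the POSIX shell script below enumerates those locations under an evidence mount point without executing anything from the image. The mount point (for example /mnt/evidence, mounted read-only) and the sample file names and contents in `make_sample_root` are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the lab): triage common Linux persistence locations
# on a mounted forensic image. The argument is the mount point of the image
# root (assumed mounted read-only). Only file metadata and paths are read;
# nothing found on the image is executed.

# Print every persistence-relevant file found under the image root, one per line.
list_persistence_artifacts() {
    img_root="${1%/}"
    # Single-file locations: system crontab and the legacy rc.local hook.
    for p in etc/crontab etc/rc.local; do
        [ -f "$img_root/$p" ] && printf '%s\n' "$img_root/$p"
    done
    # Directory locations: cron drop-ins, per-user crontab spools, systemd
    # units, SysV init scripts and login-time profile scripts.
    for d in etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly \
             etc/cron.monthly var/spool/cron var/spool/cron/crontabs \
             etc/systemd/system etc/init.d etc/profile.d; do
        [ -d "$img_root/$d" ] && find "$img_root/$d" -type f 2>/dev/null
    done
    # Per-user locations: SSH authorized_keys, shell startup files and
    # user-level systemd units under /root and every /home/* directory.
    for h in "$img_root/root" "$img_root"/home/*; do
        [ -d "$h" ] || continue
        for f in .ssh/authorized_keys .bashrc .bash_profile .profile \
                 .config/systemd/user; do
            [ -e "$h/$f" ] && find "$h/$f" -type f 2>/dev/null
        done
    done
    return 0
}

# Number of artifacts found; handy for the summary line of a triage report.
count_persistence_artifacts() {
    list_persistence_artifacts "$1" | wc -l | tr -d ' '
}

# Build a constructed fake image root so the example runs without real
# evidence. The cron job, unit file and SSH key below are invented samples.
make_sample_root() {
    sample=$(mktemp -d)
    mkdir -p "$sample/etc/cron.d" "$sample/etc/systemd/system" \
             "$sample/home/analyst/.ssh" "$sample/root"
    echo '* * * * * root /tmp/.x/update.sh' > "$sample/etc/cron.d/sysupdate"
    printf '[Service]\nExecStart=/opt/.cache/agent\n' \
        > "$sample/etc/systemd/system/agent.service"
    echo 'ssh-ed25519 AAAA... sample@example' \
        > "$sample/home/analyst/.ssh/authorized_keys"
    echo 'export PATH=$PATH' > "$sample/root/.bashrc"
    printf '%s\n' "$sample"
}

# Usage against a real mount: list_persistence_artifacts /mnt/evidence
```

Run it against the constructed tree first (`list_persistence_artifacts "$(make_sample_root)"`) to see the four planted paths, then point it at the real mount point; every path it prints is a candidate to diff against a known-good system or to read with `cat`/`stat` for creation time and owner.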
After mounting the forensic image using the command sudo