Be a Better Detective #6

Parsing Linux Memory Dump

Hello Everyone. It is Husam again! Thank you for being part of this journey. Let’s try to be better cybersecurity & digital forensics warriors EVERY SINGLE DAY *_^

This series of posts presents real-world challenges, and mistakes, faced or made by digital forensic practitioners. Try to solve them yourself and sharpen your investigative skills ^_^

Who Am I? Husam is just a guy who loves solving cyber-crime mysteries.
~ Sherlock Holmes by Day - Lupin by Night.

Do not forget to add this email address to your whitelist, so future issues do not land in your spam folder and get missed!

Below are some training providers I am partnering with whose content I think would add value for you, so check them out :)

Before I get to the scenario, I wanted to tell you that I have revamped my website and added free cybersecurity mentoring sessions, so check it out at HusamShbib.com!

The Scenario:

A small investment company was recently hit by a ransomware attack that encrypted several critical servers. The internal Incident Response (IR) team began scoping the incident to quickly initiate containment.

Due to budget cuts and limited management vision, the DF/IR teams were understaffed, composed of only a few junior analysts. Even the CISO had only a few years of practical experience in cybersecurity, and refused to contact a third-party incident response vendor despite the severity of the breach…

The environment consisted of both Windows and Linux servers.

The IR team decided to keep the compromised systems powered on but isolated from the network, aiming to capture volatile memory images before any shutdowns occurred, as powering them off would have resulted in the loss of that volatile evidence.

After significant effort, the team successfully acquired full disk and memory images from all affected hosts.

The IR team could not even investigate the images themselves, so they handed over the images to the Digital Forensics Examination (DFE) team for investigation and deeper analysis (as they have the required technical skills) while they focused on recovery and restoration tasks.

During analysis, the DF examiner began investigating the Linux memory dumps using Volatility 3, starting with the psscan plugin to enumerate processes. However, the command repeatedly failed with errors.

[Image: Error using Volatility 3 to run the psscan plugin]

The DF examiner remembered that for Linux memory dumps, Volatility 3 needs to be provided with the Linux symbol file for the dumped system.

Thus, the examiner downloaded one and put it in the Volatility folder, but the same error was still showing.

The examiner began to panic, troubleshooting the problem under pressure as the management demanded quick answers.

Here is the task: What went wrong? What was/were the reason(s) that the DF examiner was not able to examine the Linux memory image? How would you tackle this issue?
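Before you read on, here is an added example (my own code, not part of the newsletter or of Volatility) of the first sanity check I would script in this situation: carve the kernel's "Linux version ..." banner out of the raw image, decode the banner stored inside each candidate ISF symbol file, and report whether any of them actually describes the dumped kernel build. Volatility 3's own `banners` plugin carves the same string; the ISF layout assumed here (the banner base64-encoded under `symbols -> linux_banner -> constant_data`) is what dwarf2json produces, and the banners, the tiny "memory image" and the file names are constructed sample data.

```python
"""Check whether a Linux memory image's kernel banner matches an ISF symbol table.

Added example; the sample image, banners and ISF file names are constructed.
"""
import base64
import json
import re
from typing import Dict, List, Optional

# The kernel keeps its version string in the global `linux_banner`; Volatility 3's
# `banners` plugin carves the same "Linux version " prefix out of the image.
BANNER_RE = re.compile(rb"Linux version [ -~]{4,400}")


def find_banners(image: bytes) -> List[str]:
    """Carve every distinct 'Linux version ...' string from a raw memory image."""
    found: List[str] = []
    for m in BANNER_RE.finditer(image):
        text = m.group(0).decode("ascii")
        if text not in found:
            found.append(text)
    return found


def isf_banner(isf: dict) -> Optional[str]:
    """Decode the banner recorded in an ISF JSON symbol table.

    Assumption (dwarf2json layout): the banner is stored base64-encoded under
    symbols -> linux_banner -> constant_data.
    """
    entry = isf.get("symbols", {}).get("linux_banner", {})
    data = entry.get("constant_data")
    if data is None:
        return None
    return base64.b64decode(data).decode("ascii", errors="replace")


def normalize(banner: str) -> str:
    """Strip the trailing newline/NUL the kernel appends so both sides compare equal."""
    return banner.rstrip("\x00\n ")


def check_symbols(image: bytes, isf_files: Dict[str, dict]) -> dict:
    """Compare the image's banners against each candidate ISF and give a verdict."""
    image_banners = [normalize(b) for b in find_banners(image)]
    matches: List[str] = []
    mismatches: Dict[str, str] = {}
    for name, isf in isf_files.items():
        banner = isf_banner(isf)
        if banner is None:
            mismatches[name] = "<no linux_banner in ISF>"
        elif normalize(banner) in image_banners:
            matches.append(name)
        else:
            mismatches[name] = normalize(banner)
    if not image_banners:
        verdict = "no kernel banner found: not a raw Linux image, or wrong/compressed format"
    elif matches:
        verdict = "ok: a symbol table matches the dumped kernel"
    else:
        verdict = "no ISF matches the dumped kernel build; generate one for the exact banner"
    return {"image_banners": image_banners, "matches": matches,
            "mismatches": mismatches, "verdict": verdict}


# --- Constructed sample data (not from any real case) -------------------------
GOOD_BANNER = ("Linux version 5.15.0-91-generic (buildd@example) "
               "(gcc 11.4.0) #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023\n")
NEAR_MISS_BANNER = ("Linux version 5.15.0-89-generic (buildd@example) "
                    "(gcc 11.4.0) #99-Ubuntu SMP Mon Oct 30 09:00:00 UTC 2023\n")

# A tiny "memory image": junk, the banner exactly as the kernel stores it, more junk.
SAMPLE_IMAGE = (b"\x00" * 64 + b"\x41\x00\x7f" + GOOD_BANNER.encode()
                + b"\x00" * 32 + b"elf\x00")


def make_isf(banner: str) -> dict:
    """Minimal ISF-shaped dict carrying only the part this check reads."""
    return {"symbols": {"linux_banner": {
        "constant_data": base64.b64encode(banner.encode()).decode()}}}


# Two "downloaded" symbol files: one for the right build, one for a neighbouring build.
SAMPLE_ISFS = {
    "ubuntu-5.15.0-91-generic.json": make_isf(GOOD_BANNER),
    "ubuntu-5.15.0-89-generic.json": make_isf(NEAR_MISS_BANNER),
}

if __name__ == "__main__":
    print(json.dumps(check_symbols(SAMPLE_IMAGE, SAMPLE_ISFS), indent=2))
```

On a real case you would feed `check_symbols` the raw image bytes and the JSON files loaded from the directory Volatility actually searches (its `symbols` directory or a path given with `-s`); a near-miss build such as the second sample file is the classic way a freshly downloaded symbol file still fails, since the banner has to match the dumped kernel byte for byte.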

𝐁𝐞 𝐚 𝐁𝐞𝐭𝐭𝐞𝐫 𝐃𝐞𝐭𝐞𝐜𝐭𝐢𝐯𝐞. 🕵
Hope such content opened your eyes and makes you more aware in such cases ^_^

Cya till the next week ~Hoxed

You can find me on other social media here. Oh, I also have my MemoryForensic.com website, if you are interested in memory forensics!

💡By the way, if you liked such challenges and topics, you would definitely like my digital forensics coaching program, where we go through a full computer forensic case A-Z with peer review insights and hands-on guidance.

Thank you for reading this post, hope it was useful!

I can help you further with:

1️⃣ Cybersecurity Investigation Projects
2️⃣ Digital Forensic Coaching
3️⃣ LinkedIn Cybersecurity Companies Branding

Click here, so we can talk!

Here are some amazing partners' platforms to learn from; click on the one you are most interested in:


Did you know that a new cert was recently released? Check out "CJCA", an entry-level cert that covers both offensive and defensive knowledge, so you become more familiar with both sides of the cybersecurity coin.


ISFCE CCE is one of the best practical, peer-reviewed computer forensics courses & certifications.
30% OFF on CCE course using coupon: 𝐌𝐈𝐃𝐄𝐀𝐒𝐓##𝟑𝟎

Note: These are affiliate links to companies I work with and I believe their content would be valuable to you. Using them helps support my content.
