Incident Response: Investigation of CryptoLocker (trace analysis with Wireshark and Windows Server 2003)

Project description
A company has reported malicious activity on its network consistent with
CryptoLocker. The critical incident response team has obtained a virtual image of the
host under suspicion (HUS), together with other evidence that can be used for the
investigation, covering both host activity on the system and network traces.

Your objective is to investigate the virtual image and produce a fair and unbiased
report on the findings.

The VM image is in the attachment, which also contains the network trace; the trace
can also be downloaded from:

The analysis should involve examining the network trace for connections from the
hosts that connected to the host under suspicion (HUS). Alongside this, you should
analyse and cross-correlate the activity recorded in the logs on the HUS and the trace of
files left on the system. Evidence should also be gathered from the applications that
were used within the time window of interest. Note that all activity outside this
window of interest should be ignored.
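The cross-correlation step above (network connections to the HUS, matched against logons and process creations in the Windows Server 2003 Security log and against file timestamps from the image, all restricted to the window of interest) can be scripted once the evidence is exported to text. The script below is an added example written for this brief; it is not part of the assignment materials. The HUS address, the window, the tshark field export format, the CSV layout of the exported event log, and every data line are constructed assumptions. Event IDs 528 (successful logon), 540 (successful network logon) and 592 (new process created) are the Windows Server 2003 Security log IDs; the "Source Network Address" detail is what those logon events carry.

```python
"""Cross-correlate a network trace export, Security-log lines and file
artefacts for a host-under-suspicion (HUS) inside a time window.
Added example for this brief; all sample data below is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
HUS_IP = "10.0.0.5"                                      # assumed HUS address
WINDOW_START = datetime(2013, 11, 4, 14, 0, tzinfo=UTC)  # assumed window
WINDOW_END = datetime(2013, 11, 4, 15, 0, tzinfo=UTC)
TOLERANCE = timedelta(seconds=120)  # how long after a logon we still link events to it

# Constructed sample: output of
#   tshark -r trace.pcap -T fields -E separator=, \
#     -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
NET_EXPORT = """\
1383573610.100,10.0.0.7,10.0.0.5,445
1383573615.300,10.0.0.5,198.51.100.10,443
1383573900.000,10.0.0.9,10.0.0.5,3389
1383580000.000,10.0.0.7,10.0.0.5,445
"""

# Constructed sample: Windows Server 2003 Security log exported as
# time,event ID,description,key=value;key=value (layout is an assumption).
HOST_EVENTS = """\
2013-11-04 14:00:12,540,Successful Network Logon,User Name=jsmith;Source Network Address=10.0.0.7
2013-11-04 14:00:25,592,A new process has been created,Image File Name=C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\update.exe;User Name=jsmith
2013-11-04 14:05:30,528,Successful Logon,User Name=administrator;Logon Type=10;Source Network Address=10.0.0.9
2013-11-04 15:50:00,540,Successful Network Logon,User Name=jsmith;Source Network Address=10.0.0.7
"""

# Constructed sample: files recovered from the image (last-write time, path).
FILE_ARTEFACTS = """\
2013-11-04 14:00:25,C:\\Documents and Settings\\jsmith\\Local Settings\\Temp\\update.exe
2013-11-04 14:01:10,C:\\Documents and Settings\\jsmith\\My Documents\\quarterly.xlsx
2013-11-04 14:01:11,C:\\Documents and Settings\\jsmith\\My Documents\\README_DECRYPT.txt
2013-11-03 09:00:00,C:\\WINDOWS\\system32\\config\\SecEvent.Evt
"""

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)

def parse_net(text):
    """(time, src, dst, dport) per packet; rows without a TCP port are skipped."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 4 and row[3]:
            rows.append((datetime.fromtimestamp(float(row[0]), tz=UTC),
                         row[1], row[2], int(row[3])))
    return rows

def parse_events(text):
    """(time, event ID, description, details dict) per Security-log record."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 4:
            details = dict(p.split("=", 1) for p in row[3].split(";") if "=" in p)
            rows.append((_ts(row[0]), int(row[1]), row[2], details))
    return rows

def parse_files(text):
    """(last-write time, path) per recovered file."""
    return [(_ts(r[0]), r[1]) for r in csv.reader(io.StringIO(text)) if len(r) >= 2]

def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END

def inbound_peers(net):
    """Remote addresses that connected to the HUS inside the window."""
    return sorted({src for ts, src, dst, _ in net if dst == HUS_IP and in_window(ts)})

def correlate(net, events, files):
    """Per inbound peer: its connections, logons whose Source Network Address
    matches, and the process creations (592) and file writes that follow a
    matched logon within TOLERANCE. Anything outside the window is ignored."""
    result = {}
    for peer in inbound_peers(net):
        conns = [c for c in net if c[1] == peer and c[2] == HUS_IP and in_window(c[0])]
        logons = [e for e in events if e[1] in (528, 540) and in_window(e[0])
                  and e[3].get("Source Network Address") == peer]
        procs, writes = [], []
        for lts, _, _, _ in logons:
            procs += [e for e in events if e[1] == 592 and lts <= e[0] <= lts + TOLERANCE]
            writes += [f for f in files if lts <= f[0] <= lts + TOLERANCE]
        result[peer] = {"connections": conns, "logons": logons,
                        "processes": procs, "files": writes}
    return result

def timeline(net, events, files):
    """One time-ordered view of all in-window evidence, tagged by source."""
    rows = [(ts, "net", f"{s} -> {d}:{p}") for ts, s, d, p in net if in_window(ts)]
    rows += [(ts, "evt", f"{eid} {msg}") for ts, eid, msg, _ in events if in_window(ts)]
    rows += [(ts, "fs", path) for ts, path in files if in_window(ts)]
    return sorted(rows)

if __name__ == "__main__":
    net, ev, fs = parse_net(NET_EXPORT), parse_events(HOST_EVENTS), parse_files(FILE_ARTEFACTS)
    for ts, src, what in timeline(net, ev, fs):
        print(ts.isoformat(), src, what)
    for peer, hits in correlate(net, ev, fs).items():
        print(peer, {k: len(v) for k, v in hits.items()})
```

The outbound connection from the HUS to 198.51.100.10:443 appears in the timeline but not in the peer summary, because the brief asks about hosts that connected to the HUS; keep it in the report anyway, since CryptoLocker-type infections are usually followed by outbound command-and-control traffic. The two records from 15:46 and 15:50 are dropped by the window filter, which is exactly what the brief requires.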

Host under suspicion: Production -> Crypto -> Crytpo_001, Crypto_002
