Learn Defensive Security by using digital forensics in an investigation and applying security operations to stop a live cyber attack. Intro to Digital Forensics Room | Security Operations Room

Cyber Rey
5 min read · Feb 15, 2024

Intro to Digital Forensics TryhackMe Walkthrough

Learn about digital forensics and related processes and experiment with a practical example.

Task 1: Introduction To Digital Forensics

Digital forensics is the application of science to investigate crimes and establish facts related to digital devices and media. It involves collecting digital evidence from devices like smartphones and laptops, transferring the evidence following specific procedures, and analyzing the collected data.

Digital forensics is used in both:

  • public-sector investigations by government and law enforcement agencies, as well as
  • private-sector investigations by corporate bodies.

Without trained digital forensics investigators, processing digital evidence properly would not be possible.

Consider the desk in the photo above. In addition to the smartphone, camera, and SD cards, what would be interesting for digital forensics?

Task 2: Digital Forensics Process

As a digital forensics investigator, after obtaining legal authorization, the basic plan is to:

  • acquire digital devices,
  • establish a chain of custody,
  • place the evidence in a secure container, and
  • transport it to the lab.

At the lab,

  • retrieve the evidence from the secure container,
  • create a forensic copy,
  • return the digital evidence to the secure container, and
  • start processing it.

More generally, according to the former director of the Defense Computer Forensics Laboratory, Ken Zatyko, digital forensics includes:

  • proper search authority,
  • chain of custody,
  • validation with mathematics,
  • use of validated tools,
  • repeatability, and
  • reporting.

These steps ensure that the evidence is handled properly and the investigation is conducted in a thorough and reliable manner.

It is essential to keep track of who is handling the evidence at any point in time to ensure that it is admissible in a court of law. What is the name of the documentation that would help establish that?

Task 3: Practical Example of Digital Forensics

Everything we do on our digital devices, from smartphones to computers, leaves traces. Let’s see how we can use this in the subsequent investigation.

Our cat, Gado, has been kidnapped. The kidnapper has sent us a document with their requests in MS Word Document format. We have converted the document to PDF format and extracted the image from the MS Word file for your convenience.

  • Download the attached file to your local machine for inspection; or use the TryHackMe AttackBox
  • Change to the directory containing the case files using the terminal: /root/Rooms/introdigitalforensic
  • Use ls to list the files in the directory

Metadata forensic tools:

pdfinfo: reads a PDF file’s metadata such as title, subject, author, creator, and creation date.
→ Install with: sudo apt install poppler-utils
→ Usage: pdfinfo DOCUMENT.pdf

exiftool: reads and writes metadata in various file types, such as JPEG images.
→ Install with: sudo apt install libimage-exiftool-perl
→ Usage: exiftool IMAGE.jpg

Using pdfinfo, find out the author of the attached PDF file.

Command: pdfinfo ransom-letter.pdf

Using exiftool or any similar tool, try to find where the kidnappers took the image they attached to their document. What is the name of the street?

Command: exiftool letter-image.jpg

What is the model name of the camera used to take this photo?
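As an added example (not part of the original walkthrough or TryHackMe's material), the Python below parses the `Key: value` lines that pdfinfo and exiftool print and converts exiftool's human-readable GPS Position into decimal degrees, the form you would paste into a map to identify the street. The tool outputs embedded in it are constructed samples, not the real metadata of ransom-letter.pdf or letter-image.jpg.

```python
import re

# Constructed sample of pdfinfo output; NOT the real metadata of ransom-letter.pdf.
SAMPLE_PDFINFO = """Title:          Ransom note (constructed)
Author:         Example Author (constructed)
Creator:        Microsoft Word
CreationDate:   Thu Feb 15 10:00:00 2024 UTC
Pages:          1
"""

# Constructed sample of exiftool output; NOT the real metadata of letter-image.jpg.
SAMPLE_EXIFTOOL = """File Name                       : letter-image.jpg
Camera Model Name               : Example Camera Model (constructed)
GPS Position                    : 51 deg 30' 26.50" N, 0 deg 7' 39.90" W
"""

# exiftool prints GPS coordinates as degrees/minutes/seconds plus a hemisphere letter.
GPS_RE = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")

def parse_key_values(text):
    """Turn 'Key: value' lines (pdfinfo and exiftool share this layout) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only: CreationDate's value contains colons too.
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def dms_to_decimal(deg, minutes, seconds, hemisphere):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemisphere in "SW" else value

def parse_gps_position(text):
    """Parse exiftool's 'GPS Position' string into (latitude, longitude)."""
    parts = GPS_RE.findall(text)
    if len(parts) != 2:
        raise ValueError("expected two DMS coordinates, got %r" % text)
    lat, lon = (dms_to_decimal(*p) for p in parts)
    return round(lat, 6), round(lon, 6)

def summarize_case_files(pdfinfo_output, exiftool_output):
    """Pull out the three facts the room asks for: author, camera model, location."""
    pdf = parse_key_values(pdfinfo_output)
    img = parse_key_values(exiftool_output)
    gps = img.get("GPS Position")  # images without GPS tags yield no location
    return {"author": pdf.get("Author"), "camera": img.get("Camera Model Name"),
            "location": parse_gps_position(gps) if gps else None}
```

Run `pdfinfo ransom-letter.pdf` and `exiftool letter-image.jpg` on the AttackBox and feed their real output to `summarize_case_files` to get the room's answers.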

Security Operations TryhackMe Walkthrough

💡 Learn about Security Operations Center (SOC): its responsibilities, services, and data sources.

Task 1: Introduction to Security Operations

A Security Operations Center (SOC) is a team of IT security professionals responsible for monitoring a company’s network and systems 24/7.

Their main tasks include:

  • finding vulnerabilities,
  • detecting unauthorized activity,
  • discovering policy violations,
  • detecting intrusions, and
  • supporting incident response.

The SOC’s role is crucial in maintaining the security of the entire company.

What does SOC stand for?

How many hours a day does the SOC monitor the network?

Task 2: Elements of Security Operations

Data Sources

The SOC relies on various data sources such as server logs, DNS activity, firewall logs, and DHCP logs to monitor the network for intrusions and malicious behavior. These data sources provide information about activities, domain name resolutions, network packet control, and device network settings. The SOC also uses a Security Information and Event Management (SIEM) system to aggregate data for efficient correlation and response to attacks.

SOC services

SOC services fall into reactive services, proactive services, and other services.

Reactive services refer to the tasks initiated after detecting an intrusion or a malicious event. Example reactive services include:

  • monitoring security posture,
  • vulnerability management,
  • malware analysis,
  • intrusion detection, and
  • reporting.

Proactive services refer to the tasks handled by the SOC without any indicator of an intrusion. Example proactive services carried out by the SOC include:

  • network security monitoring (NSM),
  • threat hunting, and
  • threat intelligence.

Additionally, the SOC provides cyber security training to raise users’ security awareness and prevent data breaches.

Task 3: Practical Example of SOC

A firewall is used to prevent ongoing attacks by inspecting network packets entering and leaving a network or system. It examines:

  • Source and destination IP addresses: which are like postal addresses for communication over the Internet, and
  • Source and destination port numbers: which are like room numbers for programs to communicate over the network.

A firewall rule might be similar to the following:

Click on “View Site” to begin the simulation. As a member of the SOC team, while monitoring the network and systems, you notice one malicious IP address attacking one of the company’s computers. It appears to be targeting many destination ports with malicious packets, so the best response is to block it at the firewall level.

Add the necessary firewall rules to block the ongoing attack. What is the flag that you have received after successfully stopping the attack?
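As an added illustration (not the room's simulation and not code from the original post), the Python below does in miniature what the task describes: it spots one source hitting many destination ports on a single host in a constructed packet log, generates a deny rule for that source, and checks which packets the rule stops. The IP addresses and port threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed packet log as (source IP, destination IP, destination port).
# 203.0.113.9 sweeps many ports on one host, like the attacker in the room's simulation.
PACKETS = [
    ("10.0.0.5", "192.168.1.20", 80),
    ("10.0.0.5", "192.168.1.20", 443),
    ("203.0.113.9", "192.168.1.20", 21),
    ("203.0.113.9", "192.168.1.20", 22),
    ("203.0.113.9", "192.168.1.20", 23),
    ("203.0.113.9", "192.168.1.20", 25),
    ("203.0.113.9", "192.168.1.20", 3389),
    ("10.0.0.7", "192.168.1.20", 443),
]

def find_port_sweepers(packets, max_ports=4):
    """Sources that touch more than max_ports distinct destination ports on one host."""
    ports_seen = defaultdict(set)
    for src, dst, dport in packets:
        ports_seen[(src, dst)].add(dport)
    return sorted({src for (src, _), ports in ports_seen.items() if len(ports) > max_ports})

def make_block_rules(sources):
    """One deny rule per attacker: any destination IP, any destination port."""
    return [{"action": "deny", "src": s, "dst": "any", "dport": "any"} for s in sources]

def evaluate(packet, rules, default="allow"):
    """Match a packet against rules in order; the first match wins, else the default."""
    src, dst, dport = packet
    for rule in rules:
        if rule["src"] != "any" and rule["src"] != src:
            continue
        if rule["dst"] != "any" and rule["dst"] != dst:
            continue
        if rule["dport"] != "any" and rule["dport"] != dport:
            continue
        return rule["action"]
    return default

def blocked_after_rules(packets, rules):
    """Packets the firewall would drop once the rules are in place."""
    return [p for p in packets if evaluate(p, rules) == "deny"]
```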


Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!