Investigating Unauthorized Data Exfiltration at MedSure Health Systems
Description for Students
You have been assigned as part of the Computer Security Incident Response Team (CSIRT) at MedSure Health Systems. The SOC has flagged suspicious outbound connections from a workstation belonging to Dr. Aisha Rahman, a clinical data analyst. These connections appear to be directed toward an unknown external IP address (203.0.113.77), raising concerns of unauthorized data exfiltration.
In this assignment, your task is to mimic a real-world investigation by preparing professional forensic documentation, analyzing network evidence, and drawing conclusions about the possible attack. You will apply the forensic methodologies covered in the in-class and lab sessions, supported by Guide to Computer Forensics and Investigations, 6th Edition (Nelson & Phillips).
Incident Timeline
1. Monday, 09:05 am: SOC detects an unusual spike in outbound traffic from Dr. Rahman's workstation to 203.0.113.77 over port 443 (HTTPS).
2. Monday, 09:45 am: Firewall logs reveal multiple failed login attempts followed by a successful remote login from an IP address registered in South America.
3. Monday, 10:30 am: IDS triggers alerts suggesting possible large encrypted file transfers leaving the network.
4. Monday, 12:15 pm: Endpoint security detects a suspicious executable running under Dr. Rahman's user profile.
5. Monday, 01:00 pm: CSIRT activates a full forensic investigation, beginning with containment and evidence preservation.
Assignment Questions
Question 1:
Prepare a Chain of Custody Form for the evidence collected in this investigation. Include the following:
Description of each evidence item (e.g., workstation hard drive, firewall logs, IDS alerts).
Methods used to preserve the evidence (e.g., imaging, hashing).
Documentation steps to maintain integrity.
Hint, refer to Nelson & Phillips, Ch. 2 & 4: Review procedures for evidence handling and digital evidence integrity.
Question 2:
Utilize various network forensic tools such as tcpdump, Wireshark, and NetworkMiner to simulate and analyze the captured network traffic.
Note: Document your findings and insights regarding the potential attacks, the behavior of the network during the incident, and any evidence that indicates data exfiltration or malicious activity. Include a detailed Incident Timeline to support your analysis.
–> Hint (for students): Complete all steps outlined in Session 11 to effectively analyze the scenario and use the tools (tcpdump, Wireshark, and NetworkMiner) for the simulation.
Question 3:
a) What network traffic patterns or anomalies would indicate potential data exfiltration? Discuss the key metrics and signs to look for in your analysis.
b) Discuss how attackers may try to disguise these patterns (e.g., tunneling through HTTPS, using legitimate cloud services).
For (b), hint, refer to Ch. 8: Look for the discussion of covert channels and of how abnormal traffic volumes or destinations stand out during analysis.
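As an added example (not part of the assignment or the textbook), the following Python script applies three of the signs asked about in 3(a) to constructed flow records modelled on the incident timeline: total outbound volume to one destination, upload-to-download ratio, and a destination absent from a baseline. The internal address ranges, the baseline set, and the flow records are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Internal address space assumed for MedSure (constructed; adjust to the real site plan).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# External destinations seen in a (constructed) 30-day baseline; anything else is "new".
BASELINE_DESTINATIONS = {"198.51.100.10"}

# Constructed flow records: (src, dst, dst_port, bytes_out, bytes_in).
FLOWS = [
    ("10.20.5.14", "203.0.113.77", 443, 48_000_000, 120_000),  # workstation -> unknown host
    ("10.20.5.14", "198.51.100.10", 443, 250_000, 3_400_000),  # ordinary HTTPS browsing
    ("10.20.5.14", "10.20.1.5", 445, 900_000, 700_000),        # internal file share, ignored
    ("10.20.5.22", "198.51.100.10", 443, 180_000, 2_900_000),  # another workstation
]

def is_external(ip):
    """True when the address is outside every internal range above."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def summarize_outbound(flows):
    """Sum bytes per (src, dst) pair for flows that leave the internal networks."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, _port, bytes_out, bytes_in in flows:
        if is_external(dst):
            totals[(src, dst)][0] += bytes_out
            totals[(src, dst)][1] += bytes_in
    return totals

def flag_exfiltration(flows, volume_threshold=10_000_000, ratio_threshold=5.0):
    """Return (src, dst, reasons) for external pairs tripping any heuristic: outbound
    volume, upload:download ratio (browsing downloads far more than it uploads),
    or a destination absent from the baseline."""
    flagged = []
    for (src, dst), (bytes_out, bytes_in) in summarize_outbound(flows).items():
        ratio = bytes_out / max(bytes_in, 1)
        reasons = []
        if bytes_out >= volume_threshold:
            reasons.append(f"outbound volume {bytes_out / 1e6:.1f} MB")
        if ratio >= ratio_threshold:
            reasons.append(f"upload ratio {ratio:.0f}:1")
        if dst not in BASELINE_DESTINATIONS:
            reasons.append("destination not in baseline")
        if reasons:
            flagged.append((src, dst, reasons))
    return flagged
```

Run over the constructed records it flags only the 10.20.5.14 to 203.0.113.77 pair, on all three counts; on real data the thresholds and baseline must come from the site's own traffic history.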
Question 4:
Reflecting on the MedSure case, write a short essay (approx. 500 words) discussing:
Key lessons learned in detecting and investigating insider or external-driven threats.
Importance of timely containment and response in healthcare data breaches.
How forensic tools complemented threat intelligence analysis in this case.
Recommendations to prevent recurrence (technical + policy-based).
–> Hint, refer to Ch. 13 & Case Studies: Consider how lessons learned feed back into strengthening the organization's incident response plan.
Expected Deliverables
Primary Report (PDF): Include Chain of Custody, analysis, answers to all questions, and final reflections. Name file: StudentName_StudentID.pdf.
Evidence Screenshots (ZIP): Contain screenshots from forensic tools (tcpdump, Wireshark, NetworkMiner) with brief captions. Name file: StudentName_StudentID_Screenshots.zip.
Requirements: 1500-2000 words
