Investigation of Crytolocker: Trace Analysis With Wireshark and Windows 2003 Server - Coursework Example

work: INCIDENT RESPONSE: INVESTIGATION OF CRYTOLOCKER (TRACE ANALYSIS WITH WIRESHARK AND WINDOWS 2003 SERVER) By Institution: Date: Introduction It is important to highlight that this report delves in the Investigation of Cryptolocker. The paper has been divided into several sections to enhance clarity. Cryptolocker is malicious computer software that is used in the compiling of the various Microsoft files such as images, Microsoft word documents as well as those in PowerPoint slides presentation. This is actually the contemporary technique that is used by the cybercriminals in the robbing of people their money through the internet or even through emails. There are other tools that have been used by the cybercriminals theft. These include PayPal scams, advertisements that are run in the internet and people deceived on wining fake lotteries, the fake inheritance scams as well as the EBay scams (Richard, 2013). One factor that is worth noting is that they are developed so that the promiscuous persons can solicit some money from the people with the computers that have been affected by the virus. There are various computers that are at risk especially those that are operating certain programs in virtual reality. These include the apple and Linux computers. Another set of vulnerable computers are those that are using windows Vista, XP 2, Windows 7 and 8 while the other two computers mentioned earlier are affected by windows 8.1. It s a software that gets into a computer system and then bars the owner of the computer from accessing the services or the system until a ransom is paid (Kevin, 2012). This software therefore does the encoding of data and therefore there is only access to the information by the authorized people. It is also used in websites. A good example of this kind of application is the case in the banking industry whereby there is the use of the hypertext transfer protocol (http). The image below shows data encryption process (Richard, 2013). Objective of the study To find out the virtual image of Cryptolocker How to Set Up Virtual Servers It is important to highlight that the virtual servers allow one box to execute several virtual images. Every operating system can manage its own without any system support from the prior installed operations system. This could be seen in the former eras whereby one windows server 2000 could support operation of windows 2003 besides others such as Linux, Each managing its applications. In setting up the virtual image, below are therefore considered as necessities that have to be there: (Kevin, 2012). i. GSX server:-the licensing of this product for the case of a two processor machine begins from $3025. This is so because the product can withstand the number Central Processing Units (CPU) that can operate up to 64GB of the virtual machine. ii. A Host computer:-the host computer in question is obliged to operate as the windows server variant. By using windows 2000 professional and XP are the only ways that the operators of virtual image workstation can evade infection. iii. A lot of RAM:-one obvious reason that is evident here is that each virtual machine ill require its own internal storage device. Owing to the fact that the GSX operating system as well has to be on its own RAM therefore calls for a larger room or space that can accommodate all that is needed. iv. Guest operating system:-various software installations are designed for different virtual machines. Most variants of Linux and FreeBSD, Windows down to 3.1, MS-DOS 6.22, and Novell NetWare ate supported by GSX operating system. v. One or more dedicated hard disks per virtual machine and this are considered as not mandatory in the operating system. Starting a Virtual servers After preparing the GSX servers to the host machine, it is then configured because of the compatibility and within sixty seconds then it can be used to run the improvised virtual machine. Below is therefore the procedure for the operation ((Richard, 2013): i. Go to Administrative tools and shut down all the additional services in the system running. This will help in straightening the functionality of the of the host machine. Virtual machines can work for more only when the less time is burned in a short time by the Central Processing Unit. For VM configuration always let the IIS and the COM performances running. ii. Download or make a purchase of the VM software of GSX server of your own choice. iii. The autorun should as well be turned off because various virtual machines attempting in auto running for example a CD can cause adverse effects in the computer system. iv. Shut down the computer and restart it when the servers request. Log in to the GSX and enter the registration details of the software. The serial key is always provided by the Virtual Machine manufacturer. v. Go to the new VM server and click to prove the initial or first virtual machine of the Red Hat ES. vi. Various network interfaces can be shared across with the VM software. The Bridged networking helps in the developing of Ethernet gadget in the virtual machine. That can be well seen in the images that are attached above in the earlier parts of the paper. This will connect it to a local router. Click next to continue with the installation and configuration. vii. By clicking next, there virtual disk will be an automatically created in the virtual image software. viii. After developing the windows server 2003 VM, customize new virtual machine by clicking it again. More questions to complete the installation will be asked during the process. These are answered as shown from step (viii) to step (ix) ix. The least amount of memory to apportion to the server is 256MB. x. Show that the bridged network is the kind of router to be used in the system. xi. There now develop a new virtual disk. One can as well wish to use a physical disk to the virtual machine. Note that the physical drives are not readable by operating system of the host machine xii. Upon the completion of the configuration of the two virtual machines, they are then turned on or activated. Red Hat ES CD1 is then put in the computer system’s focal drive. xiii. Booting will commence from the Red Hat ES CD1 after some few seconds. The new window should then be clicked to put in data or some files into the disk. Relieve the control of the mouse and the keyboard by clicking CTRL ALT at the same time to execute the command. xiv. For the virtual image to recognize the Virtual Image virtual graphics adapter, review the Red Hat Enterprise Linux ES installation process. xv. Upon the completion of installation process, the servers’ operating environment will be active and will be hosted by the windows server. xvi. The next step now is on the installation of the windows 2003 virtual machine operating system. Power on the windows server 2003 that is in the disk earlier created using the process. This is done after it has been in the GSX server window. xvii. Windows server will start the booting and consequently rebooting process with commands to press CTRL ALT DEL. Ignore the command and press CTRL ALT INS and this will be interpreted in the virtual machine. xviii. Click CTRL ALT to come out of the windows in the event that the windows server is up and running and click install VM software tools below the window for the program to be launched in the virtual machine. xix. Finally configure the windows server 2003 to operate effectively in the environment launched in. The explanations above can as well be done as shown in the flow chart below. LITERATURE REVIEW It important to highlight that several scholars have explored this area of study and these can be seen from the extensive and in-depth literature review that was conducted. According to Kevin (2012), a lot of organized cybercrime techniques have been developed in this time and error and he narrates how one guru managed to illegally get billion dollars from the United States’ economy. The most interesting part of the ordeal is the point that the FBI launched an operation against this hacker not knowing he was their member and an expert in the field of computer programming. Besides, this same person could suck a lot of cash from various credit cards including those of the other hackers who were in the illegal dealing (Kevin, 2012). Cliff (2005) in his book discusses how a US citizen did expose the various terror affiliates who were posing risk to the country through the internet. He had empirical evidence that were used by the law enforcement agencies in the investigation to ascertain the validity of the claims. His story is corroborated by Lawrence Berkeley who was a laboratory manager who noticed there was a hacker in his system when he lost 75cents from the accounting alert. Through the alert, he managed to start the tracking exercise and found the identity of the hacker as ‘Hacker’ who had at one point gotten very vital security information and sensitive military secrets from the United States computer system. His efforts were quite hazardous as it was hunting on each other. In the course of the hunting, there were lots of deceptions, missile bases, broken codes that were used by the hacker as well as satellites for location of various areas. Richard (2013) teaches on the ways of boosting security using the Network Security Monitoring (NSM). This is quite important in the sense that a good protection can be added on the system. This is using a common source program as well as vendor neutral tools METHODOLOGY This study will use different types of methodology to get very accurate findings that can be quite helpful to the company against these promiscuous individuals. The following methodology will be used during this study (Kevin, 2012). RESEARCH APPROACH Deductive Approach Deductive approach to reasoning enables the researcher in the analysis of the facts as well as in the testing of hypotheses from a more general level to the specific level. Normally this approach is known as top-down approach. The actual meaning of top-down approach is that the researcher start to think a topic that the researcher is interested in, he or she then narrow the topic down into more specific hypotheses that the researcher is within the ability and capacity of the researcher to test. This research will therefore apply largely the use of deductive approach in carrying out research (Richard, 2013). Inductive Approach Contrary to the deductive approach, Inductive approach to reasoning enables the researcher to analyses from the specific observation to wider theories and generalizations. This approach is known as bottom-up approach. This means that inductive approach majorly uses evidences that have come up during the research to explain the results and the hypotheses (Kevin, 2012). RESEARCH DESIGN It is also important to reiterate that the design of this research is sorted into three sections. These sections are exploratory research, explanatory research and lastly descriptive research. These research designs are well envisage as shown below (Richard, 2013). Exploratory Research This kind of research enables the researcher to determine the best research design, selection of subjects and appropriate data collection instruments for data collection for a problem that has defined clearly. Apart from that, exploratory research is based on secondary resources such as looking at available literature and data and such as qualitative research interviews with the affected persons who have been victims in one way or the other. These include focus groups, customers, individuals, competitors, companies, case studies and so on so forth. The main aim of exploratory research is gaining an insight for new phenomenon or obtaining a familiarity to be able to formulate hypotheses (Brian, 2005). Descriptive Research The third type of research that the study employed is the descriptive research. Most of the researchers strive in the identification and to figuring out the terms of these kinds of researches. Descriptive research is the also known as statistical research and describes vividly the characteristics and data in regards to phenomenon or population that the researcher has studied. In this focus, even though the description of data is accurate, real and systematic, it is nearly impossible that the researcher is evitable to find out what has caused the situation. In this regard therefore, it is not advisable to use descriptive research in creating causal relationship, where one parameter influences the other (Kevin, 2012). Data collection methods In the coming up with the findings, it is quite evident that there are some information that were collected. This section presents the methods that will be used to collect data during this study. The data are collected using the suitable data collection instruments that are discussed below. The instruments are either primary sources of data collection or secondary sources of data collection (Richard, 2013). Secondary Research This study will majorly employ the use of secondary research. Secondary research is the type of research that had been researched and published by someone else. Secondary research is always seen to be time saving since it does not always require the researcher to carry out any survey. The secondary sources can either be available within out outside the organization. It is important to note that secondary research is always less costly. The disadvantage of this research is that information can easily be altered. The researcher will however be very vigilant on the type of data. In this case, the data should only be collected from sources that are certified (Richard, 2013). Sampling techniques This study applied simple sampling techniques. This type of sampling allows an equal chance for each individual to be picked for interview. This technique of sampling also allows the respondents to be picked just by chance. It is therefore relevant to argue that simple sample technique is very appropriate for this study because it saves time and it is easy to undertake. Using simple random sampling technique also has an impact on improving the quality of results attained. This is because the results that are always attained using simple random sampling that is undertaken using larger population size is always considered highly accurate (Kevin, 2012). Sample size of the study The sample size of this study will involved 200 participants drawn from all centers of focus in the study as well as considering the ethical issues. During the research, ensure that ethical considerations are upheld in selection of the sample size. The sample will be selected from the homeless aboriginal population. The study was conducted in England (Brian, 2005). Research instruments This study applied various number of research instruments collection of data. It is therefore fundamental to note that the researcher used three research instruments namely questionnaires, interview schedules and document check lists. The use of various number of research instruments is always encouraged so as to ensure that the data collected is accurate and holistic. Expert opinion was also sought from the relevant personnel so as to ascertain the suitability of the of the research instruments (Brian, 2005). The research instruments are therefore explained as follows. Questionnaire This study applied the use of questionnaire to collect primary data that met the objectives of the research. The construction of the questionnaire took in to account various factors that were in accordance with the general objective of the study as outlined in section two. It must be noted that any questionnaire that contain questions, which are clearly constructed questions, is always considered a very fundamental research tool. The questionnaire used in this research was properly and carefully constructed. The questions were put in a very direct and coherent manner to ensure that each respondent understands them (Kevin, 2012). The research questions were used in the construction of the questionnaire. This allowed the correct data to be collected in as far the objectives of the study were concerned. The questions used in the questionnaire were of two different types. For instance, the questionnaire contained open-ended questions and closed ended questions. The open-ended questions enabled the researcher to collect information pertaining to the opinions of the respondent (Richard, 2013). Interview Schedules Apart from the questionnaire, the researcher also used interview schedule to collect data. The use of interview schedule was considered to be very appropriate in collection of corroborative information. The interview schedules always compliment the questionnaire through corroboration of the quantitative information. The data collected were used by the researcher to analyze and study and to approve the hypothesis of the study. My questionnaire therefore had two sections only; section "A" and "B". Section A contained question that answered my research questions while section B had questions that enabled me test my research hypothesis. I also carried out personal interviews, especially with managing directors of key government bodies and agencies, federal bodies, security personnel as well as the various individual who have fallen victims of cybercrime concerning social and economic issues in information communications technology with reference to Cryptolocker (Kevin, 2012). Observation Observation is another instrument that will be employed in this research to assist in collection of primary data. This method is very reliable because it is less costly and easy to carry out. Observation only requires the researcher to avail him or herself at the site where the data collection is taking place. It involves viewing of the situations as they appear in the site. Direct observations enabled me to collect data that I believe is default to gather when using other instruments of data collection (Brian, 2005). Findings of the study Below are therefore the results that were found during the study. From the study, it was clearly found how the Cryptolocker software operates and this is well envisaged. The cybercriminals tend to believe that they have in their knowledge the interest of all their victims and they send the message via email. They behave as if you completely know them and the most ironical part is that they tend to imitate the people, agencies as well as organizations that you would like to hear from s o much. These include the banks or even the mobile phone companies. The emails that they send seem to be very urgent and the sender is quite stranded in a way. However, the email tries to find the victim’s log in details from some account. This is tied to a fake link and website that cracks the log in information too. Cryptolocker tends to destroy every single file in the computer system and then encrypts it such that even the owner cannot trace or even access the file or computer system itself. At the moment, the amount of money that can be paid when it comes to unencrypting the malware is £300 failure to comply within the stipulated timeframe by the developers if this kind if software then the information will be locked or encrypted forever (Kevin, 2012). It is also important to highlight that there are ways that have been recommended in the protection against Cryptolocker and ransom ware in disaster restoration and recovery. These have been highlight as shown below are any of them can be employed in this regard therefore: Backup all your files and folders to Drop box:-there are various services such as drop box that offer room for online backing of the data and other files. This is ideal and is realized through synchronization thereby protecting the disk failure risk and thefts. Develop a system repairs disk:-it is important to create a system repairs disk that will help in the restoration of the windows back. In windows recovery, the computer user or owner has to be careful on the repairs disk. The people using the Linux on the other hand only need to download and install a distro of their choice (Brian, 2005). Backup to DVDs, USB and External Hard Drives and any other form of secondary storage:-it is important to highlight that these external storage devices are very helpful as they do automatic synchronization of the data and files. The DVDs for example is quite ideal as it tends to reduce the effect and amount of the malware (Kevin, 2012). Test the functionality of the Recovery media:-all the devices that have been developed for back up, repairs and even protection could not be working as required. It is therefore quite important to test their functionality if they are in order to secure the computer system with all the contents in the system. Test the repairs disk by inserting it into the disk drive and try to do the booting of the computer system. For the people who do the backs up in the Google websites or Drop box, try and confirm if the files that you backed up are not corrupted with any kind of virus (virus free). For the Backup that is done in the DVD or the USB, try to open the folders to know if the open or are working well (Richard, 2013). Install strong Antivirus software in your computer system:-Antivirus help in the keeping of computer system and all the files in the various folders safe. The computer system is also free from the infection while working online. It is important to note that all the recognized and accredited providers of the Antivirus always have in mind the existence of Cryptolocker. This therefore will make them develop an antivirus that can protect the computer system from the malware. Regardless of the operating system that one is using, it is an obligation to install antivirus for the computer. For the computers that are using the Linux Operating system, it is even very necessary to install antivirus as it will help in the scanning of the files that one can share with other parties. The Ubuntu machines always have a small kitten and this is quite harmful to the computer network system of a company. The picture of the kitten could be attached to some virus and if many persons open it then the computer system can be crashed as well hence the need to install Antivirus (Brian, 2005). Always execute regular and continuous system backups:-this is for the people who are prone to adding various files to their computer systems, videos, images or picture, developing or upgrading the various computer programs as well as adding documents. It is advisable that there be some copy of the added item onto the computer at some place so that is external from the computer system and it should be regular (Richard, 2013). Back up the files using Ubuntu One:-people using the Linux operating system have reported very few reports with regards to ransom ware. Ubuntu one is meant for the people who use windows and not using ubuntu (Kevin, 2012). Always keep the antivirus well updated and active:-it is important to reiterate that the computer system only remains safe when the antivirus is up to date and active. It can make no sense having the antivirus and failing to keep it operational because of the fact that it is not current or up to date. That is like leaving an ATM card with the personal identification number (PIN) in display (Brian, 2005). Use Linux software instead of the normal windows:-over the past years, there have been no cases of virus infection or malicious infection into the computer systems that are using the Linux operating system. From this subjective and objective point of view, it would be quite in order for the other people who have not installed this kind of software to try it out and overcome these windows related problems. Just like a flag will always follow the direction of the wind so should you apply the software in the computer system because majority have moved there and abandoned windows. Linux is therefore very safe and secure to work with (Kevin, 2012). Make proper Use Clonezilla to create a disk image:-Clonezilla is a specially designed operating system that is based on the features and aspects of Linux. This operating system gives s the computer owner to develop an image on the computer. The operating system is quite helpful in recovery. This is in the sense that in the event of any fault or breakdown, the computer would recover up to the point when the last image was shot. This system therefore works the same way as the Norton Ghost (Richard, 2013). Back up the files to Google drive:- Apart from the Drop box, the Google drive can as well be used as an alternative. In this, the space that is offered for free is 16 gigabytes and can be expanded to 100 GB and is paid $4.99 after every one month ever dash with elevated privileges (Brian, 2005). Have your own personal wits just on you:-it is quite obvious that the banks and any party be it an agency or organization with some sensitive information cannot send emails. For example in the event of bank withdrawal, there will be a letter posted to the post office and this will help you by creating awareness to you. You will thereby be forced to do confirmation of the bank account online. Various organizations and financial institutions have their websites and portals where they disseminate information to their people. Banks are therefore not an exception here. Using the wits and knowledge you have, you can therefore ignore what is not relevant and use the relevant ones. Therefore people need to be very careful on the email messages that require them to follow certain links and websites to access what they require. The lengthy and cumbersome procedure should send a waning to the people (Richard, 2013) Make use of a virtual machine when opening certain links and emails that have been sent through emails. Oracles Virtual box software is quite appropriate (Cliff, 2005). Never relinquish or give up:-when it comes to giving up, the core point driven here is that the continued payment of ransom by the victims is the motivating factor to the increment of this kind of activity through malicious software. It therefore means that the victims should remain firm and not act like desperadoes so that these people can quit from the activity. It could be hard to take as a piece of advice but it is the best (Richard, 2013). From the survey conducted, the table below gives the results of the various effects that people have suffered from Cryptolocker. FORM OR CAUSE OF LOSS NUMBER OF PEOPLE Those who have received emails of fake lotteries 77 Those who have been linked to certain websites to access bank or agency services 31 People who have lost money from PayPal scams 28 Fake inherited scams 13 EBay scams. 29 People who have suffered from running lucrative advertisements in the internet 22 TOTAL POPULATION 200 Conclusion In conclusion, it can be noted that there are several people who have fallen into trap following these scams in the internet. It is therefore quite important that people be sensitized and made aware of these kind of scams that are online. The world has gone hi-tech and technology makes people to stay online for commerce alongside others and therefore there is need to have various computer soft-wares to stay safe and also backup system for recovery of lost data and information (Kevin, 2012). The various institutions and agencies should also instill confidence in their clients and the people they serve by coming out in defense to make the people know the right modes of communication that they use. This will make many to ignore these emails (Brian, 2005). References Brian C., (2005) File System Forensic Analysis, Addison-Wesley Publishers. Cliff S., (2005) The Cuckoos Egg: Tracking a Spy Through the Maze of Computer Espionage, Simon and Schuster. Kevin P., (2012)Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground? Broadway Books. Richard B.,(2013) The Practice of Network Security Monitoring: Understanding Incident Detection and Response, No Starch Press. Read More