Digital forensics and incident response, a term typically shortened to “DFIR,” is a necessary process for any organisation that wants to keep its computer systems, along with the data stored in them, safe. Malicious hackers who have enough motivation will eventually find a way into a target computer system — sometimes even when the computer system in question is not connected to the internet (Berghel 2015; Greenberg 2018; Finio 2021). In this article, I will discuss my experience working through DFIR problems in a fictional case.
Digital forensics can be defined as “the use of scientifically derived and [empirically demonstrated] methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources, […]” (Reith et al. 2002) and incident response can be defined as “an organized approach to addressing and managing the aftermath of a security breach or cyberattack” (Chai et al. c.a. 2022). One can infer that DFIR is the fusion of digital forensics and incident response, applied to mitigate cyberattacks that were, to some degree, successful. In America, the job market for “information security analysts” is rapidly growing (Occupational Outlook Handbook n.d.) and DFIR tools can even be helpful in casual situations (Enoka 2022).
In their never-ending effort to educate the masses, “tryhackme” (2022) has devised a Christmas-themed room to teach various skills that have shown themselves to be useful in practical cybersecurity. This room introduces skill sets from different sub-domains of information security and uses a fictional story involving an evil yeti performing computer network operations against Santa Claus and his North Pole workshop. The room has the user take the role of the various “elves” working for Santa as cybersecurity specialists. Part of this room addresses DFIR, and I will cover the specific tasks that together make up the much larger task of analysing an email with a malicious payload attached to it.
The premise of the relevant subtasks is that a security engineer called Elf McBlue discovered an email that gives some reason to suspect malice. I will be discussing tasks 6, 7, 11, 12 and 13 and how I went from a suspicious email to working out the behaviour of a piece of malware and analysing packet captures.
Task 6 starts out with the assessment of a suspicious email. I began by booting up the virtual machine associated with this task and accessing it through “split screen.” I opened up the terminal and did a bit of “housekeeping work” to prepare for analysis:
ubuntu@ip-10-10-84-135:~$ cd Desktop
ubuntu@ip-10-10-84-135:~/Desktop$ mv "Urgent:.eml" Urgent.eml
ubuntu@ip-10-10-84-135:~/Desktop$
To analyse the suspicious email, I used the emlAnalyzer utility (Wahl n.d.) to get information pertaining to Urgent.eml:
ubuntu@ip-10-10-84-135:~/Desktop$ emlAnalyzer -i Urgent.eml --header --html -u --text --extract-all
==============
|| Header ||
==============
X-Pm-Content-Encryption.....end-to-end
X-Pm-Origin.................internal
Subject.....................Urgent: Blue section is down. Switch to the load share plan!
From........................Chief Elf <chief.elf@santaclaus.thm>
Date........................Tue, 6 Dec 2022 00:00:01 +0000
Mime-Version................1.0
Content-Type................multipart/mixed;boundary=---------------------03edd9c682a0c8f60d54b9e4bb86659f
To..........................elves.all@santaclaus.thm <elves.all@santaclaus.thm>
X-Attached..................Division_of_labour-Load_share_plan.doc
Message-Id..................<QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Pm-Spamscore..............3
Received....................from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000
X-Original-To...............elves.all@santaclaus.thm
Return-Path.................<murphy.evident@bandityeti.thm>
Delivered-To................elves.all@santaclaus.thm
=========================
|| URLs in HTML part ||
=========================
[+] No URLs found in the html
=================
|| Plaintext ||
=================
[+] Email contains no plaintext
============
|| HTML ||
============
<span>Dear Elves,</span><div><br></div><div><span>Due to technical problems in the blue section of our toy factory, we are having difficulties preparing some toys. </span></div><div><br></div><div><span>There
are a few days left to Christmas, so we need to use time efficiently to
prepare every wishlist we receive. Due to that, the blue section’s
workload is shared with the rest to avoid any toy production delay.</span></div><div><br></div><div><span>The detailed division of labour is included in the attached document.</span></div><div><br></div><div><span>Good luck to you all.</span></div><div><br></div><div><b><span>Chief Elf</span></b></div><div><br></div>
=============================
|| Attachment Extracting ||
=============================
[+] Attachment [1] “Division_of_labour-Load_share_plan.doc” extracted to eml_attachments/Division_of_labour-Load_share_plan.doc
ubuntu@ip-10-10-84-135:~/Desktop$
I notice a lot of useful information in this output:
- The From header gives the sender as chief.elf@santaclaus.thm.
- The To header gives the recipient as elves.all@santaclaus.thm.
- The Return-Path is murphy.evident@bandityeti.thm, which is on a different domain from the one the From header claims.
- The X-Pm-Spamscore header (the email's X-Spam score) is 3. An X-Spam score refers to a number assigned to an email by Apache SpamAssassin (n.d.) to express quantitatively whether or not it is a spam email (Rankin n.d.).
To further investigate whether or not Urgent.eml is a piece of spam, I looked up the sender email address on the Simple Email Reputation (n.d.) service to see what I could find. Figure 1 depicts my results:
This can be seen as a basis for further investigation. As part of its analysis, emlAnalyzer creates a folder called eml_attachments which contains the attachments extracted from the email file. The following is a list of the attachments that were extracted:
ubuntu@ip-10-10-84-135:~/Desktop$ ls -l eml_attachments
total 60
-rw-r--r-- 1 ubuntu ubuntu 57856 Dec 25 00:43 Division_of_labour-Load_share_plan.doc
ubuntu@ip-10-10-84-135:~/Desktop$
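The header checks above (the sender domain versus the Return-Path domain, the spam score, the attachment name) can be scripted so that they are applied the same way to every suspicious message. The following Python is an added example written for this article and is not part of the original write-up or of emlAnalyzer; the .eml text it parses is a constructed excerpt of the headers shown above with the body omitted, and the risky-extension list and the spam-score threshold are my own assumptions:

```python
import email
from email.utils import parseaddr

# Constructed .eml excerpt: the header lines reproduced from the emlAnalyzer
# output above, with the body omitted. It is not the original Urgent.eml.
SAMPLE_EML = """\
Subject: Urgent: Blue section is down. Switch to the load share plan!
From: Chief Elf <chief.elf@santaclaus.thm>
Date: Tue, 6 Dec 2022 00:00:01 +0000
To: elves.all@santaclaus.thm <elves.all@santaclaus.thm>
X-Attached: Division_of_labour-Load_share_plan.doc
Message-Id: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==>
X-Pm-Spamscore: 3
Received: from mail.santaclaus.thm by mail.santaclaus.thm; Tue, 6 Dec 2022 00:00:01 +0000
X-Original-To: elves.all@santaclaus.thm
Return-Path: <murphy.evident@bandityeti.thm>
Delivered-To: elves.all@santaclaus.thm

(body omitted)
"""

# Attachment extensions that warrant a closer look before anyone opens them
# (my own list for this example, not an exhaustive one).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".exe", ".js",
                    ".vbs", ".lnk", ".iso", ".zip"}
SPAM_SCORE_ALERT = 3  # threshold chosen for this example


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage_headers(raw_eml):
    """Pull the indicators an analyst checks first out of the headers."""
    msg = email.message_from_string(raw_eml)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))

    attachments = [a.strip() for a in (msg.get("X-Attached") or "").split(",")
                   if a.strip()]
    risky = [a for a in attachments
             if "." in a and "." + a.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS]

    score_raw = (msg.get("X-Pm-Spamscore") or "").strip()
    spam_score = int(score_raw) if score_raw.isdigit() else None

    findings = []
    # A Return-Path (envelope sender) on a different domain from the visible
    # From address is the classic header sign of a spoofed sender.
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append(f"envelope sender domain {return_path_domain} "
                        f"differs from From domain {from_domain}")
    if risky:
        findings.append("risky attachment type(s): " + ", ".join(risky))
    if spam_score is not None and spam_score >= SPAM_SCORE_ALERT:
        findings.append(f"spam score {spam_score}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "spam_score": spam_score,
        "attachments": attachments,
        "risky_attachments": risky,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_EML)["findings"]:
        print("[!]", line)
```

Run against the sample, the script reports all three findings: the bandityeti.thm envelope sender behind a santaclaus.thm From address, the .doc attachment, and the spam score of 3. The same function can be pointed at a real message with `triage_headers(open("Urgent.eml").read())`.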
A Microsoft Word (n.d.) document called Division_of_labour-Load_share_plan.doc was attached to the suspicious email. Given the “risky” nature of the email, some analysis of this document is in order. I used the sha256sum command to calculate the SHA-256 hash (Eastlake & Hansen 2011) of this document:
ubuntu@ip-10-10-84-135:~/Desktop/eml_attachments$ sha256sum Division_of_labour-Load_share_plan.doc
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467 Division_of_labour-Load_share_plan.doc
ubuntu@ip-10-10-84-135:~/Desktop/eml_attachments$
The hash can be seen as a unique identifier for this particular attachment, which I can use to query the databases of information security researchers who have already analysed this file. I looked up this hash on VirusTotal and was presented with the following results (figure 2, VirusTotal n.d.):
Given all this evidence, I will now proceed to analyse the attachment for what is most likely going to be malicious behaviour.
The previous task had me analyse a suspicious email, from which I extracted a (most likely) malicious Microsoft Word document. Here, I will use CyberChef (n.d.) to deobfuscate the malicious code embedded in the Word document and defang (Rowe & Rrushi 2016) the URLs it contains.
I started by opening CyberChef and loading the Division_of_labour-Load_share_plan.doc analysed earlier into it. Figure 3 depicts how I accomplished the latter:
I then created a recipe from the task's instructions. The following JSON is the recipe I came up with to transform the information found within the Word document into some useful threat intelligence:
[
{ "op": "Strings",
"args": ["Single byte", 258, "All printable chars (A)", false, false, false] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "[\\[\\]_\\n]" }, "", true, false, true, false] },
{ "op": "Drop bytes",
"args": [0, 124, false] },
{ "op": "From Base64",
"args": ["A-Za-z0-9+/=", true, false] },
{ "op": "Decode text",
"args": ["UTF-16LE (1200)"] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "['()+\"']" }, "", true, false, true, false] },
{ "op": "Find / Replace",
"args": [{ "option": "Regex", "string": "]b2H_" }, "http", true, false, true, false] },
{ "op": "Extract URLs",
"args": [false, false, false] },
{ "op": "Split",
"args": ["@", "\\n"] },
{ "op": "Defang URL",
"args": [true, true, true, "Valid domains and full URLs"] }
]
The following is the output when running this recipe against the Word document:
hxxps[://]cdn[.]bandityeti[.]thm/files/mysterygift[.]exe
hxxps[://]google[.]com/
hxxps[://]www[.]secretSanta[.]THM/Goldenticket/[redacted]
hxxps[://]cdn[.]bandityeti[.]THM/files/index/
That mysterygift.exe executable looks like a good candidate for further analysis.
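The recipe is easier to reason about once each CyberChef operation is seen as one line of code. The following Python is an added example written for this article, not the author's or CyberChef's code: it reimplements the recipe step by step with the constants taken from the JSON above (minimum string length 258, 124 dropped bytes, the ]b2H_ token standing in for http). Because the real attachment is not reproduced here, build_sample() constructs a stand-in document layered the same way the recipe unwinds it (quote-and-plus string concatenation, UTF-16LE, Base64, [ ] _ salting, a 124-byte prefix); the sample is constructed, not the real maldoc. The order of the steps matters: the [ ] _ \n strip runs on the Base64 text, where those characters cannot legitimately occur, so the ] and _ inside ]b2H_ in the decoded command survive.

```python
import base64
import re

# Constants taken from the CyberChef recipe in the article.
MIN_STRING_LEN = 258   # "Strings": minimum printable run length
DROP_BYTES = 124       # "Drop bytes": skip the non-payload prefix
HTTP_TOKEN = "]b2H_"   # the maldoc's stand-in for "http"


def extract_strings(data, min_len):
    """CyberChef 'Strings': printable runs of at least min_len bytes,
    joined with newlines (which the next step strips again)."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return "\n".join(r.decode("ascii") for r in runs)


def defang(url):
    """CyberChef 'Defang URL': make the indicator safe to paste into a report."""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def deobfuscate(doc, min_len=MIN_STRING_LEN, drop=DROP_BYTES):
    """Run the recipe over the document bytes and return defanged URLs."""
    text = extract_strings(doc, min_len)
    # Find/Replace [\[\]_\n] -> "": the salt and the Strings newlines are not
    # Base64 characters, so removing them here is lossless. This happens
    # BEFORE decoding, so the ']' and '_' of the http token are untouched.
    text = re.sub(r"[\[\]_\n]", "", text)[drop:]          # Drop bytes 0..124
    command = base64.b64decode(text).decode("utf-16-le")  # From Base64, UTF-16LE
    # Find/Replace ['()+"] -> "": collapse the concatenation noise, then
    # restore "http" from its token.
    command = re.sub(r"""['()+"]""", "", command).replace(HTTP_TOKEN, "http")
    urls = re.findall(r"""https?://[^\s"'<>]+""", command)  # Extract URLs
    # Split on "@": the URLs were glued together with that character.
    pieces = [p for u in urls for p in u.split("@") if p]
    return [defang(p) for p in pieces]


def build_sample():
    """Constructed stand-in for the maldoc (NOT the real attachment), layered
    the way the recipe above unwinds it."""
    command = ('"]b2H_s://cdn.bandityeti.thm/files/mysterygift.exe"+"@"+'
               '"]b2H_s://google.com/"')
    b64 = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    # Salt the Base64 with the characters the recipe strips.
    salted = "".join(c + ("[" if i % 7 == 0 else "_" if i % 11 == 0 else "")
                     for i, c in enumerate(b64))
    # 124 bytes of printable junk that 'Drop bytes' removes, with non-printable
    # bytes on either side so 'Strings' isolates the run.
    prefix = ("junk VBA prologue " * 10)[:DROP_BYTES]
    return b"\x00\x01\x02" + (prefix + salted).encode("ascii") + b"\x00\xff"


if __name__ == "__main__":
    for indicator in deobfuscate(build_sample()):
        print(indicator)
```

Against a real file the call is `deobfuscate(open(path, "rb").read())`; the two offsets are specific to this document and would have to be re-derived for any other sample, exactly as they were when the recipe was built in CyberChef.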
In the previous task, I worked out four (4) URLs associated with a malicious Word document. One of the URLs points to an executable called mysterygift.exe that is hosted on the domain cdn.bandityeti.thm. The Bandit Yeti has been successful in installing their malware onto some computer systems in the North Pole workshop, so analysing a memory dump of an infected system may give us a “peep behind the scenes.”
The Volatility Framework (Volatility Foundation n.d.) is the “go to” memory forensics tool for DFIR and other computer science applications. To start off, I booted the virtual machine associated with this task and ran the windows.info plugin against the workstation.vmem dump, so that I could instruct Volatility to do its analysis under the correct assumptions about the specific operating system running on the infected system:
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.info
Volatility 3 Framework 2.4.1
Progress:  100.00   PDB scanning finished
Variable                          Value
Kernel Base                       0xf803218a8000
DTB                               0x1ad000
Symbols                           file:///home/elfmcblue/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1.json.xz
Is64Bit                           True
IsPAE                             False
layer_name                        0 WindowsIntel32e
memory_layer                      1 FileLayer
KdVersionBlock                    0xf80321cd23c8
Major/Minor                       15.18362
MachineType                       34404
KeNumberProcessors                4
SystemTime                        2022-11-23 10:15:56
NtSystemRoot                      C:\Windows
NtProductType                     NtProductWinNt
NtMajorVersion                    10
NtMinorVersion                    0
PE MajorOperatingSystemVersion    10
PE MinorOperatingSystemVersion    0
PE Machine                        34404
PE TimeDateStamp                  Mon Apr 14 21:36:50 2104
elfmcblue@aoc2022-day-11:~/volatility3$
This room only has its users perform a cursory, preliminary analysis of the workstation.vmem memory dump. I started off by getting a list of running processes:
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00   PDB scanning finished
PID   PPID  ImageFileName   Offset(V)       Threads  Handles  SessionId  Wow64  CreateTime                  ExitTime  File output
4     0     System          0xc0090b286040  141      -        N/A        False  2022-11-23 09:43:13.000000  N/A       Disabled
104   4     Registry        0xc0090b2dd080  4        -        N/A        False  2022-11-23 09:43:04.000000  N/A       Disabled
316   4     smss.exe        0xc0090e438400  2        -        N/A        False  2022-11-23 09:43:13.000000  N/A       Disabled
436   428   csrss.exe       0xc0090ea65140  10       -        0          False  2022-11-23 09:43:18.000000  N/A       Disabled
512   504   csrss.exe       0xc0090f35e140  12       -        1          False  2022-11-23 09:43:19.000000  N/A       Disabled
536   428   wininit.exe     0xc0090f2c0080  1        -        0          False  2022-11-23 09:43:19.000000  N/A       Disabled
584   504   winlogon.exe    0xc0090f383080  3        -        1          False  2022-11-23 09:43:19.000000  N/A       Disabled
656   536   services.exe    0xc0090e532340  5        -        0          False  2022-11-23 09:43:20.000000  N/A       Disabled
680   536   lsass.exe       0xc0090f3a5080  6        -        0          False  2022-11-23 09:43:20.000000  N/A       Disabled
792   656   svchost.exe     0xc0090fa33240  12       -        0          False  2022-11-2
[… snip …]
2040  5888  mysterygift.ex  0xc0090b52e4c0  3        -        1          False  2022-11-23 10:15:19.000000  N/A       Disabled
[… snip …]
From this output, I learn that the process ID (PID) of mysterygift.exe is 2040. I then dumped the file objects cached in workstation.vmem for further analysis:
elfmcblue@aoc2022-day-11:~/volatility3$ python3 vol.py -f workstation.vmem windows.dumpfiles
Volatility 3 Framework 2.4.1
Progress:  100.00   PDB scanning finished
Cache              FileObject      FileName                       Result
DataSectionObject  0xc0090ba87280  USBXHCI.SYS.mui                Error dumping file
DataSectionObject  0xc0090e5cad50  EtwRTEventlog-Security.etl     Error dumping file
SharedCacheMap     0xc0090e5cad50  EtwRTEventlog-Security.etl     Error dumping file
DataSectionObject  0xc0090e5c8680  EtwRTEventLog-Application.etl  Error dumping file
SharedCacheMap     0xc0090e5c8680  EtwRTEventLog-Application.etl  Error dumping file
DataSectionObject  0xc0090e5c9930  EtwRTDefenderAuditLogger.etl   Error dumping file
[… snip …]
The output reported some errors while dumping the files, but I nonetheless proceeded to the next phase of analysis.
The malicious implant is stored in an executable called mysterygift.exe. In the previous task, I dumped it to a file on disk; in this task, I will analyse its behaviour with static and dynamic analysis techniques.
As usual, I started the virtual machine associated with this task and then proceeded to log in to it. I then did a bit of housekeeping work in the command prompt before getting to analysis:
FLARE
C:\Users\Administrator>cd Desktop\"Malware Sample"
FLARE
C:\Users\Administrator\Desktop\Malware Sample>mv mysterygift mysterygift.exe
I started by analysing the binary's properties with Detect It Easy (“Hors” n.d.) — this allows me to see whether any packing has been applied to the executable to decrease its file size or make analysis more difficult. Figure 4 depicts the results of the preliminary analysis:
From these results, I can see that the binary is packed with UPX (upx n.d.), which makes it more difficult to analyse. To mitigate this difficulty, I unpacked it with the upx utility installed on the task's virtual machine:
FLARE
C:\Users\Administrator\Desktop\Malware Sample>upx -d mysterygift.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96w Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    502169 <-    227737   45.35%    win64/pe     mysterygift.exe
Unpacked 1 file.
FLARE
C:\Users\Administrator\Desktop\Malware Sample>
I then ran capa (Ballenthin & Raabe 2020) against mysterygift.exe to get more of an idea of its behaviour:
C:\Users\Administrator\Desktop\Malware Sample>capa mysterygift.exe
loading : 100%|████████████████████████████████████████████████████████████| 485/485 [00:00<00:00, 1724.35 rules/s]
matching: 100%|██████████████████████████████████████████████████████████████| 573/573 [00:17<00:00, 33.21 functions/s]
[… snip …]
Table 1 depicts the output of capa when run on mysterygift.exe:
A lot of useful information can be gathered from this output — such as which capabilities the malware displays according to the MITRE ATT&CK Framework (n.d.) and which specific behaviours it exhibits. In particular, the malware sample employs some anti-analysis techniques, performs data collection (and possible exfiltration), and runs at logon through an entry in the Windows Registry (White et al. 2021) and the Startup folders (Microsoft Learn n.d.).
To get a better idea of how the malware behaves, I employed some basic dynamic analysis with Process Monitor (Russinovich 2022). I configured Process Monitor to narrow down the information to events whose process name is mysterygift.exe (see figure 5):
I then configured Process Monitor to collect information regarding how the malware interacts with the Windows Registry, the file system, the network and other features of the computer system. Figure 6 depicts this:
Doing this analysis reveals a lot of useful information:
- The malware writes to the Run key of the current user in the Windows Registry. Specifically, it writes the value C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat into the Run key.
- It creates two files, test.jpg and wishes.bat, under the Administrator folder. Specifically, wishes.bat is placed in the Administrator's start-up folder.
- It communicates with the domains bestfestivalcompany.thm and virustotal.com — it starts by accessing a file on the former domain called favicon.ico.
This is all very interesting — especially the network communications. I will now proceed to analyse how the malware communicates with the bestfestivalcompany.thm domain.
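The three findings above map onto checks that can be run over a Process Monitor CSV export instead of being read off the GUI filter by filter. The following Python is an added example written for this article and is not part of the original write-up or of Process Monitor; the CSV rows are constructed to mirror the behaviour described above (the column names follow Procmon's default CSV export, which is an assumption about the tool, not something the article shows), and the autostart-location patterns cover only the Run/RunOnce keys and the Start Menu Startup folder:

```python
import csv
import io
import re

# Constructed Procmon-style CSV export. The rows are invented to mirror the
# behaviour described in the article; this is not a real capture.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:19.1","mysterygift.exe","2040","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wishes","SUCCESS","Type: REG_SZ, Length: 200, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat"
"10:15:19.2","mysterygift.exe","2040","CreateFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat","SUCCESS","Desired Access: Generic Write"
"10:15:19.3","mysterygift.exe","2040","CreateFile","C:\Users\Administrator\test.jpg","SUCCESS","Desired Access: Generic Write"
"10:15:20.0","mysterygift.exe","2040","TCP Connect","workstation:49812 -> bestfestivalcompany.thm:https","SUCCESS","Length: 0"
"10:15:20.5","mysterygift.exe","2040","TCP Connect","workstation:49813 -> virustotal.com:https","SUCCESS","Length: 0"
"10:15:21.0","explorer.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Data: 1"
"""

# Autostart locations this triage looks for (case-insensitive).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Procmon network paths read "localhost:port -> remotehost:port".
REMOTE_HOST_RE = re.compile(r"->\s*(.+?):[^:]+$")
REG_DATA_RE = re.compile(r"Data: (.*)$")


def triage_procmon(csv_text, process_name):
    """Group one process's events into the persistence and network indicators
    an analyst pulls out of a Process Monitor capture."""
    result = {"run_key_values": [], "startup_files": [], "destinations": []}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and RUN_KEY_RE.search(path):
            # Keep the value name and the command it points at.
            m = REG_DATA_RE.search(detail)
            result["run_key_values"].append((path, m.group(1) if m else ""))
        elif op in ("CreateFile", "WriteFile") and STARTUP_DIR_RE.search(path):
            if path not in result["startup_files"]:
                result["startup_files"].append(path)
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            m = REMOTE_HOST_RE.search(path)
            if m and m.group(1) not in result["destinations"]:
                result["destinations"].append(m.group(1))
    return result


if __name__ == "__main__":
    report = triage_procmon(SAMPLE_CSV, "mysterygift.exe")
    for value_name, command in report["run_key_values"]:
        print("Run key:", value_name, "->", command)
    for path in report["startup_files"]:
        print("Startup folder file:", path)
    for host in report["destinations"]:
        print("Network destination:", host)
```

On the sample this reports the wishes value in the HKCU Run key (pointing at wishes.bat), the wishes.bat file written into the Startup folder, and the two remote hosts, while the unrelated explorer.exe event is ignored. The same function works on a real export via `triage_procmon(open("Logfile.CSV", encoding="utf-8-sig").read(), "mysterygift.exe")`.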
In the previous task, I observed that the mysterygift.exe malware communicates with a domain called bestfestivalcompany.thm. I used Wireshark (n.d.) to analyse a packet capture and will just briefly discuss my findings here:
- The User-Agent of the HTTP requests is Nim httpclient/1.6.8. A little research reveals that the dropper may have been written in the Nim Programming Language (n.d.).
- The SHA-256 hash of the mysterygift.exe file is 0ce160a54d10f8e81448d0360af5c2948ff6a4dbb493fe4be756fc3e2c3f900f.
I think that this is enough analysis of the malware artifacts left by the intruder to respond to the incident.
Other TryHackMe users have written up their experiences on these Advent of Cyber 4 tasks regarding the DFIR tasks that I did in this article (Bargan 2022a; Nagaraj 2022a; Shapiro n.d.; Breth n.d.; Bargan 2022b; Nagaraj 2022b). These students, researchers and other kinds of TryHackMe users all had their own interesting approach and take on the DFIR techniques presented in this room.
I felt that I could try something a tad different by chaining the related tasks together and showing how they relate to one another. I omitted details that I personally felt were irrelevant in an attempt to improve this article’s readability.
A weakness of this article is that I did not report all of the information asked for by the tasks. Nonetheless, I do feel that I offered a perspective on basic digital forensics and incident response techniques that will enable would-be SOC analysts to gather useful threat intelligence, which can be used to mitigate attacks carried out by malicious hackers.
Hopefully, I have convinced the reader that digital forensics and incident response skills are useful for the defensive and perhaps even offensive sides of information security. Regarding the defensive side of security engineering, these techniques can help catch a malicious hacker. But for the offensive side of security engineering, the information in this article can be used to establish a simple baseline for testing defense evasion strategies when engaging in penetration testing.
Apache SpamAssassin (n.d.). Retrieved on Dec. 24, 2022 from: https://spamassassin.apache.org/
Ballenthin, W. & Raabe, M. (2020). capa: Automatically Identify Malware Capabilities. Mandiant. Retrieved on Dec. 24, 2022 from: https://www.mandiant.com/resources/blog/capa-automatically-identify-malware-capabilities
Bargan, S. P. (2022a). TryHackMe Advent of Cyber 2022 [Day 6] It’s beginning to look a lot like phishing — No Answers 😛. InfoSec Write-ups. Retrieved on Dec. 24, 2022 from: https://infosecwriteups.com/tryhackme-advent-of-cyber-2022-day-6-its-beginning-to-look-a-lot-like-phishing-no-answers-p-66b57be74cb3
Bargan, S. P. (2022b). TryHackMe Advent of Cyber 2022 [Day 7] Maldocs roasting on an open fire — No Answers 😛. InfoSec Write-ups. Retrieved on Dec. 24, 2022 from: https://infosecwriteups.com/tryhackme-advent-of-cyber-2022-day-7-maldocs-roasting-on-an-open-fire-no-answers-p-d9d90522bc94
Berghel, H. (2015). A Farewell to Air Gaps, Part 1. In Computer (Vol. 48, Issue 6, pp. 64–68). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/mc.2015.179
Both, D. (2019). Combating Spam. In Using and Administering Linux: Volume 3 (pp. 187–213). Apress. https://doi.org/10.1007/978-1-4842-5485-1_9
Breth, J. (n.d.). TryHackMe Advent of Cyber 2022 Walkthroughs. J.B.C. Security. Retrieved on Dec. 24, 2022 from: https://jbcsec.com/advent-of-cyber-2022/
Chai, W., Beaver K. & Rosencrance, L. (c.a. 2022). What is Incident Response? TechTarget. Retrieved on Dec. 24, 2022 from: https://www.techtarget.com/searchsecurity/definition/incident-response
CyberChef (n.d.). Retrieved on Dec. 24, 2022 from: https://gchq.github.io/CyberChef/
Eastlake, D. & Hansen, T. (2011). US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). Internet Engineering Task Force. Retrieved on Dec. 24, 2022 from: https://www.rfc-editor.org/rfc/rfc6234
Enoka, S. (2022). Cybersecurity for Small Networks: A No-Nonsense Guide for the Reasonably Paranoid. No Starch Press.
Finio, B. (2021). Hacking the Air Gap: Stealing Data from a Computer that isn’t Connected to the Internet. Retrieved on Dec. 24, 2022 from: https://www.sciencebuddies.org/science-fair-projects/project-ideas/Cyber_p006/cybersecurity/air-gap-computer-hacking
Greenberg, A. (2018). Mind the Gap: This Researcher Steals Data With Noise, Light, and Magnets. WIRED Magazine. Retrieved on Dec. 24, 2022 from: https://www.wired.com/story/air-gap-researcher-mordechai-guri/
“Hors” (n.d.). Detect It Easy: Program for determining types of files for Windows, Linux and MacOS. GitHub Repository. Retrieved on Dec. 24, 2022 from: https://github.com/horsicq/Detect-It-Easy
Johansen, G. (2017). Digital Forensics and Incident Response: A practical guide to deploying digital forensic techniques in response to cyber security incidents. Packt Publishing.
“kuraxmasha” (n.d.). Miraculous Ladybug Anime 1. Wattpad. Retrieved on Dec. 25, 2022 from: https://www.wattpad.com/713896884-miraculous-ladybug-and-chat-noir-picture
Liang et al. (2021). Understanding the Remote Desktop Protocol (RDP). Microsoft Learn. Retrieved on Dec. 24, 2022 from: https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol
Microsoft Learn (n.d.). Add an app to run automatically at startup in Windows 10. Retrieved on Dec. 24, 2022 from: https://support.microsoft.com/en-us/windows/add-an-app-to-run-automatically-at-startup-in-windows-10-150da165-dcd9-7230-517b-cf3c295d89dd
Microsoft Word (n.d.). Retrieved on Dec. 24, 2022 from: https://www.microsoft.com/en-us/microsoft-365/word
Miraculous Ladybug (2022). MIRACULOUS | 🐞❄️ SANTA CLAWS ❄️🐾 | Full Episode | Tales of Ladybug & Cat Noir. YouTube Video. Retrieved on Dec. 25, 2022 from: https://youtu.be/tUzcGXXtXF8
MITRE ATT&CK Framework (n.d.). Retrieved on Dec. 24, 2022 from: https://attack.mitre.org/
Montasari, R., Carpenter, V., & Hill, R. (2019). A road map for digital forensics research: a novel approach for establishing the design science research process in digital forensics. In International Journal of Electronic Security and Digital Forensics (Vol. 11, Issue 2, p. 194). Inderscience Publishers. https://doi.org/10.1504/ijesdf.2019.098784
Nagaraj, K. (2022a). Advent of Cyber 2022 [Day6] Email Analysis — It’s beginning to look a lot like phishing by Karthikeyan Nagaraj. InfoSec Write-ups. Retrieved on Dec. 24, 2022 from: https://infosecwriteups.com/advent-of-cyber-2022-day5-email-analysis-its-beginning-to-look-a-lot-like-phishing-by-978dab792ebf
Nagaraj, K. (2022b). Advent of Cyber 2022 [Day 12]-Malware Analysis Forensic McBlue to the REVscue! Write up. InfoSec Write-ups. Retrieved on Dec. 24, 2022 from: https://infosecwriteups.com/advent-of-cyber-2022-day-12-malware-analysis-forensic-mcblue-to-the-revscue-write-up-44fc80e95c7
Nim Programming Language (n.d.). Retrieved on Dec. 24, 2022 from: https://nim-lang.org/
Occupational Outlook Handbook (n.d.). Information Security Analysts. Bureau of Labor Statistics. Retrieved on Dec. 24, 2022 from: https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
Rankin, K. (n.d.). Hack and / — Spam: the Ham Hack. Association for Computing Machinery. Retrieved on Nov. 24, 2022 from: https://dl.acm.org/doi/fullHtml/10.5555/1631670.1631679
Reith, M., Carr, C. & Gunsch, G. (2002). An Examination of Digital Forensic Models. In International Journal of Digital Evidence (Vol. 1, Issue 3). Utica University. https://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf
Rowe, N. C., & Rrushi, J. (2016). Defensive Social Engineering. In Introduction to Cyberdeception (pp. 121–131). Springer International Publishing. https://doi.org/10.1007/978-3-319-41187-3_10
Russinovich, M. (2022). Process Monitor v3.92. Microsoft Learn. Retrieved on Dec. 24, 2022 from: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Shapiro, S. (n.d.). Advent of Cyber 2022 — Day 6 Walkthrough. Electronics Reference. Retrieved on Dec. 24, 2022 from: https://electronicsreference.com/thm/advent-of-cyber-2022/day-6/
Simple Email Reputation (n.d.). Retrieved on Dec. 24, 2022 from: https://emailrep.io/
“tryhackme” et al. (2022). Advent of Cyber 2022: Get started with Cyber Security in 24 Days — learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas. TryHackMe. Retrieved on Dec. 24, 2022 from: https://tryhackme.com/room/adventofcyber4
upx (n.d.). the Ultimate Packer for eXecutables. Retrieved on Dec. 24, 2022 from: https://upx.github.io/
VirusTotal (n.d.). File-0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467. Retrieved on Dec. 24, 2022 from: https://www.virustotal.com/gui/file/0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
Volatility Foundation (n.d.). Open Source Memory Forensics. Retrieved on Dec. 24, 2022 from: https://www.volatilityfoundation.org/
Wahl, F. (n.d.). emlAnalyzer: A cli script to analyze an E-Mail in the eml format for viewing the header, extracting attachments etc. GitHub Repository. Retrieved on Dec. 24, 2022 from: https://github.com/wahlflo/eml_analyzer
White, S. et al. (2021). Registry. Microsoft Learn. Retrieved on Dec. 24, 2022 from: https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry
Wireshark (n.d.). Retrieved on Dec. 24, 2022 from: https://www.wireshark.org/