
MSc Cybersecurity — Robert Gordon University

Digital Forensics Investigation — Insider Threat

May 2024
Tags: Cybersecurity, Digital Forensics, Incident Response, Autopsy, Volatility, SOC

Performed a full forensic investigation analysing disk images, memory captures, and network traffic to identify evidence of insider misconduct. Reconstructed the attack timeline and produced a professional incident report using Autopsy and Volatility.

Overview

This MSc project simulated a corporate insider threat investigation. Evidence had been collected from a suspected malicious insider — disk images, memory captures, and network traffic logs. The task was to perform a forensically sound investigation, reconstruct the timeline of events, and produce a professional report that could support an HR or legal process.

Investigation Methodology

The investigation followed a structured digital forensics process:

  1. Evidence preservation — verified hash integrity of all evidence files before analysis; maintained chain of custody documentation
  2. Disk image analysis — examined the file system for deleted files, modified timestamps, and artefacts of data exfiltration
  3. Memory analysis — analysed RAM capture for running processes, network connections, and artefacts not visible on disk
  4. Network traffic analysis — correlated network logs with disk and memory findings to identify external data transfers
  5. Timeline reconstruction — built a chronological sequence of events from all three evidence sources
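The first step above, verifying evidence hashes before any analysis touches the files, is the one most worth scripting so it is repeatable and leaves a record. The following is an added example, not code from the project: it streams each evidence file through SHA-256, compares the digest with an acquisition-time manifest, and emits a chain-of-custody entry. The file names, the manifest layout and the examiner identifier are all constructed for the demonstration; one file is deliberately altered after hashing so the mismatch path is exercised.

```python
"""Evidence integrity check: verify SHA-256 digests against an acquisition
manifest and record a chain-of-custody entry.
Added illustration, not the project's own tooling. Every file name, the
manifest format and the examiner id are constructed for this example."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash large images in 1 MiB pieces instead of reading whole


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: dict, base_dir: Path) -> dict:
    """Compare each evidence item with the digest recorded at acquisition.

    Returns {name: "ok" | "MISMATCH" | "MISSING"}; any value other than "ok"
    means analysis must not start until the discrepancy is explained.
    """
    results = {}
    for name, expected in manifest.items():
        path = base_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        results[name] = "ok" if sha256_file(path) == expected.lower() else "MISMATCH"
    return results


def custody_entry(examiner: str, action: str, results: dict) -> dict:
    """One chain-of-custody record: who, what, when (UTC) and the outcome."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "evidence": results,
    }


def build_sample_evidence() -> tuple:
    """Construct a throw-away evidence set (three small stand-in files) and
    its manifest, then alter one file to simulate post-acquisition tampering."""
    base = Path(tempfile.mkdtemp(prefix="evidence_"))
    files = {
        "disk.E01": b"constructed disk image bytes",
        "memory.raw": b"constructed memory capture bytes",
        "traffic.pcap": b"constructed pcap bytes",
    }
    for name, data in files.items():
        (base / name).write_bytes(data)
    manifest = {name: sha256_file(base / name) for name in files}
    # Modify one item after the manifest was taken: this must be detected.
    (base / "traffic.pcap").write_bytes(b"constructed pcap bytes, altered")
    return base, manifest


if __name__ == "__main__":
    base, manifest = build_sample_evidence()
    results = verify_manifest(manifest, base)
    entry = custody_entry("examiner-01", "pre-analysis hash verification", results)
    print(json.dumps(entry, indent=2))
```

In practice the manifest is the hash list produced by the imaging tool (FTK Imager writes one alongside the image) and the custody entries are appended to a log that is itself hashed at the end of the engagement; re-running the check after analysis shows the evidence was not altered while it was in the examiner's hands.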

Evidence Analysed

  • Disk image — Windows NTFS volume; file system artefacts, browser history, recently accessed files, deleted file recovery
  • Memory capture — active processes, injected code, network socket state, recently accessed credentials
  • Network logs — outbound connection records, data volume by destination, protocol analysis

Tools Used

  • Autopsy — disk image analysis, file recovery, timeline generation
  • Volatility — memory forensics framework for Windows memory analysis
  • Wireshark — network traffic examination
  • FTK Imager — evidence verification and hash validation

Findings

Evidence established that the subject had:

  • Accessed and copied confidential HR and financial records outside of normal working hours
  • Used a personal cloud storage service to exfiltrate documents — confirmed by network logs and browser artefacts
  • Attempted to delete activity traces — recovered via file system analysis and memory artefacts
  • Connected a personal USB device — confirmed by Windows registry artefacts (SetupAPI logs, USBSTOR entries)

The reconstructed timeline spanned three weeks of activity prior to the investigation being initiated.

Deliverable

Professional forensic investigation report suitable for HR and legal proceedings, containing: executive summary, methodology, detailed technical findings with evidence references, timeline reconstruction, and conclusions with confidence ratings.

Key Learnings

Digital forensics requires methodological rigour that cannot be shortcut. Evidence integrity (hash verification, chain of custody) is not bureaucracy — it is what makes findings defensible. Memory analysis often reveals what disk analysis misses, particularly for attackers who use fileless techniques or attempt to clear disk artefacts. The discipline of correlating evidence across disk, memory, and network sources is what separates a comprehensive investigation from an incomplete one.
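The cross-source correlation described here, and the timeline reconstruction behind the Findings above, come down to one mechanical task: normalise every artefact to UTC, sort, and then look for patterns that only appear when sources are placed side by side. The block below is an added example and not the project's code. It merges constructed disk, memory and network events (the hosts, paths, domains and timestamps are invented; NTFS and memory timestamps are treated as already UTC, the network log as local time with an assumed +1 h offset) and flags two of the patterns the investigation reported: confidential-file access or USB insertion outside assumed working hours, and an upload to an assumed personal cloud domain within 30 minutes of a confidential-file access.

```python
"""Cross-source timeline reconstruction and correlation.
Added illustration, not the project's tooling. All events, hostnames, paths,
domains, the working-hours policy and the time-zone offsets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed site policy values for the example.
SITE_TZ = timezone(timedelta(hours=1))           # local zone used for "after hours"
WORK_START, WORK_END = 8, 18                     # working hours in local time
LINK_WINDOW = timedelta(minutes=30)              # access -> upload linking window
CONFIDENTIAL_PREFIXES = ("\\HR\\", "\\Finance\\")
CLOUD_DOMAINS = ("personal-drive.example",)      # constructed personal-cloud domain


@dataclass(frozen=True)
class Event:
    when: datetime   # timezone-aware, normalised to UTC
    source: str      # "disk" | "memory" | "network"
    kind: str        # "file_access" | "usb_insert" | "process" | "upload"
    detail: str


def parse_event(source: str, kind: str, ts: str, detail: str, tz_offset_hours: int = 0) -> Event:
    """Turn a per-source local timestamp plus its UTC offset into a UTC Event."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    aware = local.replace(tzinfo=timezone(timedelta(hours=tz_offset_hours)))
    return Event(aware.astimezone(timezone.utc), source, kind, detail)


# Constructed artefacts. Disk (NTFS $STANDARD_INFORMATION) and memory are UTC;
# the network appliance logged in local time (+1).
SAMPLE_EVENTS = [
    parse_event("disk", "file_access", "2024-04-12 21:05:40", "C:\\Shares\\HR\\salaries.xlsx"),
    parse_event("memory", "process", "2024-04-12 21:10:02", "browser.exe pid 4120 -> 203.0.113.10:443"),
    parse_event("network", "upload", "2024-04-12 22:20:15", "203.0.113.10 personal-drive.example 48 MB out", 1),
    parse_event("disk", "usb_insert", "2024-04-15 20:30:00", "USBSTOR\\Disk&Ven_Constructed&Prod_Stick"),
    parse_event("disk", "file_access", "2024-04-10 10:15:00", "C:\\Shares\\Finance\\q1-report.xlsx"),
    parse_event("network", "upload", "2024-04-10 13:00:00", "203.0.113.10 personal-drive.example 2 MB out", 1),
]


def build_timeline(events) -> list:
    """Single chronological sequence across all sources."""
    return sorted(events, key=lambda e: e.when)


def is_after_hours(e: Event) -> bool:
    return not (WORK_START <= e.when.astimezone(SITE_TZ).hour < WORK_END)


def is_confidential(e: Event) -> bool:
    return e.kind == "file_access" and any(p in e.detail for p in CONFIDENTIAL_PREFIXES)


def flag_findings(timeline) -> list:
    """Walk the merged timeline once and emit correlated findings in order."""
    findings, recent_conf = [], []
    for e in timeline:
        if (is_confidential(e) or e.kind == "usb_insert") and is_after_hours(e):
            findings.append({"flag": "after_hours", "event": e, "linked_to": None})
        if is_confidential(e):
            recent_conf.append(e)
        if e.kind == "upload" and any(d in e.detail for d in CLOUD_DOMAINS):
            # Keep only accesses still inside the linking window, then link the latest.
            recent_conf = [c for c in recent_conf if e.when - c.when <= LINK_WINDOW]
            if recent_conf:
                findings.append({"flag": "exfil_link", "event": e, "linked_to": recent_conf[-1]})
    return findings


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    for e in timeline:
        print(f"{e.when.isoformat()}  {e.source:8}{e.kind:12}{e.detail}")
    for f in flag_findings(timeline):
        link = f" (linked to {f['linked_to'].when.isoformat()})" if f["linked_to"] else ""
        print(f"FLAG {f['flag']}: {f['event'].detail}{link}")
```

The 10 April access is deliberately inside working hours and more than 30 minutes before the next upload, so it produces no finding; the 12 April sequence (access, browser socket in memory, upload within 15 minutes) is what the timeline makes visible even though no single source shows it alone. The working-hours policy, the linking window and the domain list are the investigator's inputs, not properties of the evidence, and belong in the report's methodology section.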