DF (Digital Forensics) is a module in Semester 2.2 of the Cybersecurity and Digital Forensics (CSF) course at Ngee Ann Polytechnic (NP).
This repository documents a forensic investigation of a data exfiltration incident involving a malicious USB device, cross-environment execution (Windows host and WSL), and a Discord-based command-and-control (C2) channel. The incident is reconstructed through structured analysis of the artefacts each environment left behind.
The investigation emphasises:
- Windows host artefact analysis
- Removable media (USB) examination
- LNK (shortcut) file analysis
- Windows Subsystem for Linux (WSL) artefact tracing
- Discord-based Command & Control (C2) activity correlation
- Timeline reconstruction
The goal was to establish a coherent sequence of events across multiple environments without relying on assumptions.
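A practical first step towards that coherent sequence is to normalise every timestamp to UTC before ordering anything, because the three environments in this case record time differently. The Python below is an added example, not code from this repository: it converts a Windows FILETIME (LNK headers, Prefetch, registry key last-write times), Unix epoch seconds (WSL file times and journal entries) and the timestamp embedded in a Discord message or attachment ID (a snowflake, whose upper bits count milliseconds from 2015-01-01 UTC), then merges constructed sample events into one sorted timeline. The event values, descriptions and the `bot.service` unit name are assumptions for illustration, not evidence from the case.

```python
"""Merge Windows, WSL and Discord timestamps into one UTC timeline.

Added example; every event in SAMPLE_EVENTS is constructed, not case data.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, base of Discord snowflake IDs


def from_filetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 (LNK, Prefetch, registry) -> UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def from_unix(seconds):
    """Unix epoch seconds (WSL stat() times, systemd journal) -> UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def from_snowflake(snowflake):
    """Discord ID: bits 22 and up hold milliseconds since DISCORD_EPOCH_MS."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def to_snowflake(dt, worker=1, process=0, increment=0):
    """Inverse of from_snowflake (ms | worker | process | increment); used here
    only to construct a sample ID with a known timestamp."""
    ms = int(dt.timestamp() * 1000) - DISCORD_EPOCH_MS
    return (ms << 22) | (worker << 17) | (process << 12) | increment


def build_timeline(events):
    """events: (source, raw_value, converter, description) -> rows sorted by UTC time."""
    return sorted((conv(raw), src, desc) for src, raw, conv, desc in events)


# Constructed sample events (hypothetical values), deliberately out of order.
# FILETIME = (unix_seconds + 11644473600) * 10**7; the two below are
# 2024-03-14 09:27:10Z and 09:26:53Z.
SAMPLE_EVENTS = [
    ("windows", 133548820300000000, from_filetime, "Prefetch: LNK target executed"),
    ("windows", 133548820130000000, from_filetime, "USBSTOR key last write (device inserted)"),
    ("discord", to_snowflake(datetime(2024, 3, 14, 9, 28, 2, 500000, tzinfo=timezone.utc)),
     from_snowflake, "bot message carrying an attachment"),
    ("wsl", 1710408455, from_unix, "journal: bot.service started"),  # 09:27:35Z
]

if __name__ == "__main__":
    for when, src, desc in build_timeline(SAMPLE_EVENTS):
        print(f"{when.isoformat()}  {src:8}  {desc}")
```

Keeping the raw value and its source beside the converted time makes each row auditable: a reviewer can recompute any entry from the original artefact rather than trusting the merged output.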
The case involved:
- A USB device introduced into a Windows workstation
- Execution activity linked to a suspicious LNK file
- PowerShell script-based activity within the Windows environment
- Malware execution observed inside WSL
- Communication and data exfiltration via a Discord bot
The investigation covered:
- Analysis of removable media artefacts
- Shortcut (LNK) file metadata examination
- Browser artefact review on the attacker machine
- PowerShell console history analysis on the attacker machine
- Identification of malware activity inside WSL
- Evidence of systemd-managed execution within the Linux subsystem
- PowerShell script activity used to deploy and install the bot into WSL
- Cross-environment interaction between Windows host and WSL filesystem
- Reverse engineering of Python-based malware
- Analysis of remote command execution behaviour
- Correlation between local artefacts and Discord-based data transmission
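As an added illustration of the shortcut and removable-media examination listed above (this is not code from the repository), the Python below parses the parts of a `.lnk` file that matter most when a shortcut arrives on a USB stick: the header timestamps and ShowCommand, the LinkInfo VolumeID (drive type and serial of the volume the shortcut was created against) and LocalBasePath, and the StringData arguments that reveal what the target is actually asked to run. The shortcut it parses is constructed in `build_sample_lnk()`; the paths, volume label, serial number and PowerShell arguments are hypothetical. Field layouts follow MS-SHLLINK.

```python
"""Minimal MS-SHLLINK (.lnk) parser for triaging a suspicious shortcut.

Added example; the shortcut it parses is constructed in build_sample_lnk().
"""
import struct
from datetime import datetime, timedelta, timezone

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimised


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstr(data, off):
    """NUL-terminated ANSI string at data[off:]."""
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Parse ShellLinkHeader, LinkInfo (VolumeID + LocalBasePath) and StringData.
    The IDList is skipped and ExtraData (e.g. TrackerDataBlock) is not decoded."""
    hdr_size, clsid, flags, attrs, ct, at, wt, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"flags": flags, "file_attributes": attrs, "target_size": fsize,
            "creation_time": filetime_to_dt(ct), "access_time": filetime_to_dt(at),
            "write_time": filetime_to_dt(wt),
            "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize prefix + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, li)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            _, drive_type, serial = struct.unpack_from("<3I", data, li + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["volume_serial"] = f"{serial:08X}"
            info["local_base_path"] = _cstr(data, li + base_off)
        pos = li + li_size
    for field, bit in STRING_FIELDS:             # StringData, in this fixed order
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]   # character count, no NUL
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + n * width]
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return info


def triage(info):
    """Indicators that make a parsed shortcut worth a closer look."""
    reasons = []
    target = info.get("local_base_path", "").lower()
    args = info.get("arguments", "").lower()
    if target.endswith(("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")):
        reasons.append("target is a command/script interpreter")
    if any(t in args for t in ("-w hidden", "-windowstyle hidden", "-enc", "bypass", "iex")):
        reasons.append("arguments hide the window or weaken execution policy")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (starts minimised)")
    return reasons


def build_sample_lnk():
    """Constructed sample: a PowerShell shortcut as it might sit on a USB stick."""
    def ft(dt):
        return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    created = datetime(2024, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQI", 0x4C, LNK_CLSID, flags, 0x20,
                         ft(created), ft(created), ft(created), 0)
    header += struct.pack("<iIHHII", 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)  # 76 bytes total
    # LinkInfo: 28-byte header, VolumeID, LocalBasePath, CommonPathSuffix. The
    # VolumeID describes the volume the shortcut was built against (hypothetical
    # label/serial here), which is what you correlate with the source machine.
    label = b"OS\x00"
    vol = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 0x10) + label
    base = b"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\x00"
    body = vol + base + b"\x00"
    link_info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(base)) + body
    args = "-nop -w hidden -ep bypass -f E:\\.hidden\\stage.ps1"  # hypothetical
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key:>16}: {value}")
    print("indicators:", triage(parsed))
```

On a real case, run `parse_lnk` over every `.lnk` recovered from the USB image and the host, and compare the VolumeID serial and the timestamps with the USBSTOR and MountedDevices registry entries. Full-featured tools such as LECmd also decode the IDList and the TrackerDataBlock, whose machine identifier and volume GUIDs help attribute where a shortcut was built; this example deliberately stops at the fields shown.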

