Haider Mustafa

DFIR Investigation

TrickBot network and memory forensics.

Packet capture and memory image analysis across two malware cases, focused on payload recovery, infrastructure mapping, and host attribution.

Network case: Recovered a disguised DLL and mapped likely TrickBot infrastructure.
Memory case: Traced a PDF-led compromise through suspicious process activity.
Output: Full report with evidence trail and findings.
Tools: Wireshark, NetworkMiner, Volatility, VirusTotal, MalwareBazaar.


I investigated two malware cases using network and memory evidence to work out what was delivered, how it behaved, and which host it affected.

Case Shape

How the investigation path unfolds.

01 Traffic review: host and payload isolated
02 Payload recovery: malicious DLL identified
03 Memory analysis: process chain validated
04 Attribution: host, user, and behaviour mapped

Basic overview

This project used two separate evidence sources: a packet capture and a memory image. The work focused on recovering the malicious payload, identifying how the malware behaved, and attributing the activity back to the affected host and user.

The aim was to take raw network and memory artefacts, turn them into clear findings, and write those findings into a report in the same way an analyst would hand over a completed investigation.

Packet capture investigation
  • Focused on 10.12.19.104 after reviewing traffic volume and IDS context.
  • Recovered diego.png from HTTP traffic and confirmed that it was actually a malicious DLL.
  • Matched the payload to TrickBot through VirusTotal and MalwareBazaar.
  • Used TLS certificate review to identify likely command-and-control infrastructure.
  • Attributed the activity to host DESKTOP-3kI6Y6G and user smalls.hammish.
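The disguised-DLL check from the network case, as an added example rather than code from the original writeup: given an HTTP response carved from the capture, it compares what the URL extension and the Content-Type header claim against the body's magic bytes, follows the DOS header to the COFF Characteristics field to confirm the IMAGE_FILE_DLL flag, and hashes the body for the VirusTotal or MalwareBazaar lookup. The HTTP response and the minimal PE inside it are constructed here so the script runs offline; they are not the real diego.png.

```python
import hashlib
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit set on DLL images

# What each claimed type should look like once the bytes are sniffed.
EXPECTED_BY_EXT = {"png": "png", "jpg": "jpeg", "dll": "pe", "exe": "pe"}
EXPECTED_BY_MIME = {"image/png": "png", "application/x-msdownload": "pe"}


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def sniff_type(body: bytes) -> str:
    """Classify by magic bytes, ignoring what the URL or server claims."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if body[:2] == b"MZ":
        return "pe"
    return "unknown"


def pe_is_dll(body: bytes) -> bool:
    """Follow e_lfanew to the PE signature and test IMAGE_FILE_DLL."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", body, 0x3C)
    if pe_off + 24 > len(body) or body[pe_off:pe_off + 4] != b"PE\0\0":
        return False
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics at +22
    (characteristics,) = struct.unpack_from("<H", body, pe_off + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def triage(raw: bytes, url_path: str) -> dict:
    """Compare the claimed type of an HTTP-delivered file with its real one."""
    status, headers, body = split_http_response(raw)
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    actual = sniff_type(body)
    claims = {c for c in (EXPECTED_BY_EXT.get(ext), EXPECTED_BY_MIME.get(mime)) if c}
    return {
        "status": status,
        "claimed_mime": mime,
        "extension": ext,
        "actual_type": actual,
        "is_dll": actual == "pe" and pe_is_dll(body),
        "mismatch": actual != "unknown" and any(c != actual for c in claims),
        "sha256": hashlib.sha256(body).hexdigest(),  # pivot for VirusTotal / MalwareBazaar
    }


def build_sample_pe(dll: bool = True) -> bytes:
    """Constructed, inert stand-in for the recovered file: DOS header, PE
    signature and a COFF header with IMAGE_FILE_DLL optionally set.
    This is not the real payload from the capture."""
    pe_off = 0x80
    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + coff + bytes(0xE0)


# Constructed response: the server labels the body image/png, the body is a PE.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
    + b"Content-Length: " + str(len(build_sample_pe())).encode() + b"\r\n\r\n"
    + build_sample_pe()
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESPONSE, "/diego.png").items():
        print(f"{key:13} {value}")
```

In practice the response bytes come from Wireshark (File > Export Objects > HTTP) or from NetworkMiner's carved files; drop the saved body in place of SAMPLE_RESPONSE. The declared Content-Type and extension are recorded only so the report can state the mismatch; the classification itself rests on the bytes that crossed the wire.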
Memory image investigation
  • Used imageinfo to identify the correct Volatility 2 profile for the image before running any other plugin.
  • Flagged AcroRd32.exe, firefox.exe, and svchost.exe based on timing and injected code.
  • Used malfind, connscan, memdump, and string analysis to recover suspicious network references.
  • Linked the activity to banking-trojan behaviour and likely credential theft.
  • Recovered the Administrator hash as part of the host-level analysis.
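Two of the memory-case steps in one added script, not code from the original writeup: correlating pslist output with the PDF reader's start time and parent-child links, and a strings-style pass over a memdump that pulls URLs and IPv4 addresses with the internal ranges separated out. The pslist rows and the dump bytes are constructed to exercise the code and are not from the real image; the row layout follows what Volatility 2's pslist plugin prints. Injected-code detection itself stays with malfind, which this does not replace.

```python
import re
from datetime import datetime

# Constructed pslist output in the column layout Volatility 2 prints; the
# offsets, PIDs and timestamps are illustrative and not from the real image.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83e1a020 System                    4      0     59      443 ------      0 2020-03-16 12:40:00 UTC+0000
0x859c1020 svchost.exe             880    612     19      410      0      0 2020-03-16 12:40:12 UTC+0000
0x85a4bd40 explorer.exe           1508   1488     31      812      1      0 2020-03-16 12:41:05 UTC+0000
0x8598b678 AcroRd32.exe           2344   1508     18      356      1      0 2020-03-16 12:48:10 UTC+0000
0x85b0c030 firefox.exe            2580   1508     42      701      1      0 2020-03-16 12:48:21 UTC+0000
0x85b33d40 svchost.exe            2612   2344      7      120      1      0 2020-03-16 12:48:24 UTC+0000
"""

PSLIST_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\S+\s+\S+\s+\S+\s+\d+\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000"
)


def parse_pslist(text: str) -> list:
    """Turn pslist rows into dicts; header and separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs.append({
                "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
                "start": datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S"),
            })
    return procs


def flag_related(procs: list, anchor_name: str, window_s: int = 60) -> dict:
    """Map pid -> reasons for processes that are children of the anchor
    (the PDF reader here) or that started within window_s seconds after it."""
    flagged = {}
    for anchor in (p for p in procs if p["name"].lower() == anchor_name.lower()):
        for p in procs:
            if p["pid"] == anchor["pid"]:
                continue
            reasons = []
            delta = (p["start"] - anchor["start"]).total_seconds()
            if p["ppid"] == anchor["pid"]:
                reasons.append(f"child of {anchor['name']} (pid {anchor['pid']})")
            if 0 <= delta <= window_s:
                reasons.append(f"started {int(delta)}s after {anchor['name']}")
            if reasons:
                flagged.setdefault(p["pid"], []).extend(reasons)
    return flagged


ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")      # UTF-16LE printable runs
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./?=&%\-]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(ip: str) -> bool:
    """RFC 1918, loopback, link-local and 0/8: not worth pivoting on."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return (a in (0, 10, 127) or (a == 169 and b == 254)
            or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168))


def extract_network_refs(blob: bytes) -> dict:
    """Strings-style pass over a memdump, split into URLs and external vs
    internal IPv4 addresses so the external ones get checked first."""
    strings = [s.decode("ascii") for s in ASCII_RE.findall(blob)]
    strings += [s.decode("utf-16-le") for s in WIDE_RE.findall(blob)]
    text = "\n".join(strings)
    ips = {ip for ip in IPV4_RE.findall(text)
           if all(int(o) <= 255 for o in ip.split("."))}
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "external_ips": sorted(ip for ip in ips if not is_internal(ip)),
        "internal_ips": sorted(ip for ip in ips if is_internal(ip)),
    }


# Constructed dump fragment: an ASCII URL, a UTF-16LE address and two more
# addresses padded with nulls the way real process memory is.
MEMDUMP_SAMPLE = (
    bytes(8) + b"https://203.0.113.45:443/response.php" + bytes(4)
    + "10.12.19.104".encode("utf-16-le") + bytes(2)
    + b"\xff\xfe" + b"198.51.100.7" + bytes(3) + b"127.0.0.1\x00"
)

if __name__ == "__main__":
    for pid, why in flag_related(parse_pslist(PSLIST_SAMPLE), "AcroRd32.exe").items():
        print(pid, "; ".join(why))
    print(extract_network_refs(MEMDUMP_SAMPLE))
```

Feed it the real plugin output with something like `vol.py -f image.raw --profile=<profile> pslist > pslist.txt` and the memdump file for a flagged PID; a process that both descends from the reader and started seconds after it gets two reasons, which is the kind of double support the report should show. Addresses that survive the internal filter are the ones to take to connscan and the certificate review from the network case.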
What carries into SOC work

The value here is method: trace the artefacts, validate the process path, keep the evidence straight, and write the conclusion so another analyst can follow it.