Digital Forensic Investigation – Rebel Malware Analysis
Overview
A forensic investigation of a suspected malware developer's workstation, focused on analyzing the 'Rebel' malware framework. The goal was to recover deleted and encrypted artifacts, understand the malware's persistence mechanisms, and trace its C2 exfiltration channels — building a complete evidence chain for attribution.
The Challenge
The suspect had deliberately encrypted key files, wiped logs, and used anti-forensic techniques to slow investigation. The primary artifacts — encryption keys, deleted staging files, and C2 traffic — had to be recovered from disk images and memory without corrupting the chain of custody.
The Solution
Acquired and analyzed full disk images using FTK Imager and Autopsy. Recovered deleted files using PhotoRec, and decrypted protected archives by identifying key material in recovered artifacts. Used Wireshark to analyze captured network traffic and reconstruct C2 communication patterns. Documented every recovery step to maintain chain of custody.
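The last step above, documenting every recovery step so the chain of custody holds, is the part that most often decides whether recovered artifacts are usable. The following is an added example (not code from the original case study) of a minimal chain-of-custody ledger: every handling step of an evidence item records who, when and what together with the SHA-256 of the item at that moment, entries are hash-chained so a record cannot be silently edited or dropped, and verification detects both ledger tampering and any change to the evidence bytes. The image bytes, examiner names and action strings are constructed for the demo.

```python
"""Hash-chained chain-of-custody ledger for acquired forensic artifacts.

Added example, not part of the original case study. Evidence items are
expected to be immutable after acquisition, so every entry must carry the
acquisition hash; a differing hash on any step, or on the bytes presented
at verification time, is flagged.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain link used by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO-8601, UTC
    actor: str            # examiner who handled the item
    action: str           # free-text description of the step
    artifact_hash: str    # SHA-256 of the evidence item at this step
    prev_entry_hash: str  # entry_hash of the previous record (chain link)
    entry_hash: str = ""  # SHA-256 over all fields above, set by the ledger

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")  # the hash covers everything except itself
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class CustodyLedger:
    artifact_name: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, actor: str, action: str, artifact: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(ts, actor, action, sha256_hex(artifact), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self, artifact: bytes) -> Tuple[bool, List[str]]:
        """Check ledger integrity and that `artifact` is still the acquired item."""
        if not self.entries:
            return False, ["ledger is empty"]
        problems: List[str] = []
        acquisition_hash = self.entries[0].artifact_hash
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: chain link does not match previous entry")
            if e.entry_hash != e.compute_hash():
                problems.append(f"entry {i}: entry contents were altered after signing")
            if e.artifact_hash != acquisition_hash:
                problems.append(f"entry {i}: artifact hash differs from acquisition hash")
            prev = e.entry_hash
        if sha256_hex(artifact) != acquisition_hash:
            problems.append("current artifact bytes do not match acquisition hash")
        return not problems, problems


def demo() -> dict:
    """Run the ledger over a constructed image and two tampering scenarios."""
    image = b"\x00" * 512 + b"CONSTRUCTED-DISK-IMAGE-SAMPLE"  # stands in for a .dd file
    ledger = CustodyLedger("suspect-workstation.dd")  # hypothetical evidence name
    ledger.record("examiner-1", "acquired image with FTK Imager", image)
    ledger.record("examiner-1", "loaded image into Autopsy case", image)
    ledger.record("examiner-2", "carved deleted files with PhotoRec", image)
    clean_ok, _ = ledger.verify(image)

    # Scenario 1: a single byte of the evidence image changes after acquisition.
    modified_ok, _ = ledger.verify(image[:-1] + b"!")

    # Scenario 2: someone rewrites the description of a recorded step.
    ledger.entries[1].action = "no processing performed"
    edited_ok, problems = ledger.verify(image)
    return {"clean": clean_ok, "modified_image": modified_ok,
            "edited_ledger": edited_ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ledger is deliberately per-artifact: a decrypted archive or a carved file is a new evidence item with its own acquisition hash and its own ledger, so the provenance of each derived artifact stays traceable back to the original image.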
Tech Stack
- FTK Imager
- Autopsy
- PhotoRec
- Wireshark
Outcomes
- Recovered encrypted files and reconstructed deleted staging artifacts
- Identified Rebel framework persistence mechanisms (registry keys, scheduled tasks)
- Traced C2 exfiltration channels through Wireshark packet analysis
- Delivered complete forensic timeline report with chain-of-custody documentation