Enhancing Cybersecurity Through Live Forensic Investigation of Remote Access Trojan Attacks using FTK Imager Software

ABSTRACT


INTRODUCTION
As per Kelrey and Muzaki's publication, the National Cyber and Crypto Agency (BSSN) of Indonesia saw a 300% surge in cyberattacks via Remote Access Techniques (RAT) in 2022 as compared to the preceding year. In Indonesia, there were 5,874 recorded RAT attacks in 2022 [1]. In the current digital era, the security of data and computer systems has become increasingly important. The rise of cyberattacks such as Remote Access Trojan (RAT) attacks highlights how crucial it is to safeguard important systems and data [2,3]. A Remote Access Trojan (RAT) is a kind of malicious software that lets an attacker remotely access and take control of a computer or network without the owner's knowledge [4,5].
A Remote Access Trojan, or RAT, is essentially a software entity that seeks to remotely take complete control of an infected system in order to accomplish goals relating to system penetration, unlawful monitoring, and data theft. In this investigation, the driving force behind a RAT attack is the benefit the executor gains from being aware of the victim's actions once the target opens the virus, such as when the intended recipient inputs their account and password [6,7]. RATs are frequently employed in a range of cyberattack scenarios, including information gathering, system attacks, manipulation, surveillance, and taking advantage of security flaws that are already in place. These factors make RAT attack detection and analysis essential to preserving system and data security [8][9][10].
Live forensic investigation is one method for the investigation, prevention, and identification of cyber threats in real time [11]. In this context, "live forensic investigation" refers to a technique that allows digital evidence to be acquired instantly from a running operating system without interfering with its operation. This enables security experts to detect ongoing attacks immediately and take appropriate action. For instance, in this study the disk forensic and memory forensic analysis tools of FTK Imager were used to examine the existence of a Remote Access Trojan infection. Memory forensics captures data that disk forensics then analyzes, and the two disciplines work together continuously. The RAT infection will continue to be recognized even if its data is erased by the system or destroyed [12,13].
FTK Imager is one of the forensic tools that security professionals use to gather and analyze digital evidence [14]. The application is capable of taking and analyzing live snapshots of the operating system. This makes it possible for security professionals to look into suspicious activity and search for signs of remote access trojan attacks or other unlawful activity. The goal of this study is to learn more about the use of live forensic investigation, with FTK Imager as the primary tool for monitoring and evaluating Remote Access Trojan attacks. By improving computer system security, this research will therefore help businesses better safeguard their assets and data against malicious cyberattacks.
In light of these issues, the research questions may be expressed as follows: How can a Remote Access Trojan be made in order to target computer users? Even after the virus has been erased or eliminated by the computer, how can evidence of its existence be found?
One way to address the aforementioned issues is to learn how to make a Remote Access Trojan using Kali Linux version 2022.4, from conception to implementation, and how to use the FTK Imager application as a digital forensic tool to locate evidence of hacking activities. The purpose of this study is merely to identify the presence of the Remote Access Trojan virus, even in cases where the infection has been either manually or automatically eliminated by the system.

RESEARCH METHODS
The four steps of this research include preparation, planning, implementation, and outcomes, as shown in Figure 1.

a). Preparation
(1) Kali Linux installation
To develop and execute the virus, the first step is to install Kali Linux on a virtual machine. The installation of Kali Linux as a platform for virus creation and execution, along with the use of FTK Imager to discover the presence of the virus, are the preparatory steps for this research.
(2) FTK Imager installation
The FTK Imager program is then installed to facilitate hands-on forensic investigation techniques. The purpose of this FTK Imager program is to detect the type of malware targeting the target machine when a virus is executed on it [15].

b). Design
(1) Local network topology
When creating the network topology, the goal is to monitor the target's behavior when it is connected to a local area network that also contains the malware execution device. FTK Imager software is used to conduct live forensic investigations and to monitor and evaluate Remote Access Trojan attacks during the design phase, which covers the network topology and the system design.
(2) RAT virus generation
Virtual machines are used to produce the virus, and the development of the malicious software uses a Remote Access Trojan type of attack that attempts to test computer systems for vulnerabilities [16,17].

c). Implementation
(1) RAT virus attack
Penetration tests were conducted with the Remote Access Trojan virus by distributing it through file sharing functions and luring victims into downloading and running malware files that have embedded images.
(2) Investigation into the attack
The next step in the investigation process is to determine what type of malware infected the target machine after the target ran the infection [18,19].

d). Result investigation
The result stage is the last stage. Findings drawn from the steps of developing the Remote Access Trojan virus, delivering it to the target, and identifying the type of attack fall under this stage. In particular, this step offers a thorough explanation of the efficacy of the virus as well as the analysis process used to find the infection on the computer with the FTK Imager program.

RESULT
a). Preparation
According to the study methodology presented, the use of FTK Imager software for live forensic investigation to monitor and analyze Remote Access Trojan attacks takes place in four stages: planning, designing, implementing, and analyzing the findings. The installation of Kali Linux as a platform for the creation of a Remote Access Trojan virus, illustrated in Figure 2 below, is the first outcome addressed.
Based on Figure 2, many of the IT and security tools available on Kali Linux may seem complicated to the average user. A large number of its capabilities are aimed primarily at network research and security testing. Many cutting-edge tools for network security, hacking, and penetration testing are available in Kali Linux, which demonstrates its strength in the field of IT security [20].

Figure 2. Kali Linux desktop
Figure 3 shows FTK Imager, which cybercrime investigators often use to collect digital evidence from a device. Professionals in the field of digital forensics use it extensively due to its dependability and investigative capabilities. FTK Imager is helpful in various digital investigation scenarios due to its features, which include file viewing, metadata viewing, and file searching. Even for forensic novices, FTK Imager's user-friendly graphical user interface makes the process of viewing digital evidence simple [21].

Figure 3. FTK imager

b). Design
Before attacking the target machine, the executor must understand the network path to follow in order to deliver the Remote Access Trojan virus. This is done by installing Kali Linux and using FTK Imager as a live forensic research tool. As seen in Figure 4, the executor connects to the same network segment as the intended target. Communicating with the target is simpler for the executor as a result.
The msfvenom command is used to generate the reverse_tcp meterpreter payload for Windows 64-bit in executable format and save it in the "Articles.pdf" file [22]. The command generates a Windows executable meterpreter reverse shell which, when run on the victim, connects back to IP 10.10.7.227 on port 4444 [23].

Figure 5. Virus generation
In Figure 5, to initiate the attack against the target, this step spreads the Remote Access Trojan infection [24]. After changing the virus file's .exe extension into a PDF extension and moving the file, the next stage is for the executor to instruct the target on how to access the prepared file.

c). Implementation
Once the executor has created a Remote Access Trojan infection, it exchanges data with the target as shown in Figure 6 below. By approaching the target with bait, the executor can gain complete access to the target machine by tricking the victim into opening the viral file.

Figure 6. Virus transfer
In Figure 6, the attack was conducted through file sharing against Windows 11 Home Single Language version 22H2 from the Kali Linux operating system, version 2022.4. Once the target executes a malicious file with a PDF extension, the executor has full access to the target computer and can download, delete, edit and upload files as needed. If used improperly by careless people, this may be dangerous. The executor can easily trick the target into opening the file containing the virus simply by hiding the .exe file behind a PDF extension.
In Figure 7, msfconsole is the main console interface for the Metasploit Framework [25]. It allows users to interact with and execute Metasploit modules from the command console. Some of the command line functions of msfconsole are listed in Table 1.
In short, this command configures an advanced reverse TCP meterpreter payload intended for Windows x64 computers. When the Windows x64 target is successfully exploited, the meterpreter is installed and a reverse TCP connection is established to the attacker [26].
In Figure 8, the executor has full access to the target's files once the target opens the virus (the file generated by the executor). To determine whether the virus created by the executor is viable, the executor uses this console to perform a penetration test on the target machine. During the test run, the executor tracks the actions performed by the target using Kali Linux tools. When the target enters the login and password to access the uika learning website portal, the executor displays the actions performed by the target on the website on the console, so that the executor knows the target's password and login [27].

Table 1. Explanation of virus startup command line
No. | Command Line | Function
1 | Exploit | This specifies that we load the Metasploit exploit module. An exploit is code that takes advantage of a vulnerability or bug to execute a payload.
2 | Multi | It shows a multi exploit handler, which means it can be used with any payload and supports multiple targets by default.
3 | Handler | A handler is a component that "handles" the interaction and communication with the payload that has been uploaded to the target after being exploited. The handler captures connections back from the payload.
4 | Set LHOST | LHOST serves to determine the IP address where the payload will connect. The value 10.10.7.227 in LHOST means that the attacker has an interface with that IP address. LHOST is the "home" or destination endpoint that will be used to listen for the reverse shell payload's reverse connection.
5 | Set LPORT | LPORT defines the TCP port that will be used to listen for the reverse connection of the reverse shell payload. The value 4444 is a commonly used port, but other ports such as 80, 443, 22, etc. can also be used. LPORT is the destination port where the reverse shell payload listener will wait for a TCP connection from the target after the payload is executed.
6 | Set payload | This is the command to configure what payload to use in the exploit.
7 | Windows/x64 | This section specifies the payload targeted for the Windows operating system 64-bit (x64) platform.
8 | Meterpreter | This is the Metasploit meterpreter payload, which is a very feature-rich advanced payload for post-exploitation control.
9 | Reverse_tcp | It specifies the meterpreter's reverse connection technique using the TCP protocol. Reverse TCP means the exploited Windows target will connect back to the attacker.

d). Result investigation
The results of the target activity are logged in the Kali Linux operating system, as seen in Figure 9 below, after the target activity is monitored using the keyscan tool. The results shown are the inputs from the keyboard and other devices plugged into the laptop or computer. A forensic assessment of the virus-affected target laptop may be carried out using the methods shown in Figures 10 and 11. This simplifies the process of determining whether the infection is present.
In Figure 9, the keyscan_start and keyscan_dump commands are features of the Metasploit Framework on Kali Linux that are used to perform keylogging on a target. It is important to emphasize that this keylogging approach is used here only for research purposes, to evaluate whether a virus that has been generated and approved by the appropriate parties can be tracked down [28]. The functions of the commands shown above are listed in Table 2.

Figure 9. Virus execution
During the investigation phase of the Remote Access Trojan incident, this research found that malicious software had been running on the victim's computer system. The perpetrator created malicious software that was intended to run on the intended target. Therefore, the presence of the malicious software is tracked using digital forensic tools such as FTK Imager. Locating malicious software on a system can be done using two main methods.

e). Disk forensic
In Figure 10, the forensic investigation tool used in this test is FTK Imager software, which examines both memory and drives. The file generated by the executor can be seen in the image above thanks to the disk forensics techniques of FTK Imager. The executor was able to reach the target machine through this file. Disk forensics is a field of study that focuses on the collection, organization, and analysis of digital evidence relating to storage media, including hard drives, USB flash drives, CDs, DVDs, and more. This field is often also referred to as computer forensics or digital forensics [29].
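As an added example, not from the paper or its authors, the following Python script performs the triage check an analyst can run over files recovered with FTK Imager from the disk image: a genuine PDF begins with the bytes "%PDF-", whereas a Windows executable that has merely been renamed to .pdf, like the Article.pdf found in this investigation, still begins with the "MZ" DOS header. The sample byte strings are constructed, and the directory scanner scan_tree is a hypothetical helper.

```python
"""Flag files whose declared .pdf extension does not match their magic bytes.

A renamed executable keeps its binary header, so comparing the first bytes
against the claimed extension exposes the masquerade regardless of the name.
"""
import os
from pathlib import Path

# Magic-byte signatures for the two file types this check is concerned with.
MAGIC = {
    "pdf": b"%PDF-",   # every PDF starts with a version header such as %PDF-1.7
    "exe": b"MZ",      # DOS/PE header used by Windows executables
}


def identify_type(data: bytes) -> str:
    """Return 'pdf', 'exe' or 'unknown' from the leading bytes of a file."""
    for kind, signature in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def is_masquerading(filename: str, data: bytes) -> bool:
    """True when a file named *.pdf actually carries a Windows PE header."""
    claimed = Path(filename).suffix.lower().lstrip(".")
    return claimed == "pdf" and identify_type(data) == "exe"


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. an exported image) and list masquerading PDFs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)  # only the header is needed
            except OSError:
                continue  # unreadable entries are skipped, not reported
            if is_masquerading(name, head):
                hits.append(path)
    return hits


# Constructed samples (not files taken from the paper's investigation).
FAKE_PDF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # PE-style header
REAL_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"              # genuine PDF header

if __name__ == "__main__":
    print(is_masquerading("Article.pdf", FAKE_PDF))  # True: flagged
    print(is_masquerading("Article.pdf", REAL_PDF))  # False: consistent
```

The same header check can be applied to carved files from a memory dump, since the in-memory copy of the dropped file retains the same leading bytes.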

Figure 10. Hard drive storage investigation

f). Memory forensic
In Figure 11, the file generated by the executor can be seen in the image above thanks to the memory forensics techniques of FTK Imager. Even after being deleted, the RAT malware file can be found at the following path: Documents \users\ridwa\OneDrive\Desktop\uye\Article.pdf. The executor was able to reach the target machine through this file. The practice of examining the volatile memory (RAM) of a device to find digital evidence for the investigation of a cybercrime or security incident is known as memory forensic analysis [30]. The analysis must be performed while the device is still operational, because volatile memory (RAM) stores data that is lost when the device is turned off. RAM holds information about open files, running processes, network connections, and so on. Memory forensic analysis can be done for various purposes such as cybercrime investigation, malware analysis, information security incident response, digital forensics, etc. [31].

Table 2. Explanation of keylogging command line
Command Line | Function
Keyscan_start | The keylogging procedure on the target starts with this command. Every keystroke the target user makes on the keyboard is captured through keylogging. This command is often used after the target has been successfully compromised in the first place, either through a Meterpreter session or an exploited reverse shell.
Keyscan_dump | This command is used to display (dump) all keylog results that have been logged to date after the keylogging process has started. All keystrokes and keyboard inputs made by the target user, including potentially highly sensitive ones such as passwords, private communications, and proprietary information, will be displayed in the results.

CONCLUSIONS
The four steps of this research methodology are as follows. First, preparation, which involves the installation of FTK Imager and Kali Linux. The first step in building and executing a virus is installing Kali Linux, while the first step in starting a forensic investigation is launching FTK Imager. Next comes the design stage, which includes creating a Remote Access Trojan virus and building a local network topology. Executors find it easier to identify the path they want to target to deliver the virus if they know the local network topology. Next, implementation, which includes launching the attack with the Remote Access Trojan virus and investigating it. Upon transmission of the virus through file sharing, the executor tricks the victim into opening the malicious file. After that, the executor has full access to the intended laptop or PC. Live Forensic Investigation is used to conduct an investigation of the attack to determine if the infection exists. Digital proof of RAT attacks in the .pdf extension was found in the findings of live forensics. Despite the system's deletion of the virus, FTK Imager demonstrated efficacy in identifying RAT attacks. The primary contribution of this work is a forensic investigation approach that may uncover digital evidence of remote access trojan (RAT) attacks by employing FTK Imager.

Figure 4. Logic network topology
The logical topology describes the IP address addressing in the network structure built by researchers in the CSN Lab, and the local network structure connected to the network center of the Ibn Khaldun University Bogor Rectorate Building. The user laptop used for scanning is connected to the HS-NCC wireless Access Point, and the HS-NCC Access Point is connected to Switch 02 Cisco SF 100-24 port 10/100; likewise, the PC client in the CSN Lab room is connected to Switch 03 (PC LAB CSN) Cisco SF 100-24 port 10/100, then switch 03 is connected to Switch 02 (FT CENTER) Cisco SF 100-24 port 10/100, then switch 02 is connected to Switch (FT CENTER) Cisco SF 100-24 port 10/100 in the faculty server room, and the FT Center switch is connected to the CCR1009-7G-1C-1S+ router with local IP 10.10.0.1/21 and a DHCP server for IP addressing on the CSN Lab network with DHCP server 10.10.XXX.XXX/21. Then from the CCR1009-7G-1C-1S+ router, interface 01 with IP 10.0.1.24/24 is connected to the RB1100Dx4 router in the rectorate server room with IP 10.0.1.1/24.
