Spoiler alert!
Artefacts in possession: memory dump, OS event logs, registry files, Prefetch files, $MFT file, ShimCache, AmCache, network traffic dumps. I've decided to analyse each artefact, what I can get from it in this specific case and how. Then, I am going to outline my strategy in approaching this case.
We are looking for indicators of compromise. There are no details as to who the group is and what its aim was. But it's known that abnormal traffic was detected, and that is what launched this IR process. So, at the very least, we must have some suspicious traffic, possibly open or terminated connections. These should have been launched by some process, so we are looking for malware. Also, since the attacker needed an account to get in, I will be looking for account takeover attempts and possibly new account creation.
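A small triage script for the two things named above, account takeover attempts and new account creation, as an added example that is not part of the original post. It assumes the Security event log has already been exported to Python dicts with the fields shown (the records are constructed), and relies on the standard Windows Security Event IDs 4625 (failed logon), 4624 (successful logon) and 4720 (user account created).

```python
# Added example, not from the original post. Records are constructed, not real logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export format: one dict per Security event, times in ISO 8601.
EVENTS = [
    {"time": "2021-06-16T20:58:01", "id": 4625, "user": "jsmith", "src": "10.0.0.77", "logon_type": 3},
    {"time": "2021-06-16T20:58:03", "id": 4625, "user": "jsmith", "src": "10.0.0.77", "logon_type": 3},
    {"time": "2021-06-16T20:58:05", "id": 4625, "user": "jsmith", "src": "10.0.0.77", "logon_type": 3},
    {"time": "2021-06-16T20:58:09", "id": 4625, "user": "jsmith", "src": "10.0.0.77", "logon_type": 3},
    {"time": "2021-06-16T20:58:20", "id": 4624, "user": "jsmith", "src": "10.0.0.77", "logon_type": 3},
    {"time": "2021-06-16T21:02:44", "id": 4720, "user": "jsmith", "target": "svc_backup", "src": "10.0.0.77"},
    {"time": "2021-06-16T09:15:00", "id": 4624, "user": "alice", "src": "10.0.0.12", "logon_type": 2},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_takeovers(events, threshold=3, window=timedelta(minutes=10)):
    """Flag (user, source) pairs where >= threshold failed logons (4625) are
    followed by a successful logon (4624) from the same source inside the
    window. That burst-then-success pattern is what a guessed or sprayed
    password looks like in the Security log."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        key = (ev["user"], ev["src"])
        t = parse(ev["time"])
        if ev["id"] == 4625:
            failures[key].append(t)
        elif ev["id"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                hits.append({"user": ev["user"], "src": ev["src"],
                             "failures": len(recent), "success_at": ev["time"]})
            failures[key].clear()  # a success resets the failure run for this pair
    return hits


def find_account_creations(events):
    """Every 4720 deserves a look: who created which account, when, and from where."""
    return [{"by": e["user"], "created": e["target"], "at": e["time"], "src": e["src"]}
            for e in events if e["id"] == 4720]


if __name__ == "__main__":
    for hit in find_takeovers(EVENTS) + find_account_creations(EVENTS):
        print(hit)
```

On the constructed records this reports one takeover (four failures then a success for jsmith from 10.0.0.77) and one account creation (svc_backup) from the same source a few minutes later, which is exactly the sequence worth correlating with the process and network artefacts.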
Most devices keep some logs. For network-related issues these are switches, routers, firewalls, IDS and IPS, web proxies, DC and authentication servers, DHCP servers and application servers.
SIEMs are log aggregators. When configured correctly, all logs and events from all systems in the enterprise flow to a centralised repository where they can then be analysed. Some SIEMs also learn what's normal and what's not. However, they are quite costly.
SPOILER ALERT!
16/06/2021, Wednesday
09:21 PM.
It was a very sunny day and a very nice, long walk that my daughter and I had before lunch. I feel uplifted because there is finally enough sun and green grass in my life! Unfortunately, no coffee today, since we don't have BonAqua, which might be not the best for drinking, but is indeed one of the best to prepare coffee (quoting my husband).
This article collects the basics of the TCP protocol. Its friend UDP (also a transport-layer protocol) is faster but less reliable.

The desired prerequisite for this article is this. It's also recommended to read about data structures. A very good book that I've accidentally stumbled upon is Brian Carrier's File System Forensic Analysis [3]. I also strongly believe that the best way to learn is to activate different parts of the brain. Simple reading is not enough, that's why I'm trying to mix in pictures and emoji. Metaphors and analogies help too, which I also try to provide. But it would really help if you installed some packet capture program (Wireshark is an example), opened some network interface and observed the stuff I'm talking about yourself.