CST 610 Project 3 Lab

Project 3 Hands-on Exercises
To begin, perform the following steps:
A. Preparation:
1) Familiarize yourself with the resources provided in the Lab Resources section
of this document. You will find helpful open-source links that help you
understand the tools you will use in this lab.
2) Connect to the lab environment following the connect instructions provided in
your classroom (let your instructor know if you cannot locate the connect
instructions). Contact lab support if you need general technical support related
to your virtual lab environment and associated lab exercises. After you have
successfully connected to the lab environment, proceed to the next step to run
the tools associated with this project.
B. Reporting
Reporting is fundamental in an investigation, and because of this it is important
that you find a tool that works best for your reporting style, has the capability to
store artifacts if needed, and can be modified based on customer scoping and
reporting requirements.
i. For this exercise, explore some of the more popular reporting tools and
decide which one you want to use for your investigation. Ensure that all
artifacts are maintained within this tool and note your likes and dislikes
about it.
ii. Example tools are:
1. Dradis
2. Magic Tree
3. Faraday IDE
4. Serpico
iii. Document some screenshots of your tool of choice within your report.
C. Wireshark
Wireshark can be used for a deeper understanding of what has happened on the
network, but it can also be utilized for reconstructing certain artifacts.
iv. In this project, you have been given access to a PCAP file from
FINBANK to analyze. As you are analyzing this data in Wireshark, note
some of the interesting interactions you find within the traffic.
v. You should notice some HTTP traffic in the PCAP file you were given
for analysis; enter http in the Wireshark display-filter bar to show only
those packets.
vi. When you see an image in PCAP traffic, it can be reconstructed with the
following steps:
1. Right-click one of the HTTP packets and select “Follow –> HTTP Stream”.
a. Take note of what you see in the stream (request line, request
headers, response headers and body), as it is important to
understand what is happening in this interaction.
2. Click File on the Wireshark menu and select “Export Objects –>
HTTP”.
a. You should see several images in the list. Select each one and
use Save (or Save All) to write the reconstructed files to a
directory of your choice; Preview only opens a temporary copy.
3. What is this traffic sample telling you? What information can you
piece together from it? Think critically about the pertinent
information and note anything useful for your report.
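The Export Objects step above can be scripted so the extraction is repeatable outside the GUI. The following is an added example, not part of the lab or of Wireshark: a standard-library PCAP reader that reassembles each TCP direction by sequence number and pulls out HTTP response bodies with their request URI and Content-Type, which is what Export Objects –> HTTP does for a simple one-request stream. The capture is constructed in memory; the hosts, ports and /images/logo.png path are assumptions.

```python
"""Pull HTTP response bodies out of a PCAP with only the standard library.

Added example (not the lab's or Wireshark's code). Handles the common case
of one request and one response per TCP stream; assumed hosts and paths."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6


def ethernet_ipv4_tcp(src, sport, dst, dport, seq, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; parsers ignore them)."""
    def ip4(a):
        return bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, IPPROTO_TCP, 0,
                     ip4(src), ip4(dst))
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: one GET and a two-segment response carrying a PNG body."""
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24        # signature plus filler
    request = b"GET /images/logo.png HTTP/1.1\r\nHost: finbank.example\r\n\r\n"
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                b"Content-Length: %d\r\n\r\n" % len(png_body)) + png_body
    client, server, cseq, sseq = "10.0.0.5", "192.0.2.80", 1000, 5000
    # Split the response and write the second half first, so the reader has to
    # reorder by sequence number rather than trusting file order.
    split = len(response) // 2
    frames = [
        (client, 40000, server, 80, cseq, request),
        (server, 80, client, 40000, sseq + split, response[split:]),
        (server, 80, client, 40000, sseq, response[:split]),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for i, args in enumerate(frames):
        frame = ethernet_ipv4_tcp(*args)
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP frame with data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond PCAP is handled here"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != IPPROTO_TCP:
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_off = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if payload:
            yield src, sport, dst, dport, seq, payload


def reassemble(pcap):
    """Concatenate each direction's payload in sequence-number order."""
    streams = defaultdict(list)
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        streams[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in streams.items()}


def export_http_objects(pcap):
    """Return [(request_uri, content_type, body)], like Export Objects -> HTTP."""
    streams = reassemble(pcap)
    objects = []
    for (src, sport, dst, dport), data in streams.items():
        if not data.startswith(b"HTTP/1."):
            continue
        head, _, rest = data.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        body = rest[:int(headers.get(b"content-length", len(rest)))]
        req = streams.get((dst, dport, src, sport), b"")   # the other direction
        uri = req.split(b" ")[1].decode() if req.startswith(b"GET ") else "?"
        objects.append((uri, headers.get(b"content-type", b"").decode(), body))
    return objects


if __name__ == "__main__":
    for uri, ctype, body in export_http_objects(build_sample_pcap()):
        print(uri, ctype, len(body), "bytes, starts", body[:8])
```

Point the functions at a real file with open("finbank.pcap", "rb").read() in place of build_sample_pcap(). The reader deliberately stops short of Wireshark's full reassembly (no retransmission or chunked-encoding handling), which is exactly why the GUI remains the reference for anything that looks odd in the stream.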
D. TrID
TrID is a free tool that identifies a file's type from its content, using a
database of binary signatures, rather than from its extension. Attackers may
change a malicious file's extension so that it passes an upload filter on a
web server, evades endpoint detection tools, or looks like a legitimate file
to monitoring applications. Once the file is on a host inside the network,
the original extension is restored and the file is executed for exploitation
or post-exploitation.
vii. Download and install TrID from its source page. This should create a
folder called “trid_w32”. Within this folder you should see trid.exe
and triddefs.trd. If you don't see the triddefs.trd file, go back to the
TrID webpage, download the latest definitions package, and place it in
this folder.
viii. Thinking back to the Wireshark images we generated, something seems
off about them based on their HTTP stream. Let’s make sure they aren’t
malicious files.
1. Create a new folder in a different directory, as Wireshark saves
images in a temporary directory that will be erased on reboot.
Move images to this new directory, along with the files from the
trid_w32 folder.
ix. Open the command prompt and run TrID against the images you
reconstructed from Wireshark. Take note of some of the different switches
TrID accepts (for example -ae, which appends the guessed extension to the
file name, and -ce, which replaces the current extension with it).
x. Record what these file types are and save them as part of your evidence
gathering process.
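What TrID is doing, reduced to its essentials: the leading bytes of a file are compared against known signatures and the result is set against the extension the file claims. The following is an added example, not TrID's own code or its definition database; it carries only a handful of well-known signatures, and the file names and contents are constructed, including a PE header renamed to .jpg of the kind the text warns about.

```python
"""Identify a file's real type from its leading bytes and flag extension mismatches.

Added example, not TrID: a small signature table stands in for triddefs.trd.
Sample files below are constructed for the demonstration."""
import os

# (signature at offset 0, type name, extensions that legitimately carry it)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"MZ", "Windows PE executable", {".exe", ".dll", ".scr", ".sys"}),
    (b"\x7fELF", "ELF executable", {"", ".so", ".elf"}),
    (b"PK\x03\x04", "ZIP container (zip/docx/xlsx/jar/apk)",
     {".zip", ".docx", ".xlsx", ".jar", ".apk"}),
    (b"%PDF-", "PDF document", {".pdf"}),
]


def identify(data):
    """Return (type_name, allowed_extensions) for the first matching signature, else None."""
    for magic, name, exts in SIGNATURES:
        if data[:len(magic)] == magic:
            return name, exts
    return None


def check_file(name, data):
    """Compare the type implied by the extension with the type found in the bytes."""
    ext = os.path.splitext(name)[1].lower()
    hit = identify(data)
    if hit is None:
        # Unknown is not the same as safe; TrID would keep looking with a far
        # larger definition set, and so should you.
        return {"name": name, "type": "unknown", "mismatch": False}
    kind, exts = hit
    return {"name": name, "type": kind, "mismatch": ext not in exts}


def triage(files):
    """Names in {name: bytes} whose content contradicts the extension, sorted."""
    return sorted(n for n, d in files.items() if check_file(n, d)["mismatch"])


# Constructed samples: a genuine PNG, a PE/DOS header stub renamed to .jpg,
# a ZIP local-file header renamed to .png, and a PDF with the right extension.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "banner.png": b"PK\x03\x04\x14\x00" + b"\x00" * 26,
    "statement.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(check_file(n, d))
    print("extension/content mismatches:", triage(SAMPLES))
```

Run it over a directory by reading each file's first few hundred bytes into the dict. Two caveats matter in practice: this only inspects offset 0, so a legitimate JPEG with an executable appended after the image data would pass (TrID's larger signature set and a full-file scan catch more), and an upload filter that trusts the extension rather than doing this kind of content check is precisely what the renamed .jpg in the sample is designed to slip past.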
E. Log Analysis
Logs are going to be essential to understanding how a compromise happened,
what reach the attacker had into the network, and what may have been accessed
or egressed from the network. Detailed logs can also help an analyst pinpoint
where the attacks came from with a certain level of confidence, but always
remember that attribution can become exceedingly difficult if you are
investigating a sophisticated attack. For the purposes of this course, we are going
to focus on the potential compromise itself, whereas a digital forensics course can
detail more of the attribution aspect of pinpointing an attacker’s origin.
xi. Note the log files you were given access to from the previous lab. What
deductions have you made from these logs thus far?
xii. Now we need to do a deeper analysis using different techniques to
continue piecing the story together for our AAR.
xiii. Some popular methods for parsing and searching logs in a native Linux
environment would be
1. sed
2. awk
3. grep
xiv. For large-scale log analysis, any analyst will quickly learn that these
native tools are excellent for searching and reshaping text but become slow
and hard to maintain across many gigabytes or many hosts. A working knowledge
of them is important for smaller datasets, but you should also look at some of
the open-source log management platforms available today.
1. Graylog
2. Logcheck
3. ELK Stack
3) Revisit the “access-2” logfile. What can you correlate between the logfile and
your Wireshark output? Are there any similarities?
4) Try to piece the story together based on the information you see from the
provided artifacts.
a. Where does it look like the attack originated from?
b. What did the attacker attempt to do?
5) Compile your findings and incorporate them in your deliverables for this
project.
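Steps 3) and 4) are a correlation exercise: take the URIs recovered from the capture, find the access-log lines that requested them, and then look at everything else those clients did. The following is an added example, not part of the lab material or of any of the tools listed above: a parser for Apache/nginx combined-format lines with the grep/awk-style passes written as reusable functions. The log lines are constructed, and the client addresses, paths and user agents are assumptions, not the contents of access-2.

```python
"""Parse combined-format access-log lines and correlate them with URIs from a PCAP.

Added example (not the lab's data or code). SAMPLE_LOG is constructed; the
addresses, paths and user agents are assumptions."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SAMPLE_LOG = """\
203.0.113.9 - - [12/Mar/2021:08:01:11 +0000] "GET / HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2021:08:02:30 +0000] "GET /images/logo.png HTTP/1.1" 200 4121 "-" "python-requests/2.25"
198.51.100.23 - - [12/Mar/2021:08:02:31 +0000] "GET /images/banner.png HTTP/1.1" 200 1844 "-" "python-requests/2.25"
198.51.100.23 - - [12/Mar/2021:08:03:02 +0000] "POST /upload.php HTTP/1.1" 200 77 "-" "python-requests/2.25"
198.51.100.23 - - [12/Mar/2021:08:03:05 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 1024 "-" "python-requests/2.25"
203.0.113.9 - - [12/Mar/2021:08:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4121 "http://finbank.example/" "Mozilla/5.0"
"""


def parse(text):
    """Return (entries, malformed_count); unparsable lines are counted, never silently dropped."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif line.strip():
            bad += 1
    return entries, bad


def correlate(entries, pcap_uris):
    """Map each URI recovered from the capture to the clients that requested it."""
    hits = defaultdict(set)
    for e in entries:
        if e["path"] in pcap_uris:
            hits[e["path"]].add(e["ip"])
    return {uri: sorted(ips) for uri, ips in hits.items()}


def client_timeline(entries, ip):
    """Everything one client did, in log order: the 'what did the attacker attempt' view."""
    return [(e["ts"], e["method"], e["path"], e["status"]) for e in entries if e["ip"] == ip]


def suspicious_clients(entries):
    """Crude heuristic for this lab: clients that POSTed or used a non-browser user agent."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = []
    for ip, es in by_ip.items():
        posted = any(e["method"] == "POST" for e in es)
        scripted = any(not e["ua"].startswith("Mozilla") for e in es)
        if posted or scripted:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    entries, bad = parse(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {bad} malformed")
    print(correlate(entries, {"/images/logo.png", "/images/banner.png"}))
    for ip in suspicious_clients(entries):
        print(ip, client_timeline(entries, ip))
```

Feed parse() the real file with open("access-2").read() and pass correlate() the URI list from your Wireshark export. The heuristic in suspicious_clients is only a starting point: a browser user agent is trivially spoofed, so treat it as a way to prioritise which timelines to read first, not as evidence on its own.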
II. Lab Resources
Application websites
ELK Stack: https://www.elastic.co/elastic-stack
Graylog: https://www.graylog.org/
Logcheck: https://logcheck.org/
TrID: https://mark0.net/soft-trid-e.html
Wireshark: https://www.wireshark.org/