2016-09-20 - TRAFFIC ANALYSIS EXERCISE - HALLOWEEN SUPER COSTUME STORE!
- ZIP archive with a PCAP of the traffic: 2016-09-20-traffic-analysis-exercise.pcap.zip 261.8 kB (261,786 bytes)
- ZIP archive with artifacts from the infected host: 2016-09-20-traffic-analysis-exercise-artifacts-from-infected-host.zip 339.6 kB (339,552 bytes)
- ZIP archive with some associated emails: 2016-09-20-traffic-analysis-exercise-emails.zip 31.3 kB (31,288 bytes)
All ZIP files on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
It's September, and Halloween is fast approaching. With our current economy, a wide variety of stores have gone out of business. All that space is ready to be taken over for the next month or two as temporary Halloween-themed costume stores!
Shown above: This one's perfect!
You've recently been hired as a Security Analyst at a place called "Halloween Super Costume Store!" One day, only you and one other employee are at work. You're in the back room monitoring what little network traffic there is. The other employee is Roger. His nickname is "Roger Rabid" due to the costume he always wears. Since working with him, you've never seen Roger without it.
Roger: May I help with your selection of Halloween costume?
Potential customer: Aaaaaaaaaaaaaah!
It's a school day, and not many people are at the store. When business is this slow, Roger uses a computer near the front desk to check his mail and browse the web. It's his personal desktop. He spends so much time at work that the store manager allowed him to bring it in.
Suddenly, you hear a scream of terror, but the sound didn't come from one of the customers. That scream came from Roger!
You rush to the front desk to find Roger in a panic. He tells you his computer started acting crazy and he had to unplug the power cord. When you ask for details, he only tells you it's hard typing with his over-sized creepy monster hands.
Shown above: Yep, bad for typing. It's the only thing you agree with Roger about.
You take Roger's computer and conduct some forensics. You determine his IP address and acquire a copy of the network traffic during the time of the incident. You also noticed Roger received a few emails, so you collect the messages.
You now have the following:
- A pcap of the network traffic from Roger's computer
- Some artifacts from the infected host
- Some emails Roger received
You're ready to write a report to show management what happened. The report should contain the following:
- Host IP address
- Host MAC address
- Host name
- User name
- Date and time of the activity
- A brief description of what happened
- SHA256 hashes for any malware from the infected host
- Click here for the answers.
Click here to return to the main page.