2017-02-11 - TRAFFIC ANALYSIS EXERCISE - A VERY SPECIAL ONE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive with a pcap of the traffic: 2017-02-11-traffic-analysis-exercise.pcap.zip 6.7 MB (6,717,952 bytes)
- Zip archive with the alerts (image, text, and RTF files): 2017-02-11-traffic-analysis-exercise-alerts.zip 425.1 kB (425,146 bytes)
SCENARIO
Baby, it's cold outside. Why don't we curl up by the fireplace, sip some champagne, and listen to some romantic music? I've covered the floor with rose petals, so watch your step! That's right, just relax. I've got a special surprise for you.
Shown above: Now that I've set the mood...
The pcap contains traffic from three different hosts. You also have IDS alerts to help you figure out what's going on. None of this has anything to do with Valentine's day.
QUESTIONS
BASIC TASKS:
- Document the date, start time and end time of the pcap in UTC (GMT).
- Document the IP addresses of the three hosts in the pcap.
- Document the MAC addresses of the three hosts in the pcap.
- Document the type of computer (Windows, Mac, Android, etc.) for each of the three hosts in the pcap.
- Determine which host(s) were infected.
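The first three basic tasks (pcap time span in UTC, the IP address and the MAC address of each host) can be answered without Wireshark by reading the libpcap file format directly. The following script is an added example for this exercise, not code from the site; it walks the classic pcap record structure, reports the first and last timestamps in UTC, and groups source IPv4 addresses and destination peers by source MAC. The embedded sample capture, its addresses and its MACs are constructed for the demonstration and are not taken from the exercise pcap. It handles the four classic pcap magic numbers only, not pcapng, and it does not attempt to identify the operating system of each host, which still needs a look at protocol content such as DHCP options or HTTP User-Agent strings.

```python
"""Inventory a classic libpcap capture: time span in UTC plus MAC/IP pairs per host."""
import struct
from datetime import datetime, timezone


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record of a libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:            # little-endian, microsecond timestamps
        endian, divisor = "<", 1_000_000
    elif magic == 0xD4C3B2A1:          # big-endian, microsecond timestamps
        endian, divisor = ">", 1_000_000
    elif magic == 0xA1B23C4D:          # little-endian, nanosecond timestamps
        endian, divisor = "<", 1_000_000_000
    elif magic == 0x4D3CB2A1:          # big-endian, nanosecond timestamps
        endian, divisor = ">", 1_000_000_000
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet (DLT_EN10MB) link type")
    off = 24                           # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        yield ts_sec + ts_frac / divisor, frame


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fmt_utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def host_inventory(data: bytes) -> dict:
    """Return start/end time (UTC) and, per source MAC, the IPv4 addresses and peers seen."""
    first = last = None
    hosts = {}
    for ts, frame in parse_pcap(data):
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if len(frame) < 34:            # Ethernet (14) + minimal IPv4 header (20)
            continue
        _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
        if ethertype != 0x0800:        # IPv4 only; ARP/IPv6 still count toward the time span
            continue
        src_ip = ".".join(str(b) for b in frame[26:30])
        dst_ip = ".".join(str(b) for b in frame[30:34])
        entry = hosts.setdefault(fmt_mac(src_mac), {"ips": set(), "peers": set(), "packets": 0})
        entry["ips"].add(src_ip)
        entry["peers"].add(dst_ip)
        entry["packets"] += 1
    return {
        "start": fmt_utc(first) if first is not None else None,
        "end": fmt_utc(last) if last is not None else None,
        "hosts": {mac: {"ips": sorted(e["ips"]), "peers": sorted(e["peers"]), "packets": e["packets"]}
                  for mac, e in hosts.items()},
    }


# --- constructed sample capture (not the exercise pcap) ---------------------------------
def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Ethernet II + IPv4 header (protocol UDP) with an 8-byte placeholder payload."""
    payload = b"\x00" * 8
    eth = struct.pack("!6s6sH", _mac_bytes(dst_mac), _mac_bytes(src_mac), 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    return eth + ip + payload


def build_pcap(records) -> bytes:
    """Write a little-endian, microsecond-resolution libpcap file from (timestamp, frame) pairs."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


_T0 = datetime(2017, 2, 11, 14, 5, 0, tzinfo=timezone.utc).timestamp()
GATEWAY = "02:00:00:ff:ff:01"          # constructed locally-administered MAC
SAMPLE_PCAP = build_pcap([
    (_T0, build_frame("02:00:00:aa:aa:01", GATEWAY, "10.0.0.11", "198.51.100.7")),
    (_T0 + 1.5, build_frame("02:00:00:aa:aa:02", GATEWAY, "10.0.0.12", "203.0.113.9")),
    (_T0 + 3.25, build_frame("02:00:00:aa:aa:03", GATEWAY, "10.0.0.13", "198.51.100.7")),
    (_T0 + 90.0, build_frame("02:00:00:aa:aa:01", GATEWAY, "10.0.0.11", "203.0.113.44")),
])

if __name__ == "__main__":
    inv = host_inventory(SAMPLE_PCAP)
    print("start:", inv["start"], " end:", inv["end"])
    for mac, e in inv["hosts"].items():
        print(mac, e["ips"], "->", e["peers"], f"({e['packets']} packets)")
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("file.pcap", "rb").read()`. Grouping by source MAC rather than by IP is deliberate: it shows whether a host changed address during the capture (a DHCP renewal, for instance), and only MACs that actually transmitted appear, so the gateway that every host talks to is not mistaken for a fourth host.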
MORE ADVANCED TASKS:
- Document the family (or families) of malware based on indicators from the pcap.
- Document the root cause for any infections noted in the pcap.
FINAL TASK:
- Draft an incident report for the infected host(s).
- If more than one host is infected, draft a separate incident report for each host.
ANSWERS
- Click here for the answers.