Browse to the folder where you saved the exam’s PCAP file and open EK.pcap. This capture file contains traffic related to an exploit kit infection. We will answer some basic questions about the PCAP, but feel free to explore deeper if you’d like to see how the malware works. There is a web request on a non-standard port; this is what we will focus on.
Exam Questions:
1. Which IP address is requesting web page information? 5 points
2. What is the FQDN of the website involved in the request? 5 points
3. What is the IP address of the remote site? 5 points
4. What non-standard port is the request over? 5 points
5. What is the name of the file being requested? 5 points
6. You have been asked if there are any suspicious domains in the capture. Please provide at least one domain. 5 points
7. [Extra Credit] Can you identify the malicious files or scripts that were transferred? 10 points
Section 2 (30 points):
You will need to download two (2) files in order to complete this section – see Blackboard/Course Links/Final Exam – md5deep-4.4.zip and Files_to_Hash.zip
- md5deep NOTES:
- Windows users: if you are using a modern version of the Windows operating system (e.g., Windows 7, 8, etc.), use the 64-bit versions of the various hashing algorithms (e.g., sha256deep64.exe, md5deep64.exe)
- Mac/Linux users: if you are using Mac OS X, or a Linux-based operating system, you can use the openssl suite of hashing algorithms to complete this exam. Be sure to check out the openssl manual page by typing man openssl at a terminal/shell prompt
Exam Questions:
1. Using two hashing algorithms of your choice (e.g., md5 and sha256), compute the hash value for each of the four (4) files in the Files_to_Hash.zip file. Also, take a screenshot of your screen after you compute each hash. Paste the hash values into your Word document. 15 points
2. In 500 words or less, explain why these hash values are different between files. Also, how could you get the hash value to change? 10 points
3. What is it called when two different files produce the same hash value using the same algorithm? 5 points
4. When would you use hashing in forensics? How does it align with the CIA triad?
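As an added illustration (not part of the exam materials or the md5deep package), the following Python script reproduces what md5deep's recursive mode and match mode do using hashlib, run over a constructed set of files: an identical copy under a different name and a copy with a single byte changed, which covers the cases questions 1 and 2 ask about.

```python
import hashlib
import os
import tempfile

# md5deep ships one binary per digest (md5deep, sha256deep); hashlib covers the same ones.
ALGOS = ("md5", "sha256")

def hash_file(path, algo, chunk_size=65536):
    """Digest a file in chunks so a multi-GB evidence file never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_directory(directory, algos=ALGOS):
    """Like `md5deep -r`: map each file name to its digest under every algorithm."""
    return {name: {a: hash_file(os.path.join(directory, name), a) for a in algos}
            for name in sorted(os.listdir(directory))}

def match_known(directory, known_digests, algo="sha256"):
    """Like `md5deep -m`: list files whose digest appears in a known-hash set."""
    return [name for name, d in hash_directory(directory, (algo,)).items()
            if d[algo] in known_digests]

def differing_hex_positions(a, b):
    """Count hex characters that differ between two equal-length digests."""
    return sum(x != y for x, y in zip(a, b))

def build_sample_dir():
    """Constructed sample set (not the exam's Files_to_Hash.zip) covering the cases
    the questions ask about: identical bytes under a new name, and one byte changed."""
    d = tempfile.mkdtemp()
    samples = {
        "report.txt":         b"Quarterly report, final version\n",
        "report_renamed.doc": b"Quarterly report, final version\n",  # identical bytes
        "report_edited.txt":  b"Quarterly report, final versioN\n",  # one byte flipped
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    evidence = build_sample_dir()
    for name, digests in hash_directory(evidence).items():
        print(name, digests)  # renamed copy matches; edited copy does not
    known = {hash_file(os.path.join(evidence, "report.txt"), "sha256")}
    print("files matching the known-good set:", match_known(evidence, known))
```

The renamed copy produces the same digests as the original because only file content is hashed, while the one-byte edit changes most of the digest; that avalanche behaviour is what makes a hash usable as an integrity check in forensics.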
Section 3 (45 points):
You will be using Volatility to analyze the memorydump.img file for the following questions.
Exam Questions:
1. What profile can you use to run plugins against this capture? 5 points
2. What is the PID of firefox.exe? 5 points
3. What process started firefox.exe? 5 points
4. What is the name of the user that ran the dd.exe command? 10 points
5. Provide one URL or domain that this user visited and which process initiated the connection. 10 points
6. Give one external IP the system connected to and the name/PID of the process that started the connection. 10 points
Section 4 (45 points):
1. Since suspicious activities often utilize the browser, what evidence could you gather from web browser artifacts?
2. During the discovery process analyzing a hard drive, you discover a file called top secret with no file extension. How can you identify this file?
3. What is the difference between file slack and file system slack?
4. What is the Windows registry used for?
5. How can you find open TCP or UDP connections in Windows and Linux?
6. Give at least three examples of artifacts that can be found in memory.
7. What memory structure is used to represent a process list?
8. You arrive on-site to an investigation and are shown a suspect’s computer. What do you collect first?
9. Given a PCAP, how can you extract files?