And date and time when the incident occurred
2. Detection: This is often a complex endeavor. The detection phase is the part of the incident response process where the organization first becomes aware of a set of events that possibly indicate malicious activity or constitute a threat to confidentiality, integrity, or availability. Detection can come from internal or external sources, or both.
3. Analysis: In this step, personnel begin collecting evidence from systems, such as running memory, log files, network connections, and running software processes. Depending on the type of incident, collection can take anywhere from a few hours to several days. The goal of the analysis step is to determine the root cause of the incident and to reconstruct the actions of the threat actor from initial compromise to detection.
Conducting an Incident Response Investigation (4e) Digital Forensics, Investigation, and Response, Fourth Edition - Lab 04
network. In the case of a malware infection, the incident response team may run an enhanced anti-malware solution. Other times, infected machines may be wiped and reimaged. Other activities include removing or changing compromised user accounts. If the team has identified a vulnerability that was exploited, vendor patches are applied, or software updates are made. Recovery activities are very closely aligned with those that may be found in an organization's business continuity or disaster recovery plans.
1. In the first part of the lab, you will analyze a PCAP file taken during a recent incident.
2. In the second part of the lab, you will use E3 to identify forensic evidence related to the incident.
Learning Objectives
Upon completing this lab, you will be able to:
5. Create an incident response report to document your findings.
Topology
This lab contains the following virtual machines. Please refer to the network topology diagram below.
The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.
Upon completion of this lab, you are required to provide the following deliverables to your instructor:
SECTION 1
2. Any additional information as directed by the lab:
1. Review the Tutorial.
Frequently performed tasks, such as making screen captures and downloading your Lab Report, are explained in the Cloud Lab Tutorial. The Cloud Lab Tutorial is available from the User menu in the upper-right corner of the Student Dashboard. You should review these tasks before starting the lab.
In the next steps, you will open the NetWitness Investigator application and import the PCAP file provided by your colleagues on the incident response team.
1. On the vWorkstation desktop, double-click the NetWitness Investigator icon to open the NetWitness application.
Collection from the menu to open the New Local Collection dialog box.
New Local Collection dialog box
5. In the Collection pane, right-click the yourname Incident Response collection and select Import Packets from the context menu to open the Open dialog box.
Open dialog box
Navigation View
Note: In NetWitness Investigator, collections are explored using the Navigation View. The Navigation View contains multiple reports, which are displayed within the Navigation View as individual headers, such as Alerts, Service Type, Source IP Addresses, and more.
Toggle Timeline
9. In the Time Graph, click the Bar Chart button to display the time graph as a bar chart.
10. Make a screen capture showing the Time Graph.
11. Click the Toggle Timeline button to hide the Time Graph.
13. In the Navigation View, locate the Source IP address and Destination IP address reports.
Note: As you drill down into specific reports, NetWitness will keep track of your current location in the Drill Path at the top. If you need to return to the Navigation View for the yourname Incident Response collection at any time, click the yourname Incident Response link within the Drill Path.
15. In the Session List View for 157.165.0.25, locate the session that started on 2021-Jul-13 15:33:00.
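The drill-down you just performed in NetWitness (Source and Destination IP reports, then the Session List for one host) can be reproduced outside the GUI. The following Python script is an added example and is not part of this lab, of NetWitness, or of E3: using only the standard library, it walks a classic pcap file, keeps the IPv4/TCP frames sent to the FTP control port, groups the commands by client and server with the first-seen time, and flattens the result into the fields the incident report template asks for (attack source, attack destination, account used, files transferred). The capture it parses is constructed inline; every address, username, password and file name in it is invented for the example, so it runs offline. To use it on the lab's PCAP, pass the file's bytes to ftp_sessions instead of sample_pcap().

```python
"""Added example: reconstruct FTP control-channel sessions from a classic pcap file
using only the Python standard library. The capture in sample_pcap() is constructed."""
import struct
from collections import OrderedDict
from datetime import datetime, timezone

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def pcap_records(data):
    """Yield (epoch_seconds, frame_bytes) for every record in a classic (non-pcapng) file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    *_, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) frames are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 40 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    (total_len,) = struct.unpack_from("!H", ip, 2)
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def ftp_sessions(pcap_bytes, ftp_port=21):
    """Group client->server FTP commands by (client, server), keeping the first-seen time."""
    sessions = OrderedDict()
    for ts, frame in pcap_records(pcap_bytes):
        pkt = tcp_fields(frame)
        if pkt is None:
            continue
        src, dst, _sport, dport, payload = pkt
        if dport != ftp_port or not payload:
            continue  # server replies and non-FTP traffic are ignored
        s = sessions.setdefault((src, dst), {"first_seen": ts, "commands": []})
        lines = payload.decode("ascii", "replace").splitlines()
        s["commands"] += [ln.strip() for ln in lines if ln.strip()]
    return sessions


def summarize(sessions):
    """Flatten sessions into the fields the incident report template asks for."""
    rows = []
    for (src, dst), s in sessions.items():
        cmds = s["commands"]
        when = datetime.fromtimestamp(s["first_seen"], timezone.utc)
        rows.append({
            "client": src, "server": dst,
            "first_seen": when.strftime("%Y-%b-%d %H:%M:%S"),  # NetWitness session-list format
            "user": next((c.split(" ", 1)[1] for c in cmds if c.upper().startswith("USER ")), None),
            "password_in_clear": any(c.upper().startswith("PASS ") for c in cmds),
            "transfers": [c.split(" ", 1)[1] for c in cmds if c.upper().startswith(("RETR ", "STOR "))],
        })
    return rows


def _frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + ETHERTYPE_IPV4 + ip + tcp + payload


def sample_pcap():
    """Constructed traffic: an internal backup job, then an external host using the FTP server."""
    t = int(datetime(2021, 7, 13, 15, 33, 0, tzinfo=timezone.utc).timestamp())
    recs = [
        (t - 600, _frame("10.0.0.23", "10.0.0.5", 51000, 21, b"USER backup\r\n")),
        (t - 599, _frame("10.0.0.23", "10.0.0.5", 51000, 21, b"STOR nightly.tar\r\n")),
        (t, _frame("203.0.113.7", "10.0.0.5", 40001, 21, b"USER ftpuser\r\n")),
        (t + 1, _frame("10.0.0.5", "203.0.113.7", 21, 40001, b"331 Password required.\r\n")),
        (t + 2, _frame("203.0.113.7", "10.0.0.5", 40001, 21, b"PASS Summer2021!\r\n")),
        (t + 3, _frame("203.0.113.7", "192.0.2.44", 40002, 80, b"GET / HTTP/1.1\r\n\r\n")),
        (t + 9, _frame("203.0.113.7", "10.0.0.5", 40001, 21, b"RETR customer_list.xlsx\r\n")),
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in recs:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    for row in summarize(ftp_sessions(sample_pcap())):
        print(row)
```

Two caveats when running this against a real capture: the script reads only the client side of the control channel, so the server's reply codes (230 on a successful login, 226 on a completed transfer) still have to be checked in NetWitness before you treat a RETR as a confirmed exfiltration, and FTP data connections use a separate port, so file contents are not in these sessions. The password_in_clear field is there because FTP sends credentials unencrypted, which is itself a finding for the report.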
Part 2: Analyze a Disk Image for Forensic Evidence
E3 icon
Note: E3 may take several minutes to load. The E3 welcome screen opens with shortcuts to the most common activities that forensic investigators will perform within the tool.
3. In the New Case dialog box, type yourname Incident Response in the Case name field, replacing yourname with your own name, then click Continue to create your new case file and
4. In the Add New Evidence dialog box, click the Image File category, then select the Auto- detect image Source type and click OK to continue.
Open dialog box
6. When prompted, click OK to accept the default name for the drive image and add the data
Note: The yourname Incident Response case will appear in the Case Content pane. The Case Content pane is the primary display and navigation area for all evidence in the open case file. Within the Case Content pane's tree-view structure, you can access case nodes, evidence nodes, evidence type nodes, folder nodes, and data grids/streams. Technically, the Case Content pane does not store the actual evidence, but provides a series of links to elements within the physical evidence.
When you select a specific node or grid within the Case Content pane, the contents of the enclosing folder or database will be displayed in the Data Viewer in the center pane. Within the Data Viewer, you can select individual files, folders, and records. Additional information about the currently selected node, grid, file, folder, or record will be displayed in the Viewers pane on the right, which provides multiple ways to view your current selection.
11. When prompted, click OK to close the MS Outlook Database Settings dialog box without making any changes.
Storage\Root - Mailbox, then expand the IPM_SUBTREE folder node to display the structure of the email database.
Search from the context menu to open the Advanced Search pane in the center console.
Start button
17. In the Results pane, double-click the search results to display the email in the E-mail Data pane and open the enclosing folder in a new Data Viewer tab.
You may need to extend the E-mail Data pane to see the full email.
19. Close the E3 window.
Part 3: Prepare an Incident Response Report
Note: In the next steps, you will use the information gathered during your investigation to complete an abbreviated version of the sample Incident Reporting Template provided by US-CERT. At this point in your investigation, you should have evidence demonstrating that data was exfiltrated from the corporate network by one Dr. Evil via the company's own FTP server, and that Marvin Jonson provided the FTP credentials to Dr. Evil over email.
2. Review the information you gathered in Parts 1 and 2 of this section.
Name
Insert your name here.
Incident Priority
Define this incident as High, Medium, Low, or Other.
Systems Affected by the Incident
Define the following: Attack sources (e.g., IP address, port), attack destinations (e.g., IP address, port), IP addresses of the affected systems, primary functions of the affected systems (e.g., web server, domain controller).
Users Affected by the Incident
Define the following: Names and job titles of the affected users.
Part 1: Identify Additional Email Evidence
Note: After successfully completing an initial incident response report and submitting it to the rest of the incident response team and senior leadership for review, the security team quickly isolated the FTP server and locked all of Marvin Jonson’s accounts. While your peers have commended you for your quick response and detailed documentation, you are concerned that your initial findings do not encompass the full scope of the incident, and that additional data may have been exfiltrated through other means. If Marvin was so easily compelled to give up access to the company FTP server, what else might he have done?
4. In the center pane, double-click the marvin.jonson@outlook.com.ost database to open it.
5. In the Case Content pane, navigate to marvin.jonson@outlook.com.ost\Outlook Offline Storage\Root - Mailbox, then expand the IPM_SUBTREE folder.
You may need to scroll to the right to see the Filter sender and recipient section.
8. Click Start to run the search for emails from Dr. Evil.
11. Make a screen capture showing the email from Dr. Evil reminding Marvin to update the firewall and scheduler.
Part 2: Identify Evidence of Spyware
Note: Similar to the Data Triage function, the Incident Response node is an E3 function that automatically aggregates some of the highest-value sources of evidence in the Windows Registry, which allows investigators to quickly surface relevant evidence.
2. In the Incident Response node, right-click the Scheduled Tasks category and select Advanced Search to open an Advanced Search pane in the center console.
7. Document the port used for inbound connections to the keylogger and the name and location of the keylogger executable.
8. Repeat steps 2-4 on the Services category, this time running a search for the name of the keylogger executable.
11. Repeat steps 2-4 on the Activity 1-194 table, running a search for the name of the keylogger executable.
12. In the results, identify the first and last start times for the keylogger.
Note: Within the Properties pane, you should also see a value titled ActivityType. ActivityType will contain either 5 or 6: 5 means that the user opened (launched) the application, and 6 means that the application had focus, that is, the user interacted with it. Using this information, you should be able to identify whether Marvin interacted with the keylogger or simply opened it.
16. In the results, review the values in the ActivityType column.
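The Activity grid that E3 shows here is built from the Windows Timeline database, ActivitiesCache.db, a SQLite file stored under the user's ConnectedDevicesPlatform folder in %LOCALAPPDATA%. The following Python script is an added example and is not part of this lab or of E3: it answers steps 11 through 16 programmatically, finding the first and last start times for a given executable, counting the ActivityType 5 (opened) and 6 (had focus) rows, and reporting whether the user ever interacted with the program. It assumes a reduced version of the real Activity table containing only the columns the check needs (AppId as a JSON array of application/platform objects, ActivityType, and StartTime/EndTime as Unix seconds); the rows and the keylogger path klog.exe are constructed for the example, since the lab does not name the real executable. To run it against an extracted ActivitiesCache.db, replace build_sample_db() with sqlite3.connect(path).

```python
"""Added example: query a Windows Timeline (ActivitiesCache.db) style Activity table for a
suspect executable. The reduced schema and every row are constructed for this example."""
import json
import sqlite3
from datetime import datetime, timezone

EXECUTE_OPEN = 5   # user opened/launched the application
IN_FOCUS = 6       # application had focus, i.e. the user interacted with it

# Hypothetical keylogger path; the lab does not name the real executable.
KEYLOGGER = r"C:\Users\marvin\AppData\Roaming\updater\klog.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"


def _epoch(y, mo, d, h, mi):
    """ActivitiesCache stores StartTime/EndTime as Unix seconds (UTC)."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


def _app_id(path):
    """AppId is a JSON array of {application, platform} objects."""
    return json.dumps([{"application": path, "platform": "x_exe_path"}])


def build_sample_db():
    """In-memory SQLite table holding only the columns this check needs (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Activity (Id INTEGER PRIMARY KEY, AppId TEXT, "
                "ActivityType INTEGER, StartTime INTEGER, EndTime INTEGER)")
    rows = [
        (_app_id(WINWORD), EXECUTE_OPEN, _epoch(2021, 7, 12, 9, 5), _epoch(2021, 7, 12, 9, 5)),
        (_app_id(KEYLOGGER), EXECUTE_OPEN, _epoch(2021, 7, 13, 14, 2), _epoch(2021, 7, 13, 14, 2)),
        (_app_id(KEYLOGGER), IN_FOCUS, _epoch(2021, 7, 13, 14, 2), _epoch(2021, 7, 13, 14, 6)),
        (_app_id(KEYLOGGER), EXECUTE_OPEN, _epoch(2021, 7, 14, 8, 31), _epoch(2021, 7, 14, 8, 31)),
    ]
    con.executemany("INSERT INTO Activity (AppId, ActivityType, StartTime, EndTime) "
                    "VALUES (?, ?, ?, ?)", rows)
    return con


def app_paths(app_id_json):
    """Return every executable path named in an AppId value; tolerate malformed JSON."""
    try:
        entries = json.loads(app_id_json)
    except (TypeError, ValueError):
        return []
    return [e.get("application", "") for e in entries if isinstance(e, dict)]


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def activity_timeline(con, exe_name):
    """Summarise rows whose AppId ends with exe_name: first/last start, counts per type,
    and whether the user ever interacted with the program (any ActivityType 6 row)."""
    opened, focused = [], []
    sql = "SELECT AppId, ActivityType, StartTime, EndTime FROM Activity ORDER BY StartTime"
    for app_id, atype, start, end in con.execute(sql):
        if not any(p.lower().endswith(exe_name.lower()) for p in app_paths(app_id)):
            continue
        if atype == EXECUTE_OPEN:
            opened.append((start, end))
        elif atype == IN_FOCUS:
            focused.append((start, end))
    starts = [s for s, _ in opened + focused]
    if not starts:
        return None
    return {
        "executable": exe_name,
        "first_start": _utc(min(starts)),
        "last_start": _utc(max(starts)),
        "opened": len(opened),
        "focused": len(focused),
        "interacted": bool(focused),
        "focus_seconds": sum(e - s for s, e in focused),
    }


if __name__ == "__main__":
    print(activity_timeline(build_sample_db(), "klog.exe"))
    print(activity_timeline(build_sample_db(), "nothere.exe"))
```

Two caveats for the report: the times come back in UTC, so convert them to the workstation's local time zone before comparing them with the email timestamps, and the Timeline database only records programs the user launched or brought into focus through the shell. A keylogger started by the scheduled task or service you found earlier never receives focus, so the absence of a type 6 row shows only that Marvin did not interact with its window, not that it was not running.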
keylogger and make other unauthorized changes to his workstation, as well as concrete evidence from the Windows Registry that he followed through on those demands. In light of your new revelations, you will need to complete a second Incident Report documenting these new discoveries. As noted within the template, if the information or assessment for a specific header has not changed since your first report, you can simply respond with Unchanged. The objective of this second report is to describe the delta between your first report and your fuller understanding of what occurred.
1. Review the information you gathered in Parts 1 and 2 of this section.
Date
Insert current date here.
Name
Insert your name here.
Systems Affected by the Incident
Has the list of systems affected changed? If so, define any new systems or new information.
Section 3: Challenge and Analysis
Note: The following exercises are provided to allow independent, unguided work using the skills you learned earlier in this lab - similar to what you would encounter in a real-world situation.
Part 2: Identify Additional Evidence of Spyware
After resuming your investigation, you suddenly recall seeing another suspicious email in Marvin's Inbox - one that was allegedly from the Security team and made reference to monitoring software. As a Giggly Goofo employee, you do not recall receiving a similar request from your colleagues on the Security team, and as a trained professional, you are quite certain that the Security team would not make such a request via email (they would just install it quietly during a monthly software update).