Network Forensic Report | PCAP Network Packet Capture Analysis

MATERIALS

The teaching materials for this scenario include:

SCENARIO

You are a security administrator at the prestigious (and fictional) XYZ School.

XYZ School IT department received an email from Lily Tuckrige, a teacher in the Chemistry Department. Tuckridge has been receiving harassing emails and she suspects that they are being sent by a student in her class Chemistry 109, which she is teaching this summer. The email was received at Tuckridge’s personal email account, lilytuckrige@yahoo.com. She took a screenshot of the web browser and sent it in.

The system administrator who received the complaint wrote back to Tuckridge that they needed the full headers of the email message. Tuckridge responded by clicking the “Full message headers” button in Yahoo Mail and sent in another screenshot, this one with the mail headers.

The mail header shows that the mail message originated from the IP address 140.247.62.34, which is an XYZ School student dorm room. Three women share the dorm room. XYZ provides an Ethernet connection in every dorm room but not Wi-Fi access, so one of the women’s friends installed a Wi-Fi router in the room. There is no password on the Wi-Fi.

Because several email messages appear to come from this IP address, XYZ School decides to place a network sniffer on the Ethernet port. All of the packets are logged. On Monday 7/21 Tuckridge received another harassing email. This time, instead of sending it directly, the perpetrator sent it through a web-based service called “willselfdestruct.com.” The website briefly shows the message to Tuckridge, and then the website reports that the “Message Has Been Destroyed.”

You have been given the screenshots, the packets that were collected from the Ethernet tap, and the Chem 109 roster.

Your job is to determine if one of the students in the class was responsible for the harassing email and to provide clear, conclusive evidence to support your conclusion.

Hash values for XYZ.pcap:

Algorithm   Value
MD5         9981827f11968773ff815e39f5458ec8
SHA1        65656392412add15f93f8585197a8998aaeb50a1
SHA256      2b77a9eaefc1d6af163d1ba793c96dbccacb04e6befdf1a0b01f8c67553ec2fb

(Note: Because packet capture files contain timestamps for each packet, this scenario needs to have a date and time when it takes place. This scenario takes place in Summer 2008. The date and time stamps are not relevant in solving the problem set.)
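Before any analysis, the capture file should be verified against the published hashes so the report's Handling Data section can document that the evidence was intact when it was received. The script below is an added example, not part of the scenario materials; it computes all three digests in one pass over the file and compares them to the values listed above. The file name XYZ.pcap is taken from the scenario; the script name and command-line usage are assumptions.

```python
import hashlib
import io
import sys

# Reference digests for XYZ.pcap as published in the scenario materials.
EXPECTED_XYZ_PCAP = {
    "md5": "9981827f11968773ff815e39f5458ec8",
    "sha1": "65656392412add15f93f8585197a8998aaeb50a1",
    "sha256": "2b77a9eaefc1d6af163d1ba793c96dbccacb04e6befdf1a0b01f8c67553ec2fb",
}

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so a large capture need not fit in memory


def digest_stream(fp):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in a single pass."""
    hashers = {name: hashlib.new(name) for name in EXPECTED_XYZ_PCAP}
    for chunk in iter(lambda: fp.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Same computation for an in-memory byte string (useful for self-checks)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    """Digest a file on disk without loading it whole."""
    with open(path, "rb") as fp:
        return digest_stream(fp)


def compare(actual, expected):
    """Return {algorithm: matched} for every algorithm in the expected set.
    Comparison is case-insensitive because tools print hex digests in either case."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


if __name__ == "__main__":
    # Assumed usage: python verify_pcap.py XYZ.pcap  (script name is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else "XYZ.pcap"
    result = compare(digest_file(path), EXPECTED_XYZ_PCAP)
    for name, ok in result.items():
        print(f"{name:7} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(result.values()) else 1)
```

A non-zero exit status means the capture does not match the published hashes and should not be analysed until the discrepancy is explained and recorded.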

REPORT INSTRUCTIONS


1. You will need to form a group of two students.
2. Follow the template provided to write this report and use the same section structure. Note that this template is prefilled with information for another scenario that is not related to the case in hand.
3. Generally, your report should include the sections provided below.
4. In the Self-review section, each student in the group should write a paragraph describing his contribution to the report and the percentage he contributed to each section and subsection of the report.

   1. Executive Summary

   2. Introduction

      2.1 Network Capture File Details

      2.2 Network Components Identified

   3. Methodology

      3.1 Tools Used

      3.2 Steps Involved

      3.3 Handling Data

   4. Detailed Findings

      4.1 Important Network Players

      4.2 Network Structure

      4.3 Activity Timeline for the Attack

      4.4 Background Evidence

   5. Supporting Evidence Presented

   6. Conclusions

   7. Self-review Section