
Objectives

The objectives of this assignment are to:

• reinforce your understanding of the usefulness of network traffic in
computer forensic investigations;
• reinforce your understanding of the different tools and techniques
that can be used to analyse network traffic at each of its layers;
• demonstrate to you the usefulness of each of the different network
layers in interpreting the activities present in network traffic
captures; and
• reinforce the importance of concise and accurate reporting of the
results.

Task
Your task is to perform an analysis of the network traffic capture
contained in the file:
“Inn550-2010-assignment2.pcap”

The main tool you will need to perform the analysis is WireShark. Note
that the file contains a lot of packets (67,995 in total) so you will need to
be clever about how you perform the analysis. Looking at each packet
individually will not be time well spent.
The network traffic capture was obtained from the host with the IP
address 58.168.247.171. It is suspected that this host was compromised
and that details of what happened after the computer was compromised
are contained within the provided file. You should try to determine the
nature of the compromise and detail the activities undertaken by the
perpetrator. Note that the network traffic capture file contains no Layer 2
network data so you do not have any details about the link layer.
You should verify that you have a correct copy of the file:

MD5 value (inn550-2010-assignment2.pcap.gz): 01b8280d3dc7c0af5824f93d2ed01c19

MD5 value (inn550-2010-assignment2.pcap): 8f308c8ae8efb5402382f9f884f0436a
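As an added example (not part of the assignment text), the following Python script performs this check in the order a practitioner would: hash the compressed copy, unpack it, then hash the unpacked copy. The expected digests are the two values above; the file names are assumed to sit in the working directory, and the empty-file digest used while exercising the functions is a constructed check value.

```python
import gzip
import hashlib
import shutil
from pathlib import Path

# Expected digests as given in the assignment text.
EXPECTED = {
    "inn550-2010-assignment2.pcap.gz": "01b8280d3dc7c0af5824f93d2ed01c19",
    "inn550-2010-assignment2.pcap": "8f308c8ae8efb5402382f9f884f0436a",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large capture never has to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(path, expected):
    """Return True when the file's MD5 equals the expected hex digest (case-insensitive)."""
    actual = md5_of_file(path)
    ok = actual.lower() == expected.lower()
    print(f"{'OK  ' if ok else 'FAIL'} {path}  {actual}")
    return ok


def unpack(gz_path, out_path):
    """Decompress gz_path to out_path, streaming rather than reading it all at once."""
    with gzip.open(gz_path, "rb") as src, open(out_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return out_path


def check_capture(directory="."):
    """Verify the compressed copy, unpack it, then verify the unpacked copy."""
    folder = Path(directory)
    gz = folder / "inn550-2010-assignment2.pcap.gz"
    pcap = folder / "inn550-2010-assignment2.pcap"
    if not verify(gz, EXPECTED[gz.name]):
        return False          # do not unpack a file that is already wrong
    unpack(gz, pcap)
    return verify(pcap, EXPECTED[pcap.name])


if __name__ == "__main__":
    raise SystemExit(0 if check_capture() else 1)
```

Run it from the directory holding the download; a non-zero exit status means one of the two copies does not match and the analysis should not start until a clean copy is obtained.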

While WireShark will be very useful to you during your analysis you should
explore the use of other tools to assist with your analysis. Examples of
tools that may be useful include: tcpflow, whois, GeoIP, Snort, and
pyFLAG. You do not have to use any of these tools - you might find other
tools that are more useful. You should, however, aim to use at least two
(2) tools in addition to WireShark. Clearly you should not report on every
packet! You need to think about how to group together related packets
and summarise (or characterise) the activity that is occurring within them.
The following section should give you a clearer idea of what your report is
expected to contain.

Further Details
Your report should include discussion of the following:

1. Your introduction should provide a high-level summary of the capture
file and its contents. When was the capture file created? How many packets
does it contain? How many IP end-points are present? What are the main
types of traffic, and so on.

2. A section which describes, to the extent possible, the nature of the host
from which the network traffic capture was obtained. This should include,
at least:
• identify the location and owner of the IP address being monitored;
• a list of the services running on the monitored host;
• a summary of the types of traffic that the host receives;
• a summary of the traffic initiated by the monitored host;
• where possible, give an indication of the versions of the server and client
applications observed in the traffic.
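The questions in sections 1 and 2 (capture dates, packet and end-point counts, traffic mix, services offered by the monitored host and connections it initiated) can be answered without looking at packets one by one. The following Python script is an added example, not part of the assignment or of any tool it names: it reads a classic pcap file whose records start directly with an IP header (link type 101, or 12 in some older files, which is what "no Layer 2 data" implies), parses the IPv4 and TCP/UDP headers itself, and counts bare SYNs towards the monitored host as services and bare SYNs from it as outbound connections. The addresses, ports and timestamps in the sample capture it builds are constructed values from documentation ranges, not from the assignment file.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

# The assignment capture has no Layer 2 data, so each record is expected to
# start directly with an IP header (LINKTYPE_RAW = 101; some older writers
# used DLT_RAW = 12). Classic pcap only; pcapng is not handled here.
RAW_IP_LINKTYPES = {12, 101}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def iter_packets(data):
    """Yield (timestamp, ip_packet_bytes) for each record of a classic pcap file."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"link type {linktype} is not raw IP")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        yield sec + usec / 1e6, data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len


def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport, tcp_flags), or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = None
    flags = 0
    l4 = pkt[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 6 and len(l4) >= 14:
            flags = l4[13]          # TCP flags byte
    return src, dst, proto, sport, dport, flags


def summarise(data, monitored):
    """Answer the report's opening questions and profile the monitored host."""
    count, first, last = 0, None, None
    endpoints, protocols = set(), Counter()
    services = Counter()   # ports on the monitored host that received a bare SYN
    outbound = Counter()   # (peer, port) pairs the monitored host connected to
    for ts, pkt in iter_packets(data):
        count += 1
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        hdr = parse_ipv4(pkt)
        if hdr is None:
            continue
        src, dst, proto, _sport, dport, flags = hdr
        endpoints.update((src, dst))
        protocols[PROTO_NAMES.get(proto, str(proto))] += 1
        syn_only = proto == 6 and (flags & 0x12) == 0x02   # SYN set, ACK clear
        if syn_only and dst == monitored:
            services[dport] += 1
        elif syn_only and src == monitored:
            outbound[(dst, dport)] += 1
    iso = lambda t: None if t is None else datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {"packets": count, "first": iso(first), "last": iso(last),
            "endpoints": len(endpoints), "protocols": dict(protocols),
            "services": dict(services), "outbound": dict(outbound)}


def _ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed minimal IPv4+TCP packet for the sample below (checksums left zero)."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def build_sample_pcap():
    """Constructed raw-IP pcap with five packets (sample data, not the assignment capture)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    host, peer, remote = "198.51.100.7", "203.0.113.9", "192.0.2.5"
    packets = [
        (1000, 0, _ipv4_tcp(peer, host, 40001, 80, 0x02)),       # peer -> host:80 SYN
        (1000, 100000, _ipv4_tcp(host, peer, 80, 40001, 0x12)),  # host -> peer SYN/ACK
        (1000, 200000, _ipv4_tcp(peer, host, 40001, 80, 0x10)),  # peer -> host ACK
        (1001, 0, _ipv4_tcp(host, remote, 50001, 6667, 0x02)),   # host -> remote:6667 SYN
        (1002, 0, _ipv4_tcp(peer, host, 40002, 22, 0x02)),       # peer -> host:22 SYN
    ]
    return header + b"".join(struct.pack("<IIII", s, u, len(p), len(p)) + p for s, u, p in packets)
```

For the assignment file the call is summarise(open("inn550-2010-assignment2.pcap", "rb").read(), "58.168.247.171"); reading 67,995 packets into memory is not a problem. Two caveats when reporting the result: the "first" and "last" timestamps are the capture's own clock in UTC, so state the time zone you assume; and a bare SYN only shows that someone tried to connect, so pair a port in "services" with a SYN/ACK from the host (Wireshark filter: ip.src == 58.168.247.171 && tcp.flags.syn == 1 && tcp.flags.ack == 1) before listing it as a running service.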

3. Provide a detailed description of the nature of the web server running
on the monitored host. Describe the directory hierarchy and the nature of
the content. Try to reconstruct at least one HTML rendering of a typical
page from the site.
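One way to recover the directory hierarchy is to export every requested URI and fold the paths into a tree. The script below is an added example (not part of the assignment): it assumes the URIs were exported with tshark -r capture.pcap -Y http.request -T fields -e http.request.uri, builds the tree with request counts per file, and tallies file extensions to characterise the content. The sample paths are constructed and do not come from the assignment capture.

```python
from collections import Counter
from urllib.parse import urlsplit

DIR_INDEX = "(directory index)"


def directory_tree(uris):
    """Build a nested dict of the site layout from request URIs.

    Directory names carry a trailing "/" and map to child dicts; file names
    map to the number of times they were requested. Query strings are dropped
    so /search.cgi?q=a and /search.cgi?q=b land on the same entry.
    """
    root = {}
    for uri in uris:
        path = urlsplit(uri).path
        parts = [p for p in path.split("/") if p]
        if path.endswith("/"):
            dirs, leaf = parts, DIR_INDEX
        else:
            dirs, leaf = parts[:-1], (parts[-1] if parts else DIR_INDEX)
        node = root
        for name in dirs:
            node = node.setdefault(name + "/", {})
        node[leaf] = node.get(leaf, 0) + 1
    return root


def render_tree(node, indent=0):
    """Render the tree as indented text, directories first, for the report."""
    lines = []
    dirs = sorted(k for k, v in node.items() if isinstance(v, dict))
    files = sorted(k for k, v in node.items() if not isinstance(v, dict))
    for name in dirs:
        lines.append("  " * indent + name)
        lines.extend(render_tree(node[name], indent + 1))
    for name in files:
        lines.append("  " * indent + f"{name}  ({node[name]} requests)")
    return lines


def content_types(uris):
    """Count requests by file extension to characterise what the site serves."""
    kinds = Counter()
    for uri in uris:
        name = urlsplit(uri).path.rsplit("/", 1)[-1]
        if not name:
            kinds["(directory)"] += 1
        elif "." in name:
            kinds[name.rsplit(".", 1)[-1].lower()] += 1
        else:
            kinds["(no extension)"] += 1
    return kinds


# Constructed request paths standing in for the tshark export (sample data only).
SAMPLE_URIS = [
    "/", "/index.html", "/index.html", "/images/logo.png", "/images/banner.jpg",
    "/cgi-bin/search.cgi?q=test", "/cgi-bin/search.cgi?q=other", "/docs/", "/docs/guide.html",
]

if __name__ == "__main__":
    print("\n".join(render_tree(directory_tree(SAMPLE_URIS))))
    print(dict(content_types(SAMPLE_URIS)))
```

Only requests that actually appear in the capture are recovered, so the tree is a lower bound on the site's layout; say so in the report. The HTML rendering the task asks for comes from the response bodies, which tcpflow or Wireshark's "Follow TCP Stream" will give you for a chosen request.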

4. A section which presents a timeline of the activities occurring within the
traffic dump. Describe in your own words when, who and what type of
interaction took place. Also note any significant or interesting aspects of
the communications.
You need to make a reasoned judgement when deciding how much detail
to present in the timeline. For example, if it appears that a host is
interacting with a particular web site you need not detail every URL
retrieved, but rather, if you can, describe the nature of the material being
retrieved. Or, if an activity is repeated many times you need not list every
instance of the activity, instead consider providing the first time, last time,
and the frequency of the event. If you don’t think it provides any extra
information to the reader of your report to provide the fine details of the
interactions taking place, then don’t include that level of detail in your
report.
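The "first time, last time and frequency" rule can be applied mechanically before you write the narrative. The script below is an added example, not part of the assignment: it takes a list of (timestamp, actor, description) events, such as one entry per connection or request you have already extracted, merges repeats of the same activity into one timeline entry, and starts a new entry when the activity pauses for longer than a chosen gap, so that a burst in the morning and another hours later are reported separately instead of as one long span. The actor, descriptions, timestamps and the five-minute gap are constructed choices, not values from the capture.

```python
from collections import defaultdict
from datetime import datetime, timezone


def summarise_events(events, session_gap=300.0):
    """Collapse repeated events into timeline entries.

    events: iterable of (epoch_seconds, actor, description) tuples.
    Events sharing (actor, description) are merged into one entry with first
    seen, last seen and a count. A pause longer than session_gap seconds
    starts a new entry for the same activity.
    """
    by_key = defaultdict(list)
    for ts, actor, description in events:
        by_key[(actor, description)].append(ts)
    entries = []
    for (actor, description), stamps in by_key.items():
        stamps.sort()
        start = prev = stamps[0]
        count = 0
        for ts in stamps:
            if ts - prev > session_gap:          # activity resumed after a pause
                entries.append(_entry(actor, description, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        entries.append(_entry(actor, description, start, prev, count))
    entries.sort(key=lambda e: e["first"])
    return entries


def _entry(actor, description, first, last, count):
    span = last - first
    return {
        "actor": actor,
        "description": description,
        "first": first,
        "last": last,
        "count": count,
        # an average rate only makes sense for repeated activity
        "per_minute": round(count * 60.0 / span, 1) if span > 0 else None,
    }


def render_timeline(entries):
    """One line per activity, in the form a report timeline needs."""
    stamp = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    lines = []
    for e in entries:
        if e["count"] == 1:
            lines.append(f"{stamp(e['first'])}  {e['actor']}  {e['description']}")
        else:
            lines.append(f"{stamp(e['first'])} to {stamp(e['last'])}  {e['actor']}  "
                         f"{e['description']} x{e['count']} (~{e['per_minute']}/min)")
    return lines


def sample_events():
    """Constructed events: a burst of web requests, one SSH connection, then the
    web requests resume an hour later (sample data, not from the capture)."""
    base = 1_280_000_000          # arbitrary epoch second
    peer = "203.0.113.9"
    web = "HTTP request to monitored host port 80"
    events = [(base + t, peer, web) for t in range(0, 60, 2)]
    events.append((base + 100, peer, "TCP connection to monitored host port 22"))
    events += [(base + 3600 + t, peer, web) for t in range(0, 20, 2)]
    return events


if __name__ == "__main__":
    for line in render_timeline(summarise_events(sample_events())):
        print(line)
```

The gap value is the "reasoned judgement" the task refers to: a smaller gap splits activity into more entries, a larger one merges it. Choose it per activity type if one value does not fit, and keep the raw per-event list so the fine detail can be produced if a reader asks for it.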
5. Try to identify when and how the monitored host was compromised.
Provide a detailed description of the method used and describe the
actions undertaken by the perpetrator following the compromise.

6. Provide a detailed discussion of the methods you used to complete this
assignment. For each task identified above you should:
• describe the tools and techniques you used in detail;
• list any WireShark filters that you used;
• describe any approaches you used to simplify the task; and
• identify limitations of the tools that you used that made the task more
difficult.

7. Finally, you should conclude your report with a summary of the main
findings of your analysis.
