
Question

Please follow the instructions below

Part I: Forensic Analysis and Recovery

Most files have extensions that can be easily opened by corresponding applications. For example, MS Word can open .docx files, and most image applications can open .jpg or .png files. For deleted files or damaged files, the file structure (headers) may be removed or missing. In most cases, those files can still be recovered using forensic tools. Follow the instructions below to recover all damaged files. (Hint: you may need to know the signature of common file types.)

Download the file from the website http://pneumann.com/sec_labs/file00.zip.

Unzip and store on a USB drive.

Examine all files. You will find that seven files end with the .$$$ file extension, which cannot be opened by any application. One JPG file shows a picture, but no textual information can be seen directly.

We know that all eight files contain information that needs to be recovered.

Your task is to recover the information contained in the files. Retrieving the information from the JPG file could be particularly difficult and require extra steps.


Part 2: Live Acquisition

Live acquisitions are especially useful when you are dealing with active network intrusions and attacks, or if you suspect employees are accessing network areas they shouldn’t. Live acquisitions before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM. Some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect system.

For Part 2 of the final project, you will use Wireshark in a real-time environment to inspect packet captures. Download and install Wireshark on your computer (https://www.wireshark.org/download.html) and complete the initial setup (select the network card(s) to capture on). Follow these steps:

Start Wireshark and select Interfaces (the network card you are using).

Download this file: http://pneumann.com/sec_labs/url-spec.txt (using any browser).

Filter the TCP traffic and find the following information from the packets you captured:

“A complete URL consists of a naming scheme specifier followed by a string whose format is a function of the naming scheme. For locators of information on the Internet, a common syntax is used for the IP address part. A BNF description of the URL syntax is given in an a later section. The components are as follows. Fragment identifiers and partial URLs are not involved in the basic URL definition.”

Note: The information may be embedded in more than one packet.

Take screenshots of the packets that contain the above paragraph.

Browse to a TCP frame, right-click the frame and click Follow TCP Stream. This is how hackers rebuild a session (for later launching a replay attack).

Take a screenshot of the Follow TCP Stream screen.

Exit Wireshark.

When you finish the above activities, write a report to include the following:

The steps you conducted for forensic analysis in Part 1

Screenshots of the USB disk image size and file format

List of all information you recovered from the eight files in Part 1

Screenshots of packets that contain the paragraph (in Part 2, Step 4)

Screenshot of the Follow TCP Stream screen

Live acquisition may affect RAM and running processes, which also means data on the hard drives may be affected. What precautions should you follow before conducting live acquisition?

Using Wireshark to capture live network traffic is similar to wiretapping. Is there any concern for privacy? Do you need a court order for conducting such captures?
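For the Part I signature step, here is an added example (not part of the question or of any answer on this page) that checks a file's leading bytes against common magic numbers and, when no header matches, falls back to the body and trailer clues a JPEG or PDF still carries after its header is stripped. The signature table and the sample files are constructed for illustration; `scan_directory` is a hypothetical helper for running the same check over a real directory such as the unzipped lab files.

```python
import os

# Leading-byte signatures of common file types: (magic at offset 0, extension)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/pptx containers
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "doc"),    # legacy OLE2 Office files
]

def identify(data):
    """Extension suggested by an intact header, or 'unknown'."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return "unknown"

def classify(data):
    """(extension, note): recognise intact headers first, then fall back to
    body/trailer clues that survive when the header bytes were stripped."""
    ext = identify(data)
    if ext != "unknown":
        return ext, "intact header"
    # A JPEG missing its SOI still carries JFIF/Exif near the start and EOI (FF D9) at the end
    if (b"JFIF" in data[:64] or b"Exif" in data[:64]) and data.endswith(b"\xFF\xD9"):
        return "jpg", "header stripped; prepend FF D8 FF E0 and reopen"
    # A PDF missing its %PDF- line still ends with %%EOF and contains objects
    if b"%%EOF" in data[-32:] and b" obj" in data:
        return "pdf", "header stripped; prepend a %PDF-1.4 line and reopen"
    return "unknown", "no recognised signature; inspect with a hex editor"

def scan_directory(path):
    """classify() every regular file in `path`, keyed by file name (hypothetical helper)."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = classify(fh.read())
    return results

# Constructed stand-ins for the lab's renamed/damaged files (not the real ones)
SAMPLES = {
    "a.$$$": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xFF\xD9",
    "b.$$$": b"\x00\x10JFIF\x00\x01" + b"\x00" * 20 + b"\xFF\xD9",   # SOI bytes removed
    "c.$$$": b"PK\x03\x04" + b"\x00" * 30,
}
```

Calling `classify()` on each value in `SAMPLES` (or `scan_directory()` on the USB folder) reports the likely type and what repair to try; a renamed-only file just needs its extension restored, while a stripped one needs the missing header bytes prepended before an application will open it.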

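For the Part 2 note that the paragraph may be spread over more than one packet, here is an added example (not the page's own material) that rebuilds one direction of a TCP stream from out-of-order and retransmitted segments, as Wireshark's Follow TCP Stream does, and then reports which frames carry a searched-for text. The segments, sequence numbers and the HTTP response are constructed, not captured from url-spec.txt.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # TCP sequence number of the payload's first byte
    payload: bytes

def reassemble(segments, isn):
    """Order segments by seq, drop retransmitted bytes, pad lost ranges with
    zero bytes; returns (stream_bytes, list_of_gaps)."""
    stream, gaps, expected = bytearray(), [], isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq + len(seg.payload) <= expected:
            continue                                   # pure retransmission
        if seg.seq > expected:                         # bytes lost in capture
            gaps.append((expected, seg.seq))
            stream.extend(b"\x00" * (seg.seq - expected))
            expected = seg.seq
        stream.extend(seg.payload[expected - seg.seq:])  # trim any overlap
        expected = seg.seq + len(seg.payload)
    return bytes(stream), gaps

def frames_carrying(segments, isn, start, end):
    """Capture-order indices of segments overlapping stream bytes [start, end)."""
    return [i for i, s in enumerate(segments)
            if s.seq - isn < end and s.seq - isn + len(s.payload) > start]

def find_text(segments, isn, needle):
    """Locate `needle` in the rebuilt stream and name the frames that carry it."""
    stream, gaps = reassemble(segments, isn)
    off = stream.find(needle)
    if off < 0:
        return None
    return {"offset": off, "gaps": gaps,
            "frames": frames_carrying(segments, isn, off, off + len(needle))}

# Constructed capture: one HTTP response split into three segments, delivered
# out of order with one retransmission (not real data from url-spec.txt).
ISN = 1000
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
            b"A complete URL consists of a naming scheme specifier followed by "
            b"a string whose format is a function of the naming scheme.\n")
CAPTURE = [
    Segment(ISN + 48, RESPONSE[48:100]),   # frame 0: middle piece arrives first
    Segment(ISN, RESPONSE[:48]),           # frame 1: headers + first bytes of text
    Segment(ISN + 48, RESPONSE[48:100]),   # frame 2: retransmission of frame 0
    Segment(ISN + 100, RESPONSE[100:]),    # frame 3: tail
]
TARGET = b"A complete URL consists of a naming scheme specifier"
```

`find_text(CAPTURE, ISN, TARGET)` finds the sentence only in the reassembled stream and lists frames 0, 1 and 2 as the ones to screenshot; searching each packet's payload on its own would miss it because the text starts in one segment and continues in the next.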

Explanation / Answer

Information recuperation: broadening your window of chance

At the point when an information rupture occasion happens, your organization just has a short window of time to assemble basic proof. Inner IT assets are frequently compelled to go about as a first line of guard — however specialists on call who are untrained in information recuperation and measurable investigation now and then accomplish more mischief than anything, harming basic information or coincidentally misusing essential confirmation.

The specialists at Kroll have unparalleled experience utilizing measurable programming and conventions to perform information accumulation and information safeguarding in the wake of a break. We handle confirm with demonstrated, forensically solid technique, utilizing information recuperation instruments and procedures that are bolstered by case law.

We'll apply scientific science to your innovation — from servers to PCs and cell phones — and examine your physical frameworks and staff, finding genuine solutions to your inquiries and setting up whether information was endangered and to what degree.

Scientific Analysis with an eye on what's to come

Our colleagues are Certified Information Privacy Professionals (CIPP) and knowledgeable in the most specific information recuperation instruments and procedures. We generally utilize forensically exact procedures, including suitable chain of authority and documentation. We comprehend case law with respect to the precision and unwavering quality of advanced apparatuses. We'll apply best in class innovation to your criminological examination, yet we additionally have the experience to precisely translate discoveries, transforming information focuses into a reasonable story and course of events that can be displayed in court.

With Kroll, you can rest guaranteed that your people on call are thinking past the prompt emergency towards an improved security act for your organization. We'll work with your advice on criminological investigation that abandons you in the most grounded conceivable position; we'll additionally leave your organization secured and better arranged to oversee future episodes.