Tools needed:

We will have a limited number of bootable USB drives for people to use. These will include SANS SIFT. If you want to download it beforehand, feel free to use the following link: https://digital-forensics.sans.org/community/downloads . The tools listed below are what will be used and can easily be installed on most operating systems. We recommend using a virtualized or otherwise separate environment when handling PCAPs that contain malware.


Wireshark (https://www.wireshark.org/download.html)

NetworkMiner (http://www.netresec.com/?page=NetworkMiner), installed via Mono on Linux (http://www.netresec.com/?page=Blog&month=2014-02&post=HowTo-install-NetworkMiner-in-Ubuntu-Fedora-and-Arch-Linux)

strings (Linux command)

file (Linux command)



Morning Agenda:

The morning agenda will cover a brief overview of how network protocols work and what information you can get from them. After that we will do a quick PCAP example. Below are the bullet points for each topic; each will have about 3-4 slides. The total presentation will be about an hour.


Explain IP and TCP.

Explain how protocols work.

Explain common TCP/UDP sockets.

Explain how to pull information from specific protocols.

Explain Wireshark.

Explain NetworkMiner.

Forensics from a PCAP.



Afternoon agenda:

You received an IDS alert stating that a user downloaded a potential exploit kit (malware). Log into the Network Security Monitor (NSM) and download a PCAP to analyze. You will need to provide the following.


Hostname of the computer that was infected.

IP address of the computer that was infected.

Network shares the computer accessed after it was infected.

IP address of the server providing the malware.

DNS name of the server providing the malware.

File extension of the malware.

Show proof that this file is malware.
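As an added illustration (not part of the workshop materials), a pure-Python PCAP walker that pulls the fields several of the questions above turn on: the infected host's IP from the source address, the malware server's DNS name from the query the host issued, and the server's IP and the requested file extension from the HTTP request line. The capture is constructed inline; the addresses, the name malware.example and the path /gate/payload.exe are invented sample values.

```python
import struct

def build_pcap(frames):
    # Little-endian PCAP global header (v2.4, linktype 1 = Ethernet) plus one 16-byte record per frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def ipv4_frame(src, dst, proto, l4):
    # Ethernet (zeroed MACs) + minimal IPv4 header; checksum left 0 since the parser never checks it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4
def dns_query(name):
    # Standard query header (QDCOUNT=1), then length-prefixed QNAME labels, QTYPE A, QCLASS IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def iter_frames(pcap):
    # Honour the magic number's byte order, then walk the record headers (incl_len at offset 8)
    end, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl
def parse_qname(buf):
    labels, i = [], 0
    while buf[i]:                      # length-prefixed labels until the 0 terminator
        labels.append(buf[i + 1:i + 1 + buf[i]].decode()); i += buf[i] + 1
    return ".".join(labels)
def extract_indicators(pcap):
    # Returns ([(src, queried_name)], [(src, dst, host_header, request_path)])
    dns, http = [], []
    for f in iter_frames(pcap):
        if f[12:14] != b"\x08\x00":    # IPv4 only
            continue
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        proto, l4 = f[23], f[14 + (f[14] & 0x0F) * 4:]
        if proto == 17 and struct.unpack("!H", l4[2:4])[0] == 53:     # UDP to port 53: DNS query
            dns.append((src, parse_qname(l4[20:])))
        elif proto == 6:                                               # TCP: look for an HTTP request
            data = l4[(l4[12] >> 4) * 4:]
            if data.startswith((b"GET ", b"POST ")):
                lines = data.split(b"\r\n")
                hdrs = dict(h.split(b": ", 1) for h in lines[1:] if b": " in h)
                http.append((src, dst, hdrs.get(b"Host", b"").decode(), lines[0].split()[1].decode()))
    return dns, http
def sample_pcap():
    # Constructed capture: 10.0.0.5 resolves malware.example, then fetches an .exe from 198.51.100.7
    d = dns_query("malware.example")
    q = ipv4_frame("10.0.0.5", "10.0.0.2", 17, struct.pack("!HHHH", 51000, 53, 8 + len(d), 0) + d)
    t = struct.pack("!HHIIBBHHH", 51001, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + b"GET /gate/payload.exe HTTP/1.1\r\nHost: malware.example\r\n\r\n"
    return build_pcap([q, ipv4_frame("10.0.0.5", "198.51.100.7", 6, t)])
```

On a real capture, replace sample_pcap() with the file's bytes; the hostname and share questions need the DHCP/NetBIOS and SMB layers, which Wireshark and NetworkMiner decode for you.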


Login credentials will be provided for the NSM. Do not attack or alter the NSM; doing so will disqualify you from this event. If the NSM is not working, a PCAP will be provided instead.