Question:
Please follow the instructions below
Part I: Forensic Analysis and Recovery
Most files have extensions that can be easily opened by corresponding applications. For example, MS Word can open .docx files, and most image applications can open .jpg or .png files. For deleted files or damaged files, the file structure (headers) may be removed or missing. In most cases, those files can still be recovered using forensic tools. Follow the instructions below to recover all damaged files. (Hint: you may need to know the signature of common file types.)
Download the file from the website http://pneumann.com/sec_labs/file00.zip.
Unzip and store on a USB drive.
Examine all files. You will find that seven files end with .$$$ as file extension, which cannot be opened by any applications. One JPG file is showing a picture, but no textual information can be seen directly.
We know that all eight files contain information that needs to be recovered.
Your task is to recover the information contained in the files. Retrieving the information from the JPG file could be particularly difficult and require extra steps.
Part 2: Live Acquisition
Live acquisitions are especially useful when you are dealing with active network intrusions and attacks, or if you suspect employees are accessing network areas they shouldn't. Live acquisitions before taking a system offline are also becoming a necessity because attacks might leave footprints only in running processes or RAM. Some malware disappears after a system is restarted. In addition, information in RAM is lost after you turn off a suspect system.
For Part 2 of the final project, you will use Wireshark in a real-time environment to inspect packet captures. Download and install Wireshark on your computer (https://www.wireshark.org/download.html) and finish the initial setting (select the network card(s) to capture). Follow these steps:
Start Wireshark, select Interfaces (network card you are using).
Download this file: http://pneumann.com/sec_labs/url-spec.txt (using any browser).
Add the url-spec.txt file to the upload page http://pneumann.com/sec_labs/upload/ but do NOT click the Start button.
Switch to Wireshark and start Capture packets.
Switch to the upload page and click the Start (uploading) button.
Switch to Wireshark and click Stop capture packets.
Filter the TCP traffic and find the following information from the packets you captured:
A complete URL consists of a naming scheme specifier followed by a string whose format is a function of the naming scheme. For locators of information on the Internet, a common syntax is used for the IP address part. A BNF description of the URL syntax is given in an a later section. The components are as follows. Fragment identifiers and partial URLs are not involved in the basic URL definition.
Note: The information may be embedded in more than one packet.
Take screenshots of the packets that contain the above paragraph.
Browse to a TCP frame, right-click the frame and click Follow TCP Stream. This is how hackers rebuild a session (for later launching a replay attack).
Take a screenshot of the follow TCP stream screen.
Exit Wireshark.
When you finish the above activities, write a report to include the following:
The steps you conducted for forensic analysis in Part 1
Screenshots of the USB disk image size and file format
List of all information you recovered from the eight files in Part 1
Screenshots of packets that contain the paragraph (in Part 2, Step 4)
Screenshot of the follow TCP stream
Live acquisition may affect RAM and running processes, which also means data on the hard drives may be affected. What precautions should you follow before conducting live acquisition?
Using Wireshark to capture live network traffic is similar to wiretapping. Is there any concern for privacy? Do you need a court order for conducting such captures?
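Part 1 hinges on the hint about file signatures: a file whose extension has been changed to .$$$ can still be typed by its first bytes (magic number), and a JPEG that "shows a picture but no text" often carries text in a COM marker segment or in bytes appended after the EOI marker. The following is an added example written for this page, not part of the assignment or of any forensic tool it names. The signature table is a deliberately short subset of the well-known magic numbers, and the sample JPEG is a constructed byte string that has the marker layout of a JPEG but is not a valid image.

```python
"""Type files by magic bytes and inspect a JPEG for hidden text.

Added example for the assignment above: the signature list is a small,
hand-picked subset of common file signatures, and build_sample_jpeg()
produces a constructed marker skeleton, not a real picture.
"""
import struct

# (magic bytes, suggested extension).  Order matters only where one
# signature is a prefix of another.  Subset for illustration.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                         # also docx/xlsx/pptx/jar
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "doc"),   # OLE2: doc/xls/ppt
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b\x08", "gz"),
    (b"\x7fELF", "elf"),
    (b"MZ", "exe"),
    (b"BM", "bmp"),
]


def identify(data: bytes) -> str:
    """Return the extension implied by the leading bytes, or 'unknown'."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    return "unknown"


def suggest_name(filename: str, data: bytes) -> str:
    """Propose a name with the signature's extension, e.g. file01.$$$ -> file01.pdf."""
    ext = identify(data)
    if ext == "unknown":
        return filename
    stem = filename.rsplit(".", 1)[0]
    return f"{stem}.{ext}"


def jpeg_hidden_text(data: bytes) -> dict:
    """Walk JPEG marker segments and collect where plain text usually hides:
    COM (0xFFFE) segments before the scan, and bytes after EOI (0xFFD9)."""
    if not data.startswith(b"\xFF\xD8"):
        raise ValueError("not a JPEG (missing SOI)")
    report = {"comments": [], "app_segments": [], "trailing": b""}
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                       # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            report["comments"].append(payload.decode("latin-1"))
        elif 0xE0 <= marker <= 0xEF:       # APPn (EXIF, JFIF, ...): worth a look too
            report["app_segments"].append(marker)
        pos += 2 + length
        if marker == 0xDA:                 # SOS: entropy-coded scan data follows
            break
    # Inside scan data 0xFF is always followed by 0x00 or an RSTn marker,
    # so the first 0xFFD9 after SOS is the real end of image.
    eoi = data.find(b"\xFF\xD9", pos)
    if eoi != -1:
        report["trailing"] = data[eoi + 2:]
    return report


def build_sample_jpeg() -> bytes:
    """Constructed skeleton: SOI, COM, minimal SOS, fake scan bytes, EOI, appended text."""
    comment = b"recovered: text hidden in COM segment"
    com = b"\xFF\xFE" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xFF\xDA" + struct.pack(">H", 2)       # empty SOS header, not a valid scan
    return b"\xFF\xD8" + com + sos + b"\x12\x34\x56" + b"\xFF\xD9" + b"appended after EOI"


if __name__ == "__main__":
    print(suggest_name("file01.$$$", b"%PDF-1.4 ..."))
    print(jpeg_hidden_text(build_sample_jpeg()))
```

On the lab files you would read the first 16 bytes of each .$$$ file and feed them to identify(); a hit tells you which application to open it with after renaming, and the JPEG walk gives you a first pass before reaching for an EXIF viewer or a hex editor.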
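Part 2 asks for a paragraph that "may be embedded in more than one packet" and then for Follow TCP Stream. The added example below, written for this page and not taken from the assignment or from Wireshark, shows what stream following does: group segments by 4-tuple, order them by sequence number, drop retransmissions, trim overlaps and record holes. It then shows why a per-packet search for the phrase fails while a search over the reassembled stream succeeds. All packets, addresses and sequence numbers are constructed; the server address is from the RFC 5737 documentation range.

```python
"""Follow-TCP-stream style reassembly over a constructed packet list.

Added example: not the assignment's data and not Wireshark code.
A packet is (src_ip, src_port, dst_ip, dst_port, seq, payload).
"""
from collections import defaultdict

CLIENT = ("10.0.0.5", 51000)         # constructed
SERVER = ("203.0.113.10", 80)        # constructed, RFC 5737 range

P1 = b"POST /sec_labs/upload/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
P2 = b"A complete URL consists of a naming scheme specifier "
P3 = b"followed by a string whose format is a function of the naming scheme.\r\n"
REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def sample_capture():
    """Constructed capture: client segments arrive out of order and one is
    retransmitted, as happens on a real link."""
    seq1 = 1001                      # ISN + 1: first payload byte
    seq2 = seq1 + len(P1)
    seq3 = seq2 + len(P2)
    c, s = CLIENT, SERVER
    return [
        (*c, *s, seq1, P1),
        (*c, *s, seq3, P3),          # arrives before P2
        (*c, *s, seq2, P2),
        (*c, *s, seq2, P2),          # spurious retransmission
        (*s, *c, 5001, REPLY),
    ]


def reassemble(segments, first_seq):
    """Order (seq, payload) pairs, drop duplicates, trim overlaps.

    Returns (stream_bytes, gaps); each gap is (expected_seq, seen_seq) for
    bytes that were lost or never captured.
    """
    out = bytearray()
    expected = first_seq
    gaps = []
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                               # nothing new: retransmission
        if seq < expected:
            payload = payload[expected - seq:]     # partial overlap: keep the tail
        elif seq > expected:
            gaps.append((expected, seq))           # hole in the capture
        out.extend(payload)
        expected = end
    return bytes(out), gaps


def follow_streams(packets):
    """Group by direction (4-tuple) and reassemble each side.

    The lowest seen seq is taken as the start; a lost first segment would
    therefore go unnoticed, which is one reason to capture the handshake.
    """
    by_flow = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        by_flow[(src, sport, dst, dport)].append((seq, payload))
    return {flow: reassemble(segs, min(s for s, _ in segs))
            for flow, segs in by_flow.items()}


def packets_containing(packets, needle: bytes):
    """Indexes of packets whose own payload holds the needle (per-frame view)."""
    return [i for i, p in enumerate(packets) if needle in p[5]]


def stream_contains(packets, needle: bytes) -> bool:
    """Whether the needle appears once the stream is reassembled."""
    return any(needle in data for data, _ in follow_streams(packets).values())


if __name__ == "__main__":
    pk = sample_capture()
    phrase = b"naming scheme specifier followed by a string"
    print("per packet:", packets_containing(pk, phrase))
    print("in stream :", stream_contains(pk, phrase))
    for flow, (data, gaps) in follow_streams(pk).items():
        print(flow, len(data), "bytes, gaps:", gaps)
```

The per-packet search is what a display filter such as a frame-content match sees, and it misses a phrase split across a segment boundary; the reassembled stream is what the Follow TCP Stream window shows. The same ordering logic is what lets an attacker replay a session, which is why the lab pairs this step with the privacy and authorization questions in the report.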