Part A: NetFlow traffic
Import the Caine VM into your VirtualBox environment and read sections 2.4 and 2.7 of the file
ENISA_Network_Incident_Response.pdf to understand how to analyze NetFlow traffic. The
dumped network traffic is in the folder nfdump in your home directory.
1. Name 4 fields that can be found in a NetFlow packet.
2. The system ws1.example.com XXXXXXXXXX was compromised on August 16th, 2016.
Move to your home directory and execute the command below to get an overview aggregated by
protocol. Capture a screenshot.
nfdump -o long -R nfdump -A proto 'ip XXXXXXXXXX'
3. What would the command above look like to sort by number of packets in reverse order?
4. Capture a screenshot of the communication (not aggregated) from/to ws1.example.com
with the highest number of packets.
5. Capture a screenshot of the TCP communications from the compromised system to the
local network as destination, aggregated by source/destination IP.
6. Similarly, obtain the 5 TCP communications with external IPs that consume the most bytes.
7. The top IP address from the previous question is very suspicious, because it ranks highest by
amount of data transferred (1.5 Gb in 1.1M packets) and it is located in a foreign country. What
country? Prove it.
8. Dump all communications from the compromised endpoint to this suspicious IP, filtering
by the date of the compromise. When did this endpoint start communicating on this day?
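The nfdump commands behind questions 2 to 8 aggregate, sort and filter flow records. The script below is an added example, not part of the assignment and not nfdump itself: it re-implements that aggregation in plain Python on a handful of constructed flow records (addresses, packet counts, byte counts and timestamps are invented; 10.0.0.5 stands in for ws1.example.com and 10.0.0.x for the local network) so that the effect of aggregating by protocol, ordering by packets or bytes, restricting to external peers and finding the first contact on a given date can be checked without the VM. The aggregation keys mirror the ones the questions ask for, not every option nfdump offers.

```python
"""Aggregating NetFlow records the way the Part A questions ask (added example).

FLOWS is constructed data; the field set follows nfdump's 'long' output
(first seen, protocol, source, destination, packets, bytes) but nothing
here is read from the lab's nfdump directory.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (first_seen, proto, src, dst, packets, bytes)
FLOWS = [
    ("2016-08-16 09:01:12", "TCP",  "10.0.0.5",  "10.0.0.20",     120,   96000),
    ("2016-08-16 09:03:40", "TCP",  "10.0.0.5",  "203.0.113.9",  1800, 2400000),
    ("2016-08-16 09:05:01", "UDP",  "10.0.0.5",  "10.0.0.1",       30,    4500),
    ("2016-08-15 22:10:00", "TCP",  "10.0.0.5",  "203.0.113.9",    40,    9000),
    ("2016-08-16 11:20:33", "TCP",  "10.0.0.5",  "198.51.100.7",  900, 1200000),
    ("2016-08-16 11:25:00", "ICMP", "10.0.0.20", "10.0.0.5",       10,     800),
]
HOST = "10.0.0.5"       # constructed stand-in for ws1.example.com
LOCAL_NET = "10.0.0."   # constructed local prefix; "external" = outside it


def parse(records):
    """Turn the tuples above into dicts with a real timestamp."""
    return [dict(first=datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S"),
                 proto=r[1], src=r[2], dst=r[3], packets=r[4], bytes=r[5])
            for r in records]


def host_filter(flows, host):
    """Equivalent of the filter 'ip <host>': flows from or to the host."""
    return [f for f in flows if host in (f["src"], f["dst"])]


def aggregate(flows, keys):
    """Sum flows, packets and bytes over records sharing the same `keys`
    (what -A proto or -A srcip,dstip does)."""
    acc = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in flows:
        k = tuple(f[key] for key in keys)
        acc[k]["flows"] += 1
        acc[k]["packets"] += f["packets"]
        acc[k]["bytes"] += f["bytes"]
    return dict(acc)


def top_n(agg, field, n):
    """Order aggregated rows by `field`, largest first, and keep n of them."""
    return sorted(agg.items(), key=lambda kv: kv[1][field], reverse=True)[:n]


def is_external(ip):
    return not ip.startswith(LOCAL_NET)


def first_contact(flows, host, peer, day):
    """Earliest flow between host and peer on the given date (YYYY-MM-DD)."""
    hits = [f for f in flows
            if {f["src"], f["dst"]} == {host, peer}
            and f["first"].strftime("%Y-%m-%d") == day]
    return min((f["first"] for f in hits), default=None)


if __name__ == "__main__":
    flows = host_filter(parse(FLOWS), HOST)
    for k, v in top_n(aggregate(flows, ["proto"]), "packets", 10):
        print("proto", k[0], v)
    ext = [f for f in flows if f["proto"] == "TCP" and is_external(f["dst"])]
    for k, v in top_n(aggregate(ext, ["src", "dst"]), "bytes", 5):
        print("external TCP", k, v)
    print("first contact:", first_contact(flows, HOST, "203.0.113.9", "2016-08-16"))
```

Running it prints the per-protocol totals ordered by packets, the external TCP peers ordered by bytes (203.0.113.9 comes first, as the "top IP" of question 7 would), and the first timestamp on the day of compromise at which the host talked to that peer, which is the shape of answer question 8 expects.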
Part B: Traffic analysis with Wireshark
Open Wireshark in the Caine VM and import the file angrypoutine.pcap found in your home directory. It
contains network traffic related to malware in the network XXXXXXXXXX/24, in which the domain
controller ANGRYPOUTINE-DC XXXXXXXXXX is found.
Answer all questions below and provide a screenshot of your findings to prove your answer.
Tutorials: https://www.malware-traffic-analysis.net/tutorials/index.html
9. What is the IP address leased to the DHCP client?
10. What is its hostname?
11. Which filter would you use to visualize only the packets originating from this endpoint?
12. Now focus on the first communication with an external IP. What are the destination IP and port?
13. Filter all traffic from/to this external IP and capture the first packet after the 3-way
handshake. The packet’s payload will contain a domain belonging to Microsoft Azure.
Make sure it is shown in your screenshot.
14. The domain above does not seem suspicious. Clear the filter and visualize only HTTP packets.
Then, move to the next external IP (after the one you already analyzed). This traffic is
indeed suspicious. Why?
15. The response from the external server (HTTP code 200) contains the resource downloaded
by the endpoint. It can be found in the center panel by clicking on “Media Type”. What
kind of file seems to have been downloaded? Is this suspicious? Why or why not?
16. All other communications in this filter seem legitimate. Write down the packet number (first
column), then clear the filter and start over with another filter to see all outbound
communications by HTTPS from the endpoint. What would the filter be?
17. Scroll down to the first packet after the one you wrote down. Make sure your screenshot
includes the packet number and source/destination IP/port.
18. Why can you not analyze beyond the TCP header?
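Questions 9 and 10 are answered by the DHCP exchange at the start of the capture: the client names itself with option 12 (host name) in its request, and the server returns the leased address in the yiaddr field of its ACK. The script below is an added example, not part of the lab and not a replacement for Wireshark: it builds two constructed packets (the MAC address, transaction id and 192.0.2.x addresses are invented) and decodes exactly the bytes Wireshark shows in its DHCP dissector, pairing request and acknowledgement by transaction id the way one does when reading a capture.

```python
"""Decoding the DHCP fields behind 'leased address' and 'hostname' (added example).

Packet layout follows RFC 2131 (BOOTP fixed fields, magic cookie, TLV
options). REQUEST and ACK below are constructed samples, not packets from
angrypoutine.pcap.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """Assemble a BOOTP/DHCP payload; used only to construct the samples."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op..flags
    fixed += socket.inet_aton("0.0.0.0")                      # ciaddr
    fixed += socket.inet_aton(yiaddr)                         # yiaddr
    fixed += socket.inet_aton("0.0.0.0") * 2                  # siaddr, giaddr
    fixed += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(payload):
    """Return the fields an analyst reads off Wireshark's DHCP view."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = socket.inet_ntoa(payload[16:20])
    chaddr = payload[28:28 + hlen]
    out = {"op": op, "xid": xid, "yiaddr": yiaddr,
           "client_mac": ":".join(f"{b:02x}" for b in chaddr), "options": {}}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        out["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    opts = out["options"]
    out["msg_type"] = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    out["hostname"] = opts[12].decode("ascii", "replace") if 12 in opts else None
    out["server_id"] = socket.inet_ntoa(opts[54]) if 54 in opts else None
    return out


def lease_summary(packets):
    """Pair each client REQUEST (hostname) with the server ACK (yiaddr)
    that shares its transaction id."""
    leases = {}
    for p in map(parse_dhcp, packets):
        entry = leases.setdefault(p["xid"], {})
        if p["msg_type"] == "REQUEST":
            entry["hostname"] = p["hostname"]
            entry["client_mac"] = p["client_mac"]
        elif p["msg_type"] == "ACK":
            entry["ip"] = p["yiaddr"]
            entry["server"] = p["server_id"]
    return leases


# Constructed sample exchange (RFC 5737 documentation addresses).
MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
REQUEST = build_dhcp(1, XID, "0.0.0.0", MAC, [
    (53, b"\x03"),                          # DHCP message type: REQUEST
    (50, socket.inet_aton("192.0.2.51")),   # requested IP address
    (12, b"LAB-WORKSTATION"),               # client host name
])
ACK = build_dhcp(2, XID, "192.0.2.51", MAC, [
    (53, b"\x05"),                          # DHCP message type: ACK
    (54, socket.inet_aton("192.0.2.1")),    # server identifier
    (51, struct.pack("!I", 86400)),         # lease time (seconds)
])

if __name__ == "__main__":
    for xid, lease in lease_summary([REQUEST, ACK]).items():
        print(f"xid=0x{xid:08x}", lease)
```

In Wireshark the same bytes are decoded under the dhcp display filter (bootp in older releases); the hostname sits in the client's request, the leased address in the server's ACK, so both packets are needed for a complete answer.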
Part C: Analyzing a suspicious message
Consider the message and its header below:
Return-Path: < XXXXXXXXXX>
Delivered-To: XXXXXXXXXX
Received: from dovdir4-asa-02o.email.Kiddikatz ([ XXXXXXXXXX])
    by dovback4-asa-02o.email.Kiddikatz with LMTP
    id iI0bBuH+k1/kcgAA1Vbeiw
    (envelope-from < XXXXXXXXXX>)
    for ; Sat, 24 Oct XXXXXXXXXX:16: XXXXXXXXXX
Received: from dovpxy-asc-13o.email.Kiddikatz ([ XXXXXXXXXX])
    by dovdir4-asa-02o.email.Kiddikatz with LMTP
    id uKDkA+H+k1/wLgAApBwMGg
    (envelope-from < XXXXXXXXXX>)
    for ; Sat, 24 Oct XXXXXXXXXX:16: XXXXXXXXXX
Received: from reszmta-po-01v.sys.Kiddikatz ([ XXXXXXXXXX])
    by dovpxy-asc-13o.email.Kiddikatz with LMTP
    id 8EcmAeH+k1/DXgAAKsibjw
    (envelope-from < XXXXXXXXXX>)
    for ; Sat, 24 Oct XXXXXXXXXX:16: XXXXXXXXXX
Received: from resimta-po-21v.sys.Kiddikatz ([ XXXXXXXXXX])
    by reszmta-po-03v.sys.Kiddikatz with ESMTP
    id WGadkLSgbxSFOWGaekA6i1; Sat, 24 Oct XXXXXXXXXX:16: XXXXXXXXXX
Received: from yogarafi.de ([ XXXXXXXXXX])
    by resimta-po-21v.sys.Kiddikatz with ESMTP
    id WGabkOpIji6AfWGadk3Lzc; Sat, 24 Oct XXXXXXXXXX:16: XXXXXXXXXX
X-CAA-SPAM: F00001
X-Meowkatz-VAAS: NOTE: Verification and Authentication Agents ( VAAs).
    ggruggvucftvghtrhhoucdtuddrgedujedrkedvgddvjecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucevohhmtggrshhtqdftvghsihenuceurghilhhouhhtmecufedtudenucgoufhushhpvggtthffohhmrghinhculdegledmnegorfhhihhshhhinhhgqdetgeduhedqtdelucdlfedttddmnecujfgurhephffvufffkfggtgfgsehhqheftddttddtnecuhfhrohhmpedftghomhgtrghsthdrnhgvthcuuffgtfgggfftucetfffokffpfdeotghprghnvghlshgvrhhvvghrsegtphgrnhgvlhdrnhgvtheqnecuggftrfgrthhtvghrnhepjeeijefgjeekgffhudejiefffeettdehhedtkefhudefudfhhfefjeelfeejteejnecuffhomhgrihhnpehgohgurgguugihrdgtohhmpdhgohhoghhlvggrphhishdtghomhenucfkphepudeggedrjeeirdejvddrudeliedpudektddrvddugedrvdefledrudegnecuvehluhhsthgvrhfuihiivgeptdenucfghghmpehhvghlohephihoghghgrfhhirdguvgdpihhnvghtpedugeegrdejiedrjedvrdduleeipdhmrghilhhfrhhomheptghprghnvghlshgvrhhv
X-Meowkatz-VMeta: sc=349.00;st=phishing
X-Meowkatz-Message-Heuristics: IPv6:N;TLS=1;SPF=2;DMARC=F
Received: by yogarafi.de (Postfix, from userid 1001)
    id 3A3D514C1A97; Sat, 24 Oct XXXXXXXXXX:26: XXXXXXXXXXCEST)
Received: from cpanel.net (unknown [ XXXXXXXXXX])
    by yogarafi.de (Postfix) with ESMTPA id 2E88C14C1A7E
    for ; Sat, 24 Oct XXXXXXXXXX:26: XXXXXXXXXXCEST)
From: “Kiddikatz SERVER ADMIN” < XXXXXXXXXX>
To: Roxy@Kiddikatz
Subject: Email service expiration and deactivation Notification worning Roxy@Kiddikatz
Date: 24 Oct XXXXXXXXXX:26: XXXXXXXXXX
Message-ID: < XXXXXXXXXX>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
You will need the following tools:
• Email header analyzer: https://mxtoolbox.com/EmailHeaders.aspx
• Blocklist check: https://mxtoolbox.com/blacklists.aspx
• IP geolocation: https://www.iplocation.net/ip-lookup
1. List two ways to identify this email as legitimate.
2. List two ways to identify this email as suspicious.
3. Copy the header and paste it in the provided link for further analysis. Capture a screenshot.
   https://mxtoolbox.com/EmailHeaders.aspx
   https://mxtoolbox.com/blacklists.aspx
4. What suspicious thing would you observe once you see the details?
5. Are you able to retrieve any blocklisted IP address? Check whether the sending server is blocklisted.
Capture the screenshots.
6. What is the country of the IP address that you found blocklisted?
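The questions in Part C come down to reading the Received: chain bottom-up (each relay prepends its own line, so the lowest one is the first hop), comparing the sender's display name with the domain the message actually came from, and reading the receiving provider's heuristics header. The script below is an added example, not part of the assignment: RAW is a constructed stand-in for the header shown above in which the hostnames are kept but the redacted IPs are replaced by RFC 5737 documentation addresses and the ids, dates and sender address are invented. It extracts the origin hop, the SPF/DMARC tokens (returned verbatim, since their meaning is specific to the provider that wrote them) and the display-name/domain mismatch that a header analyzer would also surface.

```python
"""Walking a Received: chain and checking the sender of a suspicious message
(added example for Part C). RAW is constructed: hostnames as on the page,
IPs from RFC 5737, everything else invented.
"""
import email
import re
from email.utils import parseaddr

RAW = """\
Return-Path: <admin@yogarafi.de>
Received: from dovdir4-asa-02o.email.Kiddikatz ([192.0.2.10])
    by dovback4-asa-02o.email.Kiddikatz with LMTP id hop4
    (envelope-from <admin@yogarafi.de>)
    for <roxy@kiddikatz>; Sat, 24 Oct 2020 10:16:02 +0000
Received: from resimta-po-21v.sys.Kiddikatz ([192.0.2.21])
    by reszmta-po-03v.sys.Kiddikatz with ESMTP id hop3; Sat, 24 Oct 2020 10:16:01 +0000
Received: from yogarafi.de ([198.51.100.77])
    by resimta-po-21v.sys.Kiddikatz with ESMTP id hop2; Sat, 24 Oct 2020 10:16:00 +0000
X-Meowkatz-VMeta: sc=349.00;st=phishing
X-Meowkatz-Message-Heuristics: IPv6:N;TLS=1;SPF=2;DMARC=F
Received: from cpanel.net (unknown [203.0.113.5])
    by yogarafi.de (Postfix) with ESMTPA id hop1; Sat, 24 Oct 2020 12:15:58 +0200 (CEST)
From: "Kiddikatz SERVER ADMIN" <admin@yogarafi.de>
To: Roxy@Kiddikatz
Subject: Email service expiration and deactivation Notification

(body omitted)
"""


def load(raw):
    return email.message_from_string(raw)


def parse_hop(value):
    """Pull sending host, its IP, receiving host and protocol from one
    Received: header value."""
    v = " ".join(value.split())            # unfold continuation lines

    def grab(pattern):
        m = re.search(pattern, v)
        return m.group(1) if m else None

    return {"from": grab(r"\bfrom\s+(\S+)"),
            "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
            "by": grab(r"\bby\s+(\S+)"),
            "with": grab(r"\bwith\s+(\S+)")}


def received_chain(msg):
    """Relays prepend their Received: line, so the last header is the first
    hop; return the hops in chronological order."""
    return [parse_hop(v) for v in reversed(msg.get_all("Received", []))]


def heuristics(msg):
    """Split 'IPv6:N;TLS=1;SPF=2;DMARC=F' into a dict; values stay verbatim."""
    out = {}
    for item in filter(None, msg.get("X-Meowkatz-Message-Heuristics", "").split(";")):
        key, _sep, val = re.split(r"([=:])", item, maxsplit=1)
        out[key] = val
    return out


def sender_check(msg, org):
    """Flag a display name that claims the organisation while the address
    lives in an unrelated domain."""
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    claims_org = org.lower() in name.lower()
    return {"display_name": name, "address_domain": addr_domain,
            "name_claims_org": claims_org,
            "mismatch": claims_org and org.lower() not in addr_domain}


def report(raw, org):
    msg = load(raw)
    chain = received_chain(msg)
    return {"origin": chain[0], "hops": len(chain),
            "heuristics": heuristics(msg), "sender": sender_check(msg, org)}


if __name__ == "__main__":
    r = report(RAW, "Kiddikatz")
    print("first hop  :", r["origin"])
    print("heuristics :", r["heuristics"])
    print("sender     :", r["sender"])
```

The origin hop's IP is the one to put through the blocklist and geolocation lookups in questions 5 and 6; the same bottom-up walk is what the header analyzer performs when it lists the hops.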
Forensic analysis
www.enisa.europa.eu XXXXXXXXXX European Union Agency For Network And Information Security
Forensic analysis
Local Incident Response
Toolset, Document for students
1.0
DECEMBER 2016
http://www.enisa.europa.eu
About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in information
security. It assists EU member states in implementing relevant EU legislation and works to improve the
resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing
expertise in EU member states by supporting the development of cross-border communities committed to
improving network and information security throughout the EU. More information about ENISA and its
work can be found at www.enisa.europa.eu.
Contact
For contacting the authors please use XXXXXXXXXX.
For media enquiries about this paper, please use XXXXXXXXXX.
Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless
stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA
bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent state-of-the-art and ENISA may update it from time to time.
Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge. Neither
ENISA nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.
Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2016
Reproduction is authorised provided the source is acknowledged.
Table of Contents
1. Foreword 4
2. Story that triggers incident handling and investigation processes. 5
3. Environment preparation 6
4. Memory analysis 9
Checking memory dump file 9
Scanning memory with Yara rules 10
Analysis of the process list 13
Network artefacts analysis 14
5. Disk analysis 16
Mounting Windows partition and creating timeline 16
Antivirus scan 25
Filesystem analysis 26
Application logs analysis 30
Decompiling Python executable 38
Prefetch analysis 41
System logs analysis 44
6. Registry analysis 48
Copying and viewing registry 48
Inspecting registry timeline 50
UserAssist 51
List of installed applications 52
7. Building the timeline 55
1. Foreword
This three-day training module follows the tracks of an incident handler and investigator, teaching best
practices and covering both sides of the breach. It is technical in nature and aims to provide
guided training for both incident handlers and investigators under lifelike conditions. The training
material mainly uses open source and free tools.
2. Story that triggers incident handling and investigation processes.
The customer’s organization has found out that some of its sensitive data has been detected in an online text
sharing application. Due to legal obligations and for business continuity purposes, the CSIRT team has been
tasked to conduct an incident response and incident investigation to mitigate the threats.
The breach contains sensitive data and includes a threat notice that in a short while more data will follow. As
the breach leads to a specific employee’s computer, the CSIRT team, tasked to investigate the incident,
follows the leads.
Below is presented a simplified overview of the training technical setup.
[Diagram: Workstation 1; Workstation/Phone 2; Compromised web-server (command and control server function); Compromised web-server (payload)]