DFIR Monterey 2015 Survey

I completed most of the DFIR Monterey Challenge.  The only one that I didn't complete was the last question.  I've picked up a couple of books about Wireshark and Network Forensics for study.  I'm not well versed in any kind of digital forensics.  The only training that I've had in computer security is what I've learned via Google, pen testing/forensics challenges, reading, and Cyber Aces.  I have not taken any courses in digital forensics.  So, these answers could be wrong.

1. Difficulty: Easy
Evidence: SWT-syslog_messages
Question: At what time (UTC, including year) did the portscanning activity from IP address 123.150.207.231 start?

This was easy.  I opened the file using a text editor and used the Find function(CTRL-F on a windows machine). Then I just listed the first instance that was found.  I guessed that the year was 2013 because that is when the file was created.

Aug 29, 2013 09:58:55 gw

*

2. Difficulty: Easy
Evidence: nitroba.pcap
Question: What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?

I used Wireshark's Display Filter to search for the MAC Address 00:1f:f3:5a:77:9b, and all the IP's that it used were listed.

0.0.0.0

169.254.90.183

192.168.1.64

169.254.20.167

 

*

3. Difficulty: Medium
Evidence: ftp-example.pcap
Question: What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?

-rw-rw-r--    2 ftp      ftp      27888036 Jul 03  2011 scenery-backgrounds-6.0.0-1.el6.noarch.rpm

This one was about luck mostly.  I know that File Transfer Protocol(FTP) is used to transfer files.  So, I sorted the protocols so that FTP showed up at the top.  I noticed some behavior that seemed odd to me, notably that the Directory was changed a few times.  So, I right clicked on one of those lines, in Wireshark, and chose the "Follow TCP" selection in the window.  The TCP showed that the file that I was looking for was transferred.  So, I noted the Source IP, Destination IP, Source Port, and Destination Port of the machines doing that interaction.

Source IP Address: 149.20.20.135

Destination IP Address: 192.168.75.29

Source Port: 30472

Destination Port: 51851

*

4. Difficult: Medium
Evidence: nfcapd.201405230000 (requires nfdump v1.6.12. Note that nfcapd.201405230000.txt is the same data in nfdump’s “long” output format.)
Question: How many IP addresses attempted to connect to destination IP address 63.141.241.10 on the default SSH port?

First of all, I made a file that only contained the connections to the destination IP Address 63.141.241.10, then I weeded out the connections until I had the connections only on port 22, which is the default SSH port.  I took out the excess information, leaving only the IP Addresses.  Then I used the uniq command in Linux along with the -d switch for the repeated lines, and the -u switch for the unique lines.  I added the repeated connections and the unique connections to get my answer.  (The repeated switch only prints out each repeated connection example once.  So, if 169.72.0.0 connected more than once, it would only list that IP once.)

49 unique IP Addresses

*

5. Difficulty: Hard
Evidence: stark-20120403-full-smb_smb2.pcap
Question: What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”

I found this answer by using the File>Export Object>SMB Objects menu in Wireshark.  It showed a listing of files, and their sizes.

13,625 bytes

*

6. Difficulty: Very Hard
Evidence: snort.log.1340504390.pcap
Question: The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.
Bonus Question: Identify the meaning of the bytes that precede the substring above.

Even though I didn't find the substring or offset, the use of ports 33333 and 44444 make me suspect that the malware could possibly be Prosiak.  That is the spelling that I had found when looking up the port numbers.  I'm not certain if it is correct.