
Is there a way the person who did order #105535, can do this one as well?





Project 2: Nations Behaving Badly
Step 15: Develop Final Forensic Report

There are many digital forensic tools and techniques available to conduct an end-to-end forensic investigation. An end-to-end investigation tracks all elements of an attack, including how the attack began, what intermediate devices were used during the attack, and who was attacked. A typical investigation will involve visual analysis to statically review the contents of any drives, as well as dynamically review logs, artifacts (strategies for handling digital artifacts), and internet activity from the web history associated with the breached network (web browser forensics). The investigation concludes when the investigator has examined all of the information, correlated all of the events and all of the data from the various sources to get the whole picture, and prepared reports and evidence in a forensically sound manner.

In this scenario, you know that there has been an attempted/successful intrusion on the network, and you have completed the packet capture analysis using Wireshark. Your task is to write a Final Forensic Report that summarizes network forensics and the digital forensic tools and techniques for analyzing network incidents. This report will include your lab report from the previous step and should also be composed of network attack techniques, network attack vectors, and a comprehensive comparison of at least five tools used for analyzing network intrusions. This report will conclude with a recommendation for network administrators to meet the goals of hardening the infrastructure and protecting private data on the network.
Group 1 – Team United States/Federal Government
University of Maryland Global Campus
CMP 670 9042 Capstone in Cybersecurity
Professor Glebocki
May 13, 2022

Introduction

Cyberattacks are nothing but compromising the sensitive data of individuals or groups of organizations, searching for a weak network spot, and creating the entry to deploy malicious or curved packets in a network. Every organization's network and communication will play the primary role in its business. It connects all kinds of users, allowing employees and guest users to work more efficiently across the organization and get more productivity.

Objective

Equipment used: Wireshark
Raw TCP traffic:
Checksum verification:
Checksum valid traffic:
Checksum unverified traffic:

1. Was the webserver under an attack, and if so, what type(s)?

Answer: No.

Host discovery attack: identifying adversaries trying to find alive systems on our network. Useful for detecting various network discovery scans and ping sweeps.

ARP scanning
Command: arp.dst.hw_mac==00:00:00:00:00:00
Total ARP packets: 28, and requests have been generated from multiple internal and external sources. No unique (attacker) IP is trying to find the IP details with the help of the ARP sweep command.
Result: Negative

IP protocol scan
Command: icmp.type==3 and icmp.code==2
IP protocol scanning is a technique allowing an attacker to discover which network protocols are supported by the target operating system.
Result: Negative

ICMP ping sweeps
Command: icmp.type==8 or icmp.type==0
This valuable filter is for filtering ICMP echo requests (8) or ICMP echo replies (0). If multiple requests or packets in a short period target multiple IP addresses and different subnets, we are probably witnessing an ICMP ping sweep attack. The attacker was trying to identify all live IP addresses on our network.
Result: Negative

TCP ping sweeps
Command: tcp.dstport==7
TCP ping sweeps use port 7 (echo). A higher traffic volume pointed to many different IP addresses means somebody is running TCP ping sweeping to find alive hosts on the network.
Result: Negative

UDP ping sweeps
Command: udp.dstport==7
UDP ping sweeps utilize port 7. A high traffic volume destined to many different IP addresses means the attacker is probably performing a UDP ping sweeping attack to find alive hosts on the network.
Result: Negative

Final result: No attack happened.

2. Was the attack(s) successful in any way (if any)?

Answer: No attack was performed as per the Wireshark capture analysis (please refer to Q1).

3. What next steps can be recommended for further investigation?

Answer: There are multiple investigation methods to determine if an attack is happening or has happened. Here I am using the TCP SYN/stealth scan filter.

Network port scanning: identifying various network-based port scans.

TCP SYN scan
Command: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024
SYN flag set, ACK flag not set, window size <= 1024 bytes. This is the first step in the TCP 3-way handshake with a minimal TCP window size; in particular, the small window size is the characteristic parameter used by tools such as Nmap during SYN scans. In case of more traffic of this kind in a short time, the attacker is trying to perform a scanning method:
· SYN scans inside the network
· SYN port sweeps across the network
· SYN floods (denial of service technique)
Final result: Negative; no port scanning is happening.

4. What is the name of the resource requested in the GET request?

Answer: The user is trying to access http://127.0.0.1:35/wordpress/wp-content/upload/ and furthermore tries to access favicon.ico, but the web page is not available on the server as per the response code.

5. What is the server's HTTP response code, and what is the IP of the requesting computer?

Answer:
Response version: HTTP/1.1 ==> Here the server is also on HTTP version 1.1
Status code: 200 ==> Status code sent by server.
Response phrase: OK ==> Response phrase sent by server.
Server: Apache/2.4.18 (Ubuntu)
200 OK means the request [HTTP GET] has succeeded.

6. What is the user-agent string for this request?

Answer:

7. What HTTP response code is returned for each abnormal request, and what URL is attempted to be used as part of one of the web attacks?

Answer: URL is favicon.ico (http://192.168.10.111/favicon.ico).
POST: Source 192.168.10.111 to 192.168.10.112, data is successfully uploaded (GIF files).
GET: requested details about favicon.ico, but not found.

8. What did you find particularly useful about this lab (be specific)? What value does this bring to your professional career?

Answer: In this lab, we performed a deep analysis of captured traffic, ran the diagnosis, and found out whether the below-mentioned few among many attacks happened or not: ARP, TCP, UDP, ICMP, and TCP packet flow scanning and sweeping. The final result was that except for HTTP, all scan results were negative, and no attack happened. In HTTP, with the help of available resources, it is not considered an attack. It might be because the web page is not available on the Apache webserver.

9. If malicious actors got into your network with read/write access to your network security logs, how could they use that information?

Answer: In case the attacker got the network log file with full access, with the help of the log file the attacker is able to extract multiple pieces of network information like network protocol version, active and open ports, source and destination IP addresses, network subnet details, and what kind of platforms and devices are running in the network. In advanced mode, the attacker can extract HTTP web information like client and server versions (PUSH, GET), and with the help of the log file he can rebuild the webpage again.

10. An intrusion prevention system can either wait until it has all the information it needs or can allow packets through based on statistics (guessed or previously known facts). What are the advantages and disadvantages of each approach?

Answer: IPS will act based on the signatures and policies implemented by the security person. As per the captured packet analysis, IPS will detect if any port scanning and sweeping attacks happen as well as any abnormalities in HTTP traffic flow. The traffic will be quarantined in a sandbox or denied.
Advantages: Malicious traffic will be blocked at the initial stage; next-generation firewalls will perform analysis based on the history or behavior pattern of the traffic. If traffic falls under the malicious category, then the packets will go through strict intrusion rules. If a packet passes or is allowed, traffic will reach the destination or server; otherwise it is discarded at the same time or sent to the sandbox for quarantine.

11. Provide examples of IP addresses, hostnames, and MAC addresses based on your analysis of the pcap files in Wireshark.

Answer:
IP address: Source: 192.168.10.101, Destination: 192.168.10.111; Source: 192.168.10.111, Destination: 192.168.10.101 and 192.168.10.112
Hostname: We are not using any domain services here, so NetBIOS services are not running. Due to that, the hostname is not present in the Wireshark packets.
VMware MAC: Source: 00:0c:29:a6:eb:16, Destination: 00:0c:29:9a:be:c1
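The host discovery and SYN scan checks in the lab report above are Wireshark display filters applied by eye. The following Python script, added here as an illustration and not part of the original post or the course material, applies the same five heuristics to a list of packet summaries and reports which source addresses hit many distinct targets inside a short time window, which is the "many targets in a short period" reasoning the report uses for each filter. The Pkt class, the threshold (five targets within two seconds), the constructed sample traffic and the scanner address 192.168.10.200 are assumptions of the example; the ICMP check uses only the echo-request side (type 8) of the report's echo filter, since the request is what identifies the sweeping host.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    """One packet summary (a constructed record; field names mirror the
    Wireshark filter fields used in the lab report)."""
    ts: float                        # seconds since capture start
    proto: str                       # "arp", "icmp", "tcp" or "udp"
    src: str                         # source IP (or MAC for ARP)
    dst: str                         # destination IP (arp.dst.proto_ipv4 for ARP)
    dport: int = 0                   # tcp.dstport / udp.dstport
    icmp_type: int = -1              # icmp.type
    flags: frozenset = frozenset()   # TCP flags set, e.g. {"SYN"}
    window: int = 0                  # tcp.window_size
    arp_dst_hw: str = ""             # arp.dst.hw_mac


# Each predicate is one display filter from the report, expressed on a Pkt.
def is_arp_request(p):    # arp.dst.hw_mac==00:00:00:00:00:00
    return p.proto == "arp" and p.arp_dst_hw == "00:00:00:00:00:00"


def is_icmp_echo_req(p):  # request side of: icmp.type==8 or icmp.type==0
    return p.proto == "icmp" and p.icmp_type == 8


def is_tcp_echo(p):       # tcp.dstport==7
    return p.proto == "tcp" and p.dport == 7


def is_udp_echo(p):       # udp.dstport==7
    return p.proto == "udp" and p.dport == 7


def is_syn_probe(p):      # tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024
    return (p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags
            and p.window <= 1024)


def target_of(p):
    """A 'target' is host+port for TCP/UDP, host only for ARP/ICMP."""
    return (p.dst, p.dport) if p.proto in ("tcp", "udp") else (p.dst, 0)


def sweeps(pkts, match, min_targets=5, window_s=2.0):
    """Return sorted [(src, n_targets)] for every source whose matching packets
    reach at least min_targets distinct targets inside some window_s-second span.
    Thresholds are assumptions; tune them to the network's normal background."""
    by_src = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        if match(p):
            by_src[p.src].append((p.ts, target_of(p)))
    hits = []
    for src, events in by_src.items():
        best = 0
        for i, (t0, _) in enumerate(events):          # slide a window from each event
            seen = {tgt for ts, tgt in events[i:] if ts - t0 <= window_s}
            best = max(best, len(seen))
        if best >= min_targets:
            hits.append((src, best))
    return sorted(hits)


def analyze(pkts):
    """Run all five heuristics; empty lists correspond to 'Result: Negative'."""
    return {
        "arp_scan": sweeps(pkts, is_arp_request),
        "icmp_ping_sweep": sweeps(pkts, is_icmp_echo_req),
        "tcp_ping_sweep": sweeps(pkts, is_tcp_echo),
        "udp_ping_sweep": sweeps(pkts, is_udp_echo),
        "syn_scan": sweeps(pkts, is_syn_probe),
    }


# Constructed sample capture: benign background plus one noisy host.
SAMPLE = [
    # a normal web connection: full-size window, then the SYN/ACK back
    Pkt(0.10, "tcp", "192.168.10.101", "192.168.10.111", dport=80,
        flags=frozenset({"SYN"}), window=64240),
    Pkt(0.12, "tcp", "192.168.10.111", "192.168.10.101", dport=51000,
        flags=frozenset({"SYN", "ACK"}), window=65160),
    # two ordinary ARP requests from different hosts, one target each
    Pkt(0.20, "arp", "00:0c:29:a6:eb:16", "192.168.10.1", arp_dst_hw="00:00:00:00:00:00"),
    Pkt(0.25, "arp", "00:0c:29:9a:be:c1", "192.168.10.1", arp_dst_hw="00:00:00:00:00:00"),
]
# constructed scanner: ten SYN probes with a 1024-byte window to ports 21-30 in 0.1 s
for i, port in enumerate(range(21, 31)):
    SAMPLE.append(Pkt(1.0 + i * 0.01, "tcp", "192.168.10.200", "192.168.10.111",
                      dport=port, flags=frozenset({"SYN"}), window=1024))
# the same host echo-requesting eight addresses within half a second
for i in range(1, 9):
    SAMPLE.append(Pkt(2.0 + i * 0.05, "icmp", "192.168.10.200", f"192.168.10.{i}", icmp_type=8))

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE).items():
        print(f"{name:16s} {'Negative' if not hits else hits}")
```

Against a real capture the same fields can be exported with `tshark -T fields` and loaded into Pkt records; the benign web handshake and the two single-target ARP requests in the sample stay below the threshold, while the one host probing ten ports and pinging eight addresses is reported under syn_scan and icmp_ping_sweep.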

Amit answered on May 16 2022
Title of the assignment:
Student’s name:
Student ID:
Professor’s name:
Course title:
Date: 5/16/2022
Table of Contents
1. Summary of forensic analysis
2. Network attack techniques and attack vectors
3. Tools for network analysis
4. Recommendations to network administrator
5. References
1. Summary of forensic analysis
The analysis report of the previous step was developed with the Wireshark tool. The complete raw network traffic is analyzed for verification of checksums. The checksum is verified for valid traffic and its status is measured. The checksum is also verified for invalid network traffic and its status is measured, and it shows an overload of TCP checksum. After verification of checksums, the host discovery attack is verified for the web server and it is observed that no such attack was conducted on the web server. This analysis is done with ping sweeps and scanning of the complete network. The scanning of IP is also done for detection of any possible attack. The ICMP, TCP and UDP ping sweeps are also analyzed for finding possible network attacks. No successful attack on the web server is detected with the conducted analysis. The recommendations for a TCP SYN scan are also made in the report. The response code of HTTP and the requesting computer are also analyzed. This complete report is based on the analysis of possible attacks on the web server, conducting the analysis with the help of the Wireshark tool.
2. Network attack techniques and attack vectors
For conducting network attacks, network attackers make use of different techniques. Some attackers follow active and some follow passive techniques for attacking the network. When attackers have authorized access to...