Case Study 11.5: Ann Tunnels Underground
Feb 22, 2016
The goal of this case study is to follow a packet capture file to investigate the fictitious character Ann Dercover. Examining the file will show how she uses network tunneling to cover her tracks, but more importantly, it will help develop skills that can be applied to network forensics. The challenge is to determine whether the DNS traffic is truly suspicious, determine the purpose of the DNS traffic, recover all possible information on the local and remote systems involved, and assess the risk associated with the data leaking from the organization.

A good place to begin any examination is with the statistical and metadata information that can be uncovered within the packet capture. Using Wireshark's Protocol Hierarchy Statistics, we can see that the traffic consists mainly of DNS datagrams (figure 1).

Figure 1: Wireshark Protocol Hierarchy Statistics of the evidence file

This shows that 384 DNS datagrams were sent in a very short time. Looking at capinfos shows that the packet capture lasted only 22 seconds and started on November 27, 2010 at 23:39:45 (figure 2).

Figure 2: capinfos output for the evidence file

Furthermore, by applying a display filter in Wireshark to examine 192.168.1.30, a device on the internal network, we can see that 192 DNS packets originated from this device (figure 3). That is exactly half of the DNS traffic in the capture, which is consistent with each query from that host being answered by a single response. Nearly two hundred DNS queries from one internal host in 22 seconds is far more than ordinary name resolution generates, so the volume alone already points toward DNS tunneling before a single query name has been read.

Figure 3: Wireshark Protocol Hierarchy Statistics using a display filter for the IP of interest

This is corroborated by examining the Wireshark view of…
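The triage described above (protocol breakdown, capture duration, DNS packets per source host) can be scripted so it runs the same way on every capture. The following is an added example, not part of the case study or of Wireshark/capinfos: a pure-Python pcap reader that builds a small constructed capture in memory (one host bursting long-label queries to the assumed domain tunnel.example.net, one benign lookup, one non-DNS UDP packet), then reports packet and protocol counts, duration and per-host query rate, and flags a host when its query rate and leftmost-label length both exceed thresholds. The thresholds, hosts and domain are assumptions for illustration; the verdict on a real capture still needs the query names examined.

```python
"""Statistical triage of a pcap for DNS tunnelling (added example, pure Python).
Reproduces the figures the case study reads from Wireshark's Protocol Hierarchy
and capinfos, plus a simple query-rate / label-length heuristic.
Thresholds and the tunnel.example.net domain are assumptions."""
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4                       # pcap magic, microsecond timestamps
ETHERTYPE_IPV4, PROTO_UDP, DNS_PORT = b"\x08\x00", 17, 53


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_dns(qname, response=False, txid=0x1234):
    """Minimal DNS message: one TXT question, no answer records (enough for triage)."""
    flags = 0x8180 if response else 0x0100    # QR bit set on responses
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return hdr + labels + b"\x00" + struct.pack("!HH", 16, 1)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP; checksums left at zero (offline parsing only)."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def build_pcap(frames):
    """frames: iterable of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, fr in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(fr), len(fr)) + fr
    return out


def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for every record; handles both byte orders."""
    e = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl


def parse_qname(dns):
    """Question name from an uncompressed DNS question section (offset 12)."""
    labels, off = [], 12
    while dns[off]:
        n = dns[off]
        labels.append(dns[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def triage(pcap_bytes, qps_threshold=1.0, label_threshold=20):
    """Protocol counts, capture duration and per-source DNS query statistics."""
    records = list(parse_pcap(pcap_bytes))
    duration = records[-1][0] - records[0][0]
    proto, queries, labels = Counter(), Counter(), defaultdict(list)
    for _, fr in records:
        if fr[12:14] != ETHERTYPE_IPV4:
            proto["non-ipv4"] += 1
            continue
        ihl = (fr[14] & 0x0F) * 4
        if fr[23] != PROTO_UDP:                # IPv4 protocol field
            proto["ipv4-other"] += 1
            continue
        udp = fr[14 + ihl:]
        if DNS_PORT not in struct.unpack("!HH", udp[:4]):
            proto["udp-other"] += 1
            continue
        proto["dns"] += 1
        dns = udp[8:]
        if struct.unpack("!H", dns[2:4])[0] & 0x8000:
            continue                           # response: count only queries per source
        src = bytes_to_ip(fr[26:30])
        queries[src] += 1
        labels[src].append(len(parse_qname(dns).split(".")[0]))   # leftmost label carries tunnel data
    hosts = {}
    for src, n in queries.items():
        rate = n / duration if duration else float("inf")
        mean_label = sum(labels[src]) / n
        hosts[src] = {"queries": n, "qps": rate, "mean_first_label": mean_label,
                      "suspicious": rate > qps_threshold and mean_label > label_threshold}
    return {"packets": len(records), "duration": duration, "protocols": dict(proto), "hosts": hosts}


def sample_capture():
    """Constructed capture (not real evidence): 5 long-label query/response pairs from
    192.168.1.30, one benign lookup from 192.168.1.40, one non-DNS UDP packet."""
    frames = []
    for i in range(5):
        chunk = f"{i:02x}" * 16 + ".tunnel.example.net"          # 32-char hex first label
        frames.append((i * 0.5, build_frame("192.168.1.30", "10.1.1.20", 40000 + i, 53, build_dns(chunk))))
        frames.append((i * 0.5 + 0.01, build_frame("10.1.1.20", "192.168.1.30", 53, 40000 + i, build_dns(chunk, True))))
    frames.append((1.2, build_frame("192.168.1.40", "10.1.1.20", 50000, 53, build_dns("www.example.com"))))
    frames.append((1.21, build_frame("10.1.1.20", "192.168.1.40", 53, 50000, build_dns("www.example.com", True))))
    frames.append((2.5, build_frame("192.168.1.40", "10.1.1.20", 50001, 123, b"\x00" * 48)))   # NTP-sized, not DNS
    return build_pcap(sorted(frames, key=lambda f: f[0]))


if __name__ == "__main__":
    print(triage(sample_capture()))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage()`; the `protocols` and `duration` fields are the script's equivalent of the Protocol Hierarchy pane and capinfos, and `hosts` is the per-IP display-filter count. The heuristic is deliberately crude: a host that resolves many short names quickly (a busy mail server, for instance) will not trip the label-length test, and a slow, low-volume tunnel will not trip the rate test, which is why the case study goes on to inspect the query contents.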