More PCAP Analysis Practice

It’s time to tackle another PCAP analysis exercise from Brad Duncan. I’ve only done a couple of these (I posted one of my write ups here), and would like to put myself in a more technical DFIR analyst mindset—completing more of these exercises seems like a great way to do that.

I previously attempted some of Duncan’s more complex exercises (such as this one) and found myself stumped. So, my plan is to get some more practice on the basic exercises before attempting the more advanced analyses.

The following write-up is based on the 2014-12-08 Traffic Analysis Exercise. Rather than answer each practice question one by one as I did in my first write-up, I’ve attempted to write something that resembles a real-world report and also addresses as many of the questions as possible.

Lastly, I did not check my answers before making this post – I thought it would be a little more fun that way. After I have a chance to review the answers, I may update this post (especially if my errors were egregious!)

So here we go!

Continue reading →

PCAP Analysis Practice

BLUF: I downloaded a PCAP from this exercise provided by @malware_traffic.  I’m a Wireshark and PCAP n00b, but wanted to see how far I could get with an analysis I’m not used to doing. I think I did pretty well (I was pleased I was able to get one of the Level 3 questions), but got hung up on identifying the exact infection chain and series of redirects.

Continue reading →