Lab 10
School: American Public University
Course: 422
Subject: Information Systems
Date: Feb 20, 2024
Pages: 11
Uploaded by PresidentRiverWasp4
Performing Incident Response and Forensic Analysis (4e)
Fundamentals of Information Systems Security, Fourth Edition - Lab 10
Student: Steven Engelken
Email: steven.engelken@mycampus.apus.edu
Time on Task: 2 hours, 12 minutes
Progress: 100%
Report Generated: Monday, January 22, 2024 at 1:00 AM
Section 1: Hands-On Demonstration
Part 1: Analyze a PCAP File for Forensic Evidence
10. Make a screen capture showing the Time Graph.
16. Make a screen capture showing the details of the 2021-Jul-13 15:33:00 session.
Part 2: Analyze a Disk Image for Forensic Evidence
6. Make a screen capture showing the email message containing FTP credentials and the associated timestamps.
Part 3: Prepare an Incident Response Report
Date
Insert current date here.
01/21/2024
Name
Insert your name here.
Steven Engelken
Incident Priority
Define this incident as High, Medium, Low, or Other.
High
Incident Type
Include all that apply: Compromised System, Compromised User Credentials, Network Attack (e.g.,
DoS), Malware (e.g. virus, worm, trojan), Reconnaissance (e.g. scanning, sniffing), Lost
Equipment/Theft, Physical Break-in, Social Engineering, Law Enforcement Request, Policy Violation,
Unknown/Other.
Compromised System, Reconnaissance, Policy Violation
Incident Timeline
Define the following: Date and time when the incident was discovered, Date and time when the
incident was reported, and Date and time when the incident occurred, as well as any other relevant
timeline details.
Date and time when the incident was discovered: 2024-01-22 20:20:00 PST
Date and time when the incident was reported: 2024-01-22 20:40:00 PST
Date and time when the incident occurred: 2021-07-01 16:05:00 MDT
Incident Scope
Define the following: Estimated quantity of systems affected, estimated quantity of users affected, third
parties involved or affected, as well as any other relevant scoping information.
Estimated quantity of systems affected: 4
Estimated quantity of users affected: 1
Third parties involved or affected (e.g., vendors, contractors, partners): 0
Additional Information: Mr. Johnson was working with Dr. Evil and released IP addresses as well as
account access to an FTP secured network in order to steal company information.
Systems Affected by the Incident
Define the following: Attack sources (e.g., IP address, port), attack destinations (e.g., IP address,
port), IP addresses of the affected systems, primary functions of the affected systems (e.g., web
server, domain controller).
Attack sources (e.g., IP address, port): IP address: 157.165.0.25
Attack destinations (e.g., IP address, port): IP address: 172.31.0.20, 172.31.0.1, 172.30.0.2,
172.40.0.1
IP addresses of the affected systems: 172.31.0.20, 172.31.0.1, 172.30.0.2, 172.40.0.1
Primary functions of the affected systems (e.g., web server, domain controller): domain controller
Users Affected by the Incident
Define the following: Names and job titles of the affected users.
Names and job titles of the affected users: Marvin Johnson, Project Manager
Section 2: Applied Learning
Part 1: Identify Additional Email Evidence
5. Make a screen capture showing the email from Dr. Evil demanding that Marvin install a keylogger.
6. Make a screen capture showing the email from Dr. Evil reminding Marvin to update the firewall and scheduler.
Part 2: Identify Evidence of Spyware
12. Make a screen capture showing the three events that are related to the Actual Keylogger file in the /Windows/System32/Tasks folder with a June 30 timestamp.
15. Make a screen capture showing the one event that is related to the Actual Keylogger file in the /Windows/System32/Tasks folder with a July 1 timestamp.
20. Record the date and time that the keylogger's executable file was created.
2021-06-30 15:00:13
22. Record the date and time when the keylogger's executable file was last started.
2021-07-01 15:54:39
23. Record whether you think you have evidence to claim that Marvin opened the keylogger.
I cannot say definitively whether he did or not.
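The three June 30 events and the single July 1 event asked for in steps 12 and 15, and the created and last-started times recorded in steps 20 and 22, are what a file-system timeline filter produces once the image has been parsed. The Python below is an added example, not part of the lab or of any forensic tool: it builds a small constructed timeline (every path, and every timestamp except the two akl.exe times taken from steps 20 and 22, is an assumption made for illustration) and filters it the way the lab's questions do.

```python
"""Filter a file-system timeline for a suspect file (added example, not lab code)."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class FsEvent:
    path: str            # path inside the image, forward slashes, drive letter dropped
    timestamp: datetime  # as rendered by the forensic tool; NTFS stores these in UTC
    kind: str            # "created", "modified", "accessed" or "changed" (MFT entry change)


# Constructed sample timeline for this example. The two akl.exe times reuse the values
# recorded in the lab (created 2021-06-30 15:00:13, last started 2021-07-01 15:54:39);
# every path and every other timestamp is an assumption, not data from the lab image.
SAMPLE_EVENTS = [
    FsEvent("/Windows/System32/Tasks/Microsoft/Windows/Defrag/ScheduledDefrag",
            datetime(2021, 6, 30, 9, 12, 5), "accessed"),
    FsEvent("/Users/Marvin/Downloads/akl_setup.exe", datetime(2021, 6, 30, 14, 58, 2), "created"),
    FsEvent("/Program Files/Actual Keylogger/akl.exe", datetime(2021, 6, 30, 15, 0, 13), "created"),
    FsEvent("/Program Files/Actual Keylogger/akl.exe", datetime(2021, 6, 30, 15, 0, 13), "modified"),
    FsEvent("/Windows/System32/Tasks/Actual Keylogger", datetime(2021, 6, 30, 15, 0, 41), "created"),
    FsEvent("/Windows/System32/Tasks/Actual Keylogger", datetime(2021, 6, 30, 15, 0, 41), "modified"),
    FsEvent("/Windows/System32/Tasks/Actual Keylogger", datetime(2021, 6, 30, 15, 0, 41), "changed"),
    FsEvent("/Windows/System32/Tasks/Actual Keylogger", datetime(2021, 7, 1, 15, 54, 39), "accessed"),
    FsEvent("/Program Files/Actual Keylogger/akl.exe", datetime(2021, 7, 1, 15, 54, 39), "accessed"),
]


def events_matching(events, *, path_contains, on_date=None):
    """Events whose path contains `path_contains` (case-insensitive), optionally
    restricted to one calendar day (a date or an ISO string), sorted by time."""
    if isinstance(on_date, str):
        on_date = date.fromisoformat(on_date)
    needle = path_contains.lower()
    hits = [e for e in events
            if needle in e.path.lower()
            and (on_date is None or e.timestamp.date() == on_date)]
    return sorted(hits, key=lambda e: (e.timestamp, e.kind))


def executable_lifecycle(events, exe_path):
    """(created, last_touched) for one file, or None if the path never appears.
    `created` is the earliest creation event; `last_touched` is the latest event of
    any kind, which is all a file-system timeline alone can say about last use."""
    same = [e for e in events if e.path.lower() == exe_path.lower()]
    if not same:
        return None
    created = min((e.timestamp for e in same if e.kind == "created"), default=None)
    return created, max(e.timestamp for e in same)


def render(events):
    """One line per event, in the order a timeline tool would list them."""
    return "\n".join(f"{e.timestamp:%Y-%m-%d %H:%M:%S}  {e.kind:<8}  {e.path}" for e in events)


if __name__ == "__main__":
    task = "/Tasks/Actual Keylogger"
    print(render(events_matching(SAMPLE_EVENTS, path_contains=task, on_date="2021-06-30")))
    print(render(events_matching(SAMPLE_EVENTS, path_contains=task, on_date="2021-07-01")))
    print(executable_lifecycle(SAMPLE_EVENTS, "/Program Files/Actual Keylogger/akl.exe"))
```

Two caveats belong next to step 23. NTFS records timestamps in UTC and the tool renders them in whatever zone it is configured for, so they should only be compared with the e-mail timestamps after both are normalised to one zone. And a file's last-accessed time is weak evidence of execution: last-access updates are often disabled by default on NTFS volumes, and a timestamp on the file says nothing about which account launched it, so a claim that a particular user ran the program needs corroboration from prefetch files, the Task Scheduler's own history or per-user artifacts rather than the timeline alone.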
Part 3: Update an Incident Response Report
Date
Insert current date here.
01/21/2024
Name
Insert your name here.
Unchanged
Incident Priority
Has the incident priority changed? If so, define the new priority. Otherwise, state that it is unchanged.
Unchanged
Incident Type
Has the incident type changed? If so, define any new incident type categories that apply. Otherwise,
state that it is unchanged.
Unchanged
Incident Timeline
Has the incident timeline changed? If so, define any new events or revisions in the timeline.
Otherwise, state that it is unchanged.
The incident began earlier than initially reported; the actual start date is 2021-06-30.
Incident Scope
Has the incident scope changed? If so, define any new scoping information. Otherwise, state that it is
unchanged.
Quantity of users affected: updated to the number of employees working in the secured network.
Dr. Evil insisted that Mr. Johnson install a keylogger on the system to track input from other
members of the team. This gave Dr. Evil access to more of the information entered as well as the
information needed to access the necessary files.
Systems Affected by the Incident
Has the list of systems affected changed? If so, define any new systems or new information.
Otherwise, state that it is unchanged.
Unchanged
Users Affected by the Incident
Has the list of users affected changed? If so, define any new users or new information. Otherwise,
state that it is unchanged.
Unchanged
Section 3: Challenge and Analysis
Part 1: Identify Additional Evidence of Data Exfiltration
Make a screen capture showing an exfiltrated file in Marvin's Outlook database.
Part 2: Identify Additional Evidence of Spyware
Make a screen capture showing the email with instructions for installing additional spyware.
Document the red flags in the email that indicate that it may be a phishing attempt.
Indications of a possible phishing attempt are that the sender's email address includes a number,
"secu1ty", a subtle change made to create a believable address; that it asks for software to be
installed on the secure network, where security should already have remote access to perform updates;
and the threatening manner of approach.
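The red flags listed above (a digit substituted into the sender's domain, a request to install software, a threatening tone) can be checked mechanically when triaging mail. The Python below is an added example, not part of the lab: the trusted-domain list, the look-alike character table, the keyword patterns and both sample messages are constructed for illustration and would be replaced by an organisation's own values.

```python
"""Triage checks for the phishing red flags noted in the lab (added example, not lab code)."""
import re
from email.utils import parseaddr

# Sender domains the organisation expects mail from (constructed for this example).
TRUSTED_DOMAINS = {"security.example.com", "example.com"}

# Digits commonly swapped for letters to build a look-alike domain (constructed, not exhaustive).
LOOKALIKE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Wording that asks the recipient to put software on a machine, and wording that pressures them.
INSTALL_WORDS = re.compile(r"\b(install|download|run|execute|enable)\b", re.I)
THREAT_WORDS = re.compile(r"(immediately|or else|terminated|suspended|within \d+ (?:hour|minute)s?)", re.I)


def edit_distance(a, b):
    """Levenshtein distance; small values flag a domain one typo away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Domain part of the address in a From: header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def domain_flags(domain):
    """Red flags raised by the sender domain alone."""
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    normalised = domain.translate(LOOKALIKE)  # "secur1ty" -> "security"
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted:
            flags.append(f"digit-for-letter look-alike of {trusted}")
        elif edit_distance(normalised, trusted) <= 2:
            flags.append(f"near-match of trusted domain {trusted}")
    return flags or ["sender domain not on trusted list"]


def assess(msg):
    """All red flags for a message given as {"from", "subject", "body"}."""
    flags = domain_flags(sender_domain(msg["from"]))
    text = msg["subject"] + "\n" + msg["body"]
    if INSTALL_WORDS.search(text):
        flags.append("asks recipient to install or run software (security can push updates itself)")
    if THREAT_WORDS.search(text):
        flags.append("threatening or urgent language")
    return flags


# Constructed sample messages; they are not the e-mails from the lab image.
SAMPLE_MESSAGE = {
    "from": "IT Security <helpdesk@secu1ty.example.com>",
    "subject": "Action required: install monitoring agent today",
    "body": "Download and install the attached agent on your workstation within 2 hours "
            "or your access will be terminated.",
}
CLEAN_MESSAGE = {
    "from": "IT Security <helpdesk@security.example.com>",
    "subject": "Quarterly awareness survey",
    "body": "The quarterly awareness survey closes on Friday. Thanks for taking part.",
}

if __name__ == "__main__":
    for flag in assess(SAMPLE_MESSAGE):
        print("FLAG:", flag)
    print("clean message flags:", assess(CLEAN_MESSAGE))
```

The From: header is attacker-controlled, so the domain checks are triage only; before acting on the result, confirm the message's Authentication-Results (SPF, DKIM and DMARC) and the actual sending server in the Received: chain. The keyword patterns are deliberately small and will need tuning against real mail.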