Index of /hacklu

Name              Last modified       Size   Description

Parent Directory                      -
README.txt        2016-10-19 12:06    2.9K
dev01.E01         2016-08-19 17:15    1.5G
dev01.E02         2016-08-19 20:18    1.5G
dev01.E03         2016-08-19 23:17    1.5G
dev01.E04         2016-08-20 02:17    1.5G
dev01.E05         2016-08-20 05:20    1.5G
dev01.E06         2016-08-20 05:37    144M
dev01.mem.aff     2016-08-19 14:16    646M
dev01.txt         2016-09-26 14:16    1.1K
ls16.pcap         2016-08-12 12:19    1.9G
md5.txt           2016-09-26 14:33    400

This forensic evidence is kindly provided by the CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence).
It was specifically built for the Locked Shields Cyber Exercise in 2016.
Permission is granted to use this material, as long as CCDCOE is referenced as the author of this material.

The slides are available here:

Attention! The RRT (Rapid Reaction Team) is requested to perform a digital forensics investigation 
to prove that the recent defacement of the Revalian government web server was not performed by Berylia. 
At approximately 11:15 A.M. on 04 April 2016 was defaced. 
Revalia's web server logs show that the attack came from an IP address used by the Berylian Armed Forces Drone Control Facility.
They are now threatening to declare war against Berylia if it cannot prove it was not responsible!
Your team is tasked with performing an investigation on machines within the subnet of the facility that is linked to the attack.

We have already identified the affected machine and have taken a disk image and a memory dump.

OS: Windows 10 (32bit) 
User: Sheldon Jobs
Username: coderunner, password: LS16Sheldon
E-Mail:, password: LS16M@il
IP:	dev01

The memory dump was taken with winpmem: winpmem_2.1.post1.exe -o s:\forensics\evidence\dev01.mem.aff

The disk image was taken with FTK Imager Lite v 3.1.1.

Please analyse the evidence in the various domains and write a report.
- Identify the malicious traffic to the Revalia website and confirm that our system is indeed causing it.
- Confirm the infection of the system (disk, RAM, network), including when it started and when it ended.
- Keep track of the IOCs (indicators of compromise).
- Identify what further actions might have been performed under the attacker's control.
- Write a report discussing what was found: a general summary, a detailed timeline covering the various forensic domains, and then the reports per forensic domain (network, system, memory, malware).

Hint: Correlate network traffic with system timeline to find more pivot points. 
Hint: Maybe the Revalia government website defacement was not the most important thing that happened on this system.

You have to analyze the PCAP to find the solutions to the following questions:

1. Which IP addresses are engaged in exfiltration execution (please specify all identified source and destination IP addresses)?

2. What approach is used to create a covert channel used to exfiltrate information from the target network?

3. If possible, can you identify and extract the exfiltrated sensitive administrative information?

This challenge is not related to the main forensic scenario.