DF Lab_SYS140wk15

The Secret of the Cookies

For this assignment, you will be examining digital evidence connected to a recent bank robbery:

  • Two suspects, John and Jane Doe, have been taken into custody in connection with the case.

  • The police suspect that there may be clues in the pair’s digital communication, so they have obtained a copy of John’s recent network traffic from his employer.

  • When Jane was detained, she had a thumb drive in her possession that contained files claiming to be recipes for various baked goods. However, the files are password-protected, so there’s no telling what those files may hold…

Lab Instructions

For this lab, we will be using Wireshark to examine John’s network traffic. This program is installed on your Skiff workstation, but you can also download it from https://www.wireshark.org/download.html.

Submission items for the lab will be BOLDED like this.

  1. Download the lab materials:

    1. The ChocolateTreat-Recipes zip file

    2. The packet capture file (.pcap) of John’s network traffic

  2. Open the .pcap file using Wireshark. You’ll see a lot of different types of network traffic there, but let’s start by examining John’s email.

    1. Answer the following question: Do a quick Google search for email protocols. What are some possible email protocols that we can look for in Wireshark? Don’t forget to cite your source! (1 point)

SMTP - Simple Mail Transfer Protocol

IMAP - Internet Message Access Protocol

POP - Post Office Protocol

https://www.sciencedirect.com/topics/computer-science/common-protocol#:~:text=Email%20Protocols,used%20for%20accessing%20electronic%20mailboxes.

  3. Near the top of the Wireshark window, you’ll see the display filter toolbar (it resembles the URL entry field in a browser). Type ‘tcp’ into the field and hit Enter. What happens to the packets below?

The packets are filtered by the type of protocol they were sent using. Packets sent over the TCP protocol are highlighted.

  4. Try typing in some of the email protocols you identified in Step 2a, and examine the results you get. Do any of these packets look suspicious?

    1. If you highlight a particular packet, you can view the full details of it below the packet list. You can select different items in the packet detail window to expand and hide information.

    2. One of these packets holds a clue! When you find it, take a screenshot of the packet details showing John’s message, and submit it as part of the lab. (1 point)

  5. The message from step 4a mentions “instant messaging.” One possibility is that John used a web client to send his messages, which means he would have used the standard application-layer protocol (HTTP) to send his message.

    1. Answer the following question: Think back to the OSI model we discussed earlier in class. What layer of the model would HTTP reside in? (1 point)

HTTP is on the application layer of the OSI model.

  6. Type ‘http’ into Wireshark’s display filter toolbar and hit Enter. Do any of these packets look suspicious? (Hint: look for any mention of ‘chat’.)

    1. Hidden somewhere in these packets is a password! Examine the list of packets to see if you can find it. When you do, take a screenshot of the password within the packet details and submit it as part of your lab. (1 point)

  7. We have a password, but we don’t know what it’s for yet. Perhaps those files we found on Jane’s thumb drive?

  8. Go through the Word files in the zip file you downloaded, and see if your password will let you view any of them.

    1. Answer the following question: Where is the stolen money located? This can either be a screenshot or a text answer. (1 point)

Here is what you need to know: Go to Bret Harte Elementary School, 1909 Queen Anne Road, Cherry Hill, NJ 08003. From immediately behind the backstop of the baseball field at the rear of the school, enter the trail into the woods. Go 30 paces and you will see a large Oak Tree on the left. Dig on the north side of the trunk and you will find what you are looking for.
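As an added example (not part of the lab materials or the course's own tooling), the Python below reproduces what steps 3 to 6 do in Wireshark on a constructed capture: it parses a classic pcap, applies a protocol filter the way the display filter bar does, and flags a password that a web chat client posted over plain HTTP. The port-to-protocol mapping, the constructed frames, the hostnames and the sample credential are all assumptions and are not taken from John's pcap.

```python
import re
import struct

# Well-known ports, standing in for Wireshark's port-based protocol labels (assumed mapping)
PORT_PROTOCOLS = {25: "smtp", 110: "pop", 143: "imap", 80: "http"}
# Form-encoded password fields, the shape a web chat login sends when it is not using TLS
CRED_RE = re.compile(rb"(?:^|[?&\s])(?:pass(?:word|wd)?|pwd)=([^&\s]+)", re.I)

def build_frame(sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield (protocol, tcp_payload) for every IPv4/TCP frame in a little-endian pcap."""
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23:24] != b"\x06":  # IPv4 carrying TCP only
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # 14-byte Ethernet header plus IHL*4 bytes of IP
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset gives the TCP header length
        yield PORT_PROTOCOLS.get(dport) or PORT_PROTOCOLS.get(sport) or "tcp", payload

def display_filter(pcap, proto):
    """Like typing 'smtp' or 'http' into the display filter bar: keep only that protocol's payloads."""
    return [p for name, p in parse_pcap(pcap) if name == proto]

def find_cleartext_passwords(pcap):
    """Flag passwords sent in the clear over HTTP, the detection a defender wants on this traffic."""
    return [m.group(1).decode() for p in display_filter(pcap, "http") for m in CRED_RE.finditer(p)]

# Constructed sample capture: one SMTP command, one HTTP page fetch, one HTTP login POST
SAMPLE = build_pcap([
    build_frame(51000, 25, b"MAIL FROM:<john@example.test>\r\n"),
    build_frame(51001, 80, b"GET /chat/ HTTP/1.1\r\nHost: chat.example.test\r\n\r\n"),
    build_frame(51002, 80, b"POST /chat/login HTTP/1.1\r\nHost: chat.example.test\r\n\r\n"
                           b"user=jdoe&password=Sample-Pass-123&room=bakery"),
])
```

Running `find_cleartext_passwords(SAMPLE)` returns the posted credential, which is exactly the finding the lab asks you to screenshot; on a real capture the same check tells a defender which applications still send logins without TLS.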

SUBMISSION SUMMARY:

  • Answer to question #2a

  • Screenshot from step #4b

  • Answer to question #5a

  • Screenshot from step #6a

  • Answer to question #8a
