Security analysts at a critical infrastructure facility


This assessment involves a scenario in which you will need to use a variety of tools and approaches in the forensic analysis.

Security analysts at a critical infrastructure facility have received an alert indicating that some type of suspicious activity is occurring in the network, involving the IP address 192.168.1.30.

Specifically, unusual DNS traffic is either originating from or terminating at this particular host.

As a forensic investigator, you are assigned the following mission:

Analyse the DNS traffic and determine the trail of suspicious activity, if any such activity exists.

Determine the purpose of the unusual traffic generated as part of the anomalous activity associated with the above IP address.

Upon confirmation of suspicious activity, recover as much information as possible about the local and remote systems involved.

Collect and/or recover as many statistics as possible from the suspicious data.

Write up a report listing the summarised points of the case that you have studied through the analysis exercise.

Network architecture details:

1. The internal network is 192.168.1.0/24

2. DMZ: 10.1.1.0/24

3. The IP range 172.16.0.0/12 must be treated as the 'Internet'

4. 10.1.1.20 is the internal DNS server

5. Evidence is provided in the evidence-network-tunneling.pcap file
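As an added illustration of the statistics the brief asks for (example code, not part of the assignment or its evidence file), the Python below takes DNS query records of the kind one would extract from the pcap with tshark or a packet parser and profiles them per source host and base domain using the zones defined above, flagging hosts whose subdomains look like many distinct chunks of encoded data or which query the 'Internet' range directly instead of 10.1.1.20. The sample records, the host 192.168.1.15 and the domain tunnel-placeholder.test are constructed placeholders.

```python
import ipaddress
import math
from collections import Counter
ZONES = {"internal": ipaddress.ip_network("192.168.1.0/24"),  # zones as defined in the brief
         "dmz": ipaddress.ip_network("10.1.1.0/24"),
         "internet": ipaddress.ip_network("172.16.0.0/12")}
INTERNAL_DNS = ipaddress.ip_address("10.1.1.20")

def zone_of(ip):
    return next((z for z, net in ZONES.items() if ipaddress.ip_address(ip) in net), "unknown")

def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0

def summarise(records):
    """Per (source host, base domain): counts and summed subdomain length/entropy."""
    stats = {}
    for src, dst, qname, qtype in records:
        labels = qname.rstrip(".").split(".")
        base, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        s = stats.setdefault((src, base), {"queries": 0, "subdomains": set(), "len_sum": 0,
                                           "ent_sum": 0.0, "odd_types": 0, "bypass": 0})
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["len_sum"] += len(sub)
        s["ent_sum"] += shannon_entropy(sub)
        s["odd_types"] += qtype in {"TXT", "NULL"}  # types often used to carry tunnelled data
        # An internal host talking DNS straight to the 'Internet' range skips 10.1.1.20.
        s["bypass"] += (zone_of(src) == "internal" and zone_of(dst) == "internet"
                        and ipaddress.ip_address(dst) != INTERNAL_DNS)
    return stats

def flag_tunnelling(stats, min_queries=5, min_len=20.0, min_entropy=3.0):
    """(host, domain) pairs whose subdomains look like many distinct chunks of encoded data."""
    flagged = []
    for key, s in stats.items():
        mean_len, mean_ent = s["len_sum"] / s["queries"], s["ent_sum"] / s["queries"]
        if (s["queries"] >= min_queries and len(s["subdomains"]) >= min_queries
                and mean_len >= min_len and mean_ent >= min_entropy):
            flagged.append(key)
    return flagged

# Constructed sample records (src, dst, qname, qtype); not taken from the evidence pcap.
SAMPLE = [("192.168.1.15", "10.1.1.20", "www.example.com", "A")] + [
    ("192.168.1.30", "10.1.1.20", chunk + ".tunnel-placeholder.test", "TXT") for chunk in (
        "mfrggzdfmztwq2lknnwg23tpobyxe43u", "ge2dknrugu3dqojsgaydambqgaydambq",
        "krugkidrovuwg2zamjzg653oebxw4ytj", "onswy3dpobsxeidbnzsccidsmvqwiidp",
        "mfzgwzlmnfxgsidon5zsa3ttorqwk5lo")] + [
    ("192.168.1.30", "172.16.5.5", "nfvw6zlsozswy5ldmvzgc3ttojzw42lo.tunnel-placeholder.test", "A")]
```

Running `flag_tunnelling(summarise(SAMPLE))` reports the constructed 192.168.1.30 / tunnel-placeholder.test pair and nothing else; the per-pair `stats` entry also records the five TXT queries and the one query sent past the internal resolver.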
