In modern network environments, monitoring and analyzing traffic is crucial for detecting and mitigating security incidents. This lab presents a network forensic challenge where an internal server has been flagged for unusual outbound connections to an unknown external IP. Initial analysis suggests possible data exfiltration, and the goal of this investigation is to determine the source and method of compromise by examining network logs and captured packets.

Using Wireshark, we will analyze various network protocols, including FTP, DNS, TLS, and HTTP, to uncover key artifacts and trace the suspicious activity. By filtering and dissecting packets, we will identify potential credential exposure, unauthorized file transfers, and encrypted communications, which may provide insight into how the system was accessed and what data may have been exfiltrated. Through this walkthrough, we will extract sensitive metadata, analyze network-based authentication attempts, and follow the footprints left by the attacker within the network traffic. By methodically inspecting each protocol, we aim to identify indicators of compromise (IOCs) and determine whether malicious actors leveraged misconfigurations or plaintext transmissions to infiltrate the system.
The File Transfer Protocol (FTP) is a widely used protocol for transferring files betw