June 2021 Forensic Contest

https://isc.sans.edu/forums/diary/June+2021+Forensic+Contest/27532/

Preparation

First, download and unzip (pass:infected) the pcap:

wget <https://github.com/brad-duncan/June-2021-forensic-quiz/raw/main/June-2021-forensic-contest.pcap.zip>

The infected Windows host is part of an AD environment.

The user account is formatted as firstname.lastname.

LAN segment range: 10.6.15.0/24 (10.6.15.0 through 10.6.15.255)
Domain: saltmobsters.com
Domain Controller: 10.6.15.5 - Saltmobsters-DC
LAN segment gateway: 10.6.15.1
LAN segment broadcast address: 10.6.15.255

Following the suggestion from Brad, I'll start by splitting the pcap into separate pcaps by host. Using Endpoints from the Statistics menu, I can find the IPs of the machines in the 10.6.15.0/24 subnet: .93, .119, .187. The Endpoints menu also gives the ethernet (MAC) addresses which, when resolved, gives us one Cisco, one Dell, and three ASUSTekC adapters (.1, .5, then the three other IPs). I'm going to use the IPs, so a filter for ip.addr==10.6.15.93 then Export Specified Packets from the File menu (and repeat for .119 and .187).

Questions

IP addresses of the infected Windows computers.

Let's start with Export Objects → HTTP. This can show if any malware was downloaded.