READING AND RESOURCES

Read Chapters 11 and 12 in System Forensics, Investigation, and Response.

Chapter 11 introduces you to mobile forensics and working with smartphones for forensic purposes. Mobile forensics is a very important topic because mobile devices are used by almost everyone. These devices can be a veritable treasure trove of forensic evidence. You will learn about the fundamental of mobile devices and how to extract forensic evidence from these devices.

Chapter 12 introduces you to network forensics and working network analysis for forensic purposes. The data being communicated over network as packet forms the evidence and network packet analysis is central to network forensics. You will explore network traffic analysis, router forensics, and firewall forensics.

LAB DETAILS

Unit 5 Lab: Analyzing Evidence with Network Forensics Tools

Outcomes addressed in this activity:

Unit Outcomes:

• Evaluate tools and techniques for mobile device forensics.
• Examine network device logs for evidence in a forensic case.

Purpose

In this lab, you will use two very powerful network forensic analysis tools, Wireshark® and NetWitness Investigator®, to examine the same File Transfer Protocol (FTP) traffic capture file and compare the results of each.

Lab Instructions

FTP is a protocol that is used extensively in business and social communications to move files between a host and a client. Just about every time you download something from an Internet site, you are using a version of FTP to manage the process. It is the most frequently used file transfer tool, but it is vulnerable. You will explore the protocol capture file to see how FTP’s cleartext transmission can endanger an organization.

Access the lab link entitled “Decoding an FTP Protocol Session for Forensic Evidence” in this lab section.

The following resources will help you get oriented in the lab environment: Common Lab Tasks Manual and J and B Lab Tips. The manual will provide detail and the tips are a very abbreviated reference.

In the lab environment, you will find instructions for the specific lab, which can be downloaded. Follow the instructions.

Use the Unit 5 Lab Worksheet to record and submit your results.

This lab has two parts, which should be completed in the order specified.

• In the first part of the lab, you will use Wireshark to examine a protocol capture file and identify the specifics of an FTP transmission.
• In the second part of the lab, you will use NetWitness Investigator to examine that same protocol capture file and identify further specifics of an FTP transmission.

Lab Requirements

The following software and/or utilities are required to complete this lab. Students are encouraged to explore the Internet to learn more about the products and tools used in this lab.

• NetWitness Investigator
• Wireshark

Your lab report in should include the following:

• Title page.
• Forensic protocol analysis on an FTP protocol capture file using Wireshark and NetWitness Investigator.
• Examination of evidence of client and server FTP communications at the protocol level.
• Identification of FTP login credentials as part of a forensic investigation.
• Identification of FTP client/server TCP/IP communications and dialogue.
• Comparison of Wireshark and NetWitness Investigator as a forensic analysis tool for protocol analysis.
• Provide a summary of the findings.
• Reference list in APA format.

Lab Requirements

All lab steps are completed, including screenshots and explanations where required. Lab question answers contain sufficient information to adequately address the questions. The lab report and the answers are accurate and complete, as well as free from grammar and spelling errors.

For assistance with APA requirements, please go to Academic Writer. You will find the link in the Academic Tools section of the course.

Also review the Policy on Plagiarism. This policy will be strictly enforced on all applicable activities. If you have any questions, please contact your professor.