Network Forensics Lab 5

Notes:

● All answers must be in complete sentences for full credit.

● Reminder: Experiment with these tools in VMWare. Use of some of these

tools outside a closed environment for the purpose other than this lab is not
sanctioned and may be in violation of policy or law.

Objective:

● The purpose of this exercise is to give you experience with some networking
concepts essential for network forensics.

Terms:

ARP-Address Resolution Protocol. ARP is used to find the hardware address of a

host. (IP addresses are translated to MAC addresses.)

DNS-Domain Name System. The DNS translates host names into IP addresses.

ICMP-Internet Control Message Protocol. ICMP is used to send networking error

messages. Ping uses ICMP.

RST-Reset a connection.

SYN-Synchronize. Request a web service. ACK-Acknowledge. Acknowledge the

request.

TCP-Transmission Control Protocol. This is a protocol used for transferring files

across the Internet.

Three-way handshake: When a client requests an internet service, a SYN

request is sent to the host. The host responds with a SYN-ACK. When the client
receives the SYN-ACK, the client responds with an ACK.

1 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir
 Network Forensics Lab 5

In your Windows VMWare:

Software to Install:

● NirSoft
o Go to: http://www.nirsoft.net/web_browser_tools.html
o Download and install the Cookie viewer tool (IECookieViewer and a
viewer for another browser of your choice, such as
ChromeCookiesView)
o Read the information provided on the website prior to downloading and
installing the programs
● Wireshark
o If it is not installed on your computer already, you can download it
from http://www.wireshark.org/ .
● Keylogger
o Go to: http://www.spyarsenal.com and download Golden or Family
KeyLogger.
o Decompress the files if necessary.
o You will have to disable the AntiVirus auto-protect before you can run
the software.

Packet Sniffing:

Wireshark is a packet sniffer. We will use it to capture and analyze network traffic.
If it is not installed on your computer already, you can download it from
http://www.wireshark.org/ .

First, you need the IP address of the machine you are working on. Do you
remember how to do this? Go to Start->Run… and type in:

command

ipconfig

2 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir
 Network Forensics Lab 5

exit

Hint: You may need to cd to the correct directory, for example C:\Windows\
System32

Note your IP address. In the lab, this will be the third number that appears (Local
Area Connection: 192.168.1.X). ________________________________________

Run Wireshark (Start->Programs->Wireshark).

o Choose Capture->Options
o Be sure Intel ® ProAdapter 100MT (or whatever your Ethernet adapter is) is
selected from the drop-down menu.
o Be sure the Capture packets in promiscuous mode check box is selected.
(Promiscuous mode means that Wireshark will read all the network traffic
routed through this machine, whether it is intended for this machine or not.)
o Choose the update list of packets in real time check box
o Choose to stop after 500 packets.
o Accept other default settings.

Next we are going to have you generate some traffic for you to look at by going to
a very simple test page.

o Open a browser and go www.amazon.com

o Select books from the dropdown
o Search for Computer Forensics
o Select a book, change the quantity to 3 and Add to Cart

Back in Wireshark, choose: Stop.

Double click on each packet to examine its contents. Did you find the name you
entered? If not, you can try searching…

Searching packets:

3 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir
 Network Forensics Lab 5

o Select: “Find a packet…” icon.

o Choose: String
o Filter: Type in POST
o Select: “Packet Details.”
o Choose: Find

This is telling Wireshark to locate packets where data was entered on a website. A
busy network will generate a lot of traffic, so using filters and searches will help you
locate packets of interest quickly.

Let’s try eavesdropping on LAN traffic. This time:

o Choose Capture->Options
o Be sure Intel ® ProAdapter 100MT (or whatever server adapter is installed)
is selected from the drop-down menu.
o Be sure the Capture packets in promiscuous mode check box is selected.
o Choose the update list of packets in real time check box
o Choose to stop after 500 packets.
o Accept other default settings.
o Choose Start
o Try pinging your Virtual Machine from your “regular” computer

Try some experiments on your own! Make a request of a web page and see if you
can capture the [SYN], [SYN, ACK], [ACK] sequence of packets as the three way
handshake is completed.

Internet History and Cookies:

A cookie is a file created by a web browser that is saved to the client machine.
Cookies are often used to save settings and track usage. There are a number of
freeware tools you can use to read the cookie log files. To make this experiment
easier, open Internet Explorer and choose Tools-> Internet Options->Privacy->

4 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir
 Network Forensics Lab 5

Advanced ->Accept all cookies. Browse a couple of websites in Internet

Explorer/Edge to be sure some cookies have been saved.

Run Nirsoft and view the cookies on your system.

Repeat this using another browser like Chrome.

Poking around:

Launch SSH and log in to your mason.gmu.edu account to explore some Unix
networking commands:

Netstat: View active IP Sockets:

>/usr/bin/netstat –a|more

Configures or displays network interface parameters:

>/usr/sbin/ifconfig -a

ARP –Address Resolution Protocol (lists a table of hosts and IP addresses)

>/usr/sbin/arp -a

Software Keylogging:

Go to: http://www.spyarsenal.com/keylogger/ and download Home or Golder

KeyLogger. Decompress the files if necessary.

You will have to disable the AntiVirus auto-protect before you can run the software.

5 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir
 Network Forensics Lab 5

1) Run the FamilyKeyLogger-setup. Experiment with this program. Then answer

Review Questions 6-8. Make sure you know how to make the icon visible in the
system tray and view the log.

Try some experiments on your own!

6 ©2007, updated 2014, 2015, 2017, 2021, 2022 Anne Marchant, Rebecca J. Pollard, Alex Mbaziir