https://github.com/augustinefosumanu/insider-threat-forensics

This lab focuses on investigating a suspected insider compromise involving unauthorized disclosure of proprietary confectionery recipes at a fictional corporation.

# Insider Threat Forensics Lab: Investigating Data Breaches at Candy Corp (Fictitious Organization)

## Lab

In this lab, I assumed the role of a junior cybersecurity administrator tasked with investigating a critical data breach at Candy Corp. The lab focused on:

- Forensic Evidence Management: Constructing secure repositories to catalog and analyze logs, emails, and digital artifacts tied to insider threats.

- Insider Threat Analysis: Identifying collusion between employees leaking proprietary recipes to a competitor, Sugar Corp.

- Critical Data Recovery: Locating hidden sensitive data, analyzing encrypted files, and isolating evidence tied to stolen intellectual property.

- Court-Ready Reporting: Compiling a comprehensive evidence dossier to support legal action.

### Navigating to the Secure Workspace

I navigated into the 'take_5' directory using the cd command, stepping into my designated forensic workspace. This folder functioned as a virtual crime scene—carefully quarantined to preserve the integrity of the evidence within.

[Screenshot: Navigating into take_5 directory]

### Creating a Case-Specific Investigation Folder

I used the mkdir command to create the 'Internal_Investigation_Employee_A' folder, following a clear and precise naming convention to ensure it was dedicated exclusively to this suspect's activities. To confirm I was in the correct directory, I ran pwd. This verification step was critical—even a minor typo could have led to unintended modifications of live system files. By double-checking, I also ensured the folder was created successfully, preventing potential errors from working in the wrong location later on.

[Screenshot: Creating Internal_Investigation_Employee_A directory]
[Screenshot: Navigating into Internal_Investigation_Employee_A directory]

### Initializing Core Evidence Files

I navigated into the dedicated investigation folder to ensure all files were created in the correct location. Upon discovering that 'web_evidence' was irrelevant (as Candy Corp had no web logs), I deleted it using the rm command, adapting my investigation approach as new information emerged. I then used ls to list the directory and verify that all necessary files were present. Missing a file at this stage could have led to overlooked evidence later in the process.

[Screenshot: Creating multiple files within the current directory]
[Screenshot: Deleting a file]
[Screenshot: Listing all files created]

### Creating a Second Investigation Directory

I used the mkdir command to create the 'Internal_Investigation_Employee_B' folder. This naming convention maintained clarity by distinctly separating the investigation data for each suspect.

[Screenshot: Creating additional directory]

### Reassigning Evidence with Absolute Paths

By using mv with absolute paths, I ensured that I was explicitly targeting the correct file and destination, regardless of my current working directory. This approach prevented accidental misplacement of files during the process.

[Screenshot: Moving files to another directory]

### Copying Shared Log Evidence with Absolute Paths

Using cp with absolute paths ensured I was referencing the precise source and destination, preventing accidental overwrites or misplacements.

[Screenshot: Copying files to another directory]

### Auditing Directories to Verify Evidence Integrity

Employee A’s folder now contains only 'log_evidence' and 'web_evidence,' as the 'email_evidence' file was moved to Employee B’s directory, based on updated information linking the email leaks to B. Employee B’s folder now holds both 'email_evidence' (moved from A) and 'log_evidence' (copied from A). This ensures that shared logs are preserved for cross-analysis, while isolating the email-specific evidence to Employee B's investigation.

[Screenshot: Checking files in Internal_Investigation_Employee_A directory]
[Screenshot: Checking files in Internal_Investigation_Employee_B directory]
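
The folder setup, absolute-path reassignment and audit steps above, as an added example that is not part of the original lab: it creates both Employee folders in a throwaway workspace, moves email_evidence and copies log_evidence with absolute paths, and goes one step beyond the lab's ls check by hashing the log before and after the copy so the audit compares content, not just filenames. The workspace path, the file contents and copy_manifest.txt are constructed for the example.

```shell
#!/bin/sh
# Added example (not the lab's own commands): per-suspect folders, absolute-path
# mv/cp, and a hash check that proves the copied log is byte-for-byte identical.
set -e

# Digest of one file: sha256sum on Linux, shasum on macOS. Prints the hex only.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Create both case folders under the workspace $1 (standing in for take_5) and
# seed Employee A's folder with two constructed evidence files.
setup_case() {
    a="$1/Internal_Investigation_Employee_A"
    mkdir -p "$a" "$1/Internal_Investigation_Employee_B"
    printf 'login employee_a 10.0.0.7\n' > "$a/log_evidence"     # constructed
    printf 'to: rival@example.invalid\n' > "$a/email_evidence"   # constructed
}

# Move the email evidence from A to B and copy the shared log. Every path is
# absolute, so the result does not depend on the caller's working directory.
reassign_evidence() {
    ws=$(cd "$1" && pwd)   # normalise whatever the caller passed to an absolute path
    a="$ws/Internal_Investigation_Employee_A"
    b="$ws/Internal_Investigation_Employee_B"
    mv "$a/email_evidence" "$b/email_evidence"
    before=$(hash_file "$a/log_evidence")
    cp "$a/log_evidence" "$b/log_evidence"
    after=$(hash_file "$b/log_evidence")
    # A copy whose digest differs is not evidence: stop instead of carrying on.
    [ "$before" = "$after" ] || { echo "hash mismatch on log_evidence" >&2; return 1; }
    # Record the digest so a later audit can re-verify the copy.
    printf '%s  %s\n' "$after" "$b/log_evidence" >> "$ws/copy_manifest.txt"
}

# Audit helper: list a folder's files one per line, sorted by ls.
audit_dir() { ( cd "$1" && ls -1 ); }

# Demo in a throwaway workspace.
ws=$(mktemp -d)
setup_case "$ws"
reassign_evidence "$ws"
echo "Employee A:"; audit_dir "$ws/Internal_Investigation_Employee_A"
echo "Employee B:"; audit_dir "$ws/Internal_Investigation_Employee_B"
```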

### Navigating to the Forensic Workspace

I used cd to navigate to the centralized forensic workspace, a directory pre-configured by my manager to store all evidence related to the insider threat investigation.

[Screenshot: Navigating to oh_henry directory]

### Inspecting Henry’s Files

I moved into the 'Henry' subdirectory using cd, which contains all files extracted from Henry’s workstation. Then, I used ls to list all files within the directory for review.

[Screenshot: Navigating into Henry directory]

### Previewing Henry’s Files

By using head with the -n option, I previewed the contents of the files to determine which ones were readable and which were obfuscated.

[Screenshots: Previewing files]

### Removing Non-Readable Files

I used rm to remove all non-readable files from the directory, ensuring that only relevant and accessible evidence remained for analysis.

[Screenshot: Removing files]

### Switching Focus to Ruth’s Directory

I used cd ../Ruth to move up one level to the parent folder and then navigated into Ruth’s dedicated directory. Once there, I used ls to list all files within the directory for review.

[Screenshot: Navigating into Ruth directory]

### Previewing Ruth’s Files

Using head with the -n option allowed me to preview the files, helping to identify which ones were readable and which were obfuscated.

[Screenshots: Previewing files]

### Removing Non-Readable Files

I used rm to remove all non-readable files from the directory, ensuring that only relevant, accessible files remained for further analysis.

[Screenshot: Removing files]
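
The preview-and-remove triage applied to Henry's and then Ruth's folders, as an added example that is not part of the original lab: it previews each file with head -n, decides mechanically whether a file is readable text, and sets unreadable files aside in a quarantine folder instead of deleting them, so an obfuscated file that later proves relevant is still recoverable. The folder name, file names and contents are constructed.

```shell
#!/bin/sh
# Added example (not the lab's own commands): preview each file in a suspect's
# folder, then separate readable text from obfuscated or binary files. Instead of
# deleting the unreadable ones, they are moved to a quarantine folder.
set -e

# Readable text = no byte outside the printable and whitespace classes.
# LC_ALL=C makes grep look at raw bytes rather than multibyte characters.
is_readable_text() { ! LC_ALL=C grep -q '[^[:print:][:space:]]' "$1"; }

# First N lines of a file under a name banner (the lab's head -n, labelled);
# cat -v shows control bytes as ^X instead of sending them to the terminal.
preview() { printf '== %s ==\n' "$2"; head -n "$1" "$2" | cat -v; }

# Sort a folder: readable files stay, the rest move to DIR/unreadable_quarantine.
# Prints how many readable files remain.
triage_dir() {
    dir="$1"; q="$dir/unreadable_quarantine"; kept=0
    mkdir -p "$q"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips the quarantine folder itself
        if is_readable_text "$f"; then kept=$((kept + 1)); else mv "$f" "$q/"; fi
    done
    echo "$kept"
}

# Constructed sample folder: two plain-text notes and one file of raw bytes.
make_sample() {
    mkdir -p "$1"
    printf 'Meeting with Sugar Corp moved to Friday.\n' > "$1/notes.txt"
    printf 'shipping list: guavaberry, cocoa\n' > "$1/list.txt"
    printf '\001\002\377\376obfuscated\n' > "$1/blob.dat"
}

d=$(mktemp -d)/Henry
make_sample "$d"
for f in "$d"/*; do preview 2 "$f"; done
echo "readable files kept: $(triage_dir "$d")"
echo "quarantined:"; ls -1 "$d/unreadable_quarantine"
```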

### Navigating to the Central Evidence Directory

I used cd to navigate to the dedicated investigation directory, a pre-configured folder designed to securely house all evidence and prevent any accidental interaction with live systems.

[Screenshot: Navigating into working directory]

### Creating a Dedicated Directory for Combined Evidence

I used mkdir to create the 'Evidence_for_Authorities' directory. Then, using the ls command, I confirmed that the 'Evidence_for_Authorities' directory now existed alongside Henry's and Ruth's directories.

[Screenshot: Creating a new directory]

### Navigating Through Directories to Gather Potential Evidence

I used the cd command to navigate into the suspected directories, using ls along the way to list the contents and confirm that I was in the correct location.

[Screenshot: Gathering evidence]

### Copying Files into the ‘Evidence_for_Authorities’ Directory

I used the cp command with an absolute path to copy the identified files into the 'Evidence_for_Authorities' directory, ensuring they were safely placed in the correct location. Before executing the command, I previewed the text documents using less to confirm that the content was readable. To maintain a clear record, I made sure the filenames remained unchanged during the copy process. Afterward, I ran ls within the directory to verify that the files were successfully copied.

[Screenshots: Copying evidence]

### Concatenating All Potential Evidence into a Single File

I used the cat command to concatenate all the evidence files into a single file named 'Candy-Evidence.txt' within the 'Evidence_for_Authorities' directory. Afterward, I used head to check the contents of the file, ensuring that the data had merged correctly without any errors.

[Screenshot: Candy-Evidence file]

### Navigating into the Working Directory

I used the cd command to enter the designated working directory for this investigation. Then, I used ls to confirm that the expected log files were present before proceeding.

[Screenshot: Navigating into working directory]

### Counting the Number of Connections to IP Addresses

I used the wc -w command to count the number of words in each log file, with each word corresponding to an IP address. This command printed the total word count for each file, indicating the number of IP connections per website.

[Screenshot: Number of connections]

### Navigating into the Working Directory

Using the cd command, I navigated to the designated working directory where the investigation would be conducted.

[Screenshot: Navigating into PeanutButtery.net directory]

### Searching for Directories with the Word “secret”

I used the find command to search for directories with 'secret' in their names. This command searched recursively within the specified path, identifying all directories (denoted by -type d) containing 'secret' in their name, regardless of case (using -iname).

[Screenshot: Secret directories]

### Searching for All Files with the Word “recipe”

I used the find command to search for files with 'recipe' in their names. This command searched recursively within the specified directory for files (-type f) that contained 'recipe' in their name, ignoring case sensitivity (-iname).

[Screenshot: Recipe files]

### Navigating into the Working Directory

I used the cd command to navigate into the designated working directory. Additionally, I ran ls to verify that the expected files and folders were present before proceeding.

[Screenshot: Navigating into working directories]

### Finding All Recipes with Guavaberries

I used the grep -i command to search for the keyword 'guavaberry' across all recipe files in the working directory. This command scanned all text files for case-insensitive matches, ensuring that all relevant instances were identified.

[Screenshot: Search for guavaberries]
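
The three find/grep searches above (directories named "secret", files named "recipe", and recipe files mentioning guavaberry), as an added example that is not part of the original lab. It uses the same -type, -iname and -i flags as the lab and adds find -exec so that file names containing spaces survive the hand-off from find to grep. The directory tree, file names and contents are constructed stand-ins for the PeanutButtery.net share.

```shell
#!/bin/sh
# Added example (not the lab's own commands): locate "secret" directories and
# "recipe" files under a seized tree, then search the recipe files for an
# ingredient. Paths and contents are constructed.
set -e

# Directories whose name contains "secret" in any case (-iname matches the
# basename only), sorted so output is stable.
find_secret_dirs() { find "$1" -type d -iname '*secret*' | sort; }

# Regular files whose name contains "recipe" in any case.
find_recipe_files() { find "$1" -type f -iname '*recipe*' | sort; }

# Recipe files that mention an ingredient, case-insensitively. -exec ... {} +
# hands the file names to grep directly, so spaces in names are safe; grep -l
# prints only the matching file's name.
recipes_with() {
    find "$2" -type f -iname '*recipe*' -exec grep -il -- "$1" {} + | sort
}

# Constructed tree: one recipe sits in a folder with a space in its name, one
# "guavaberry" hit is in a non-recipe file and must not be reported.
make_tree() {
    mkdir -p "$1/docs/SECRET stash" "$1/hr/Top_Secret/old" "$1/public"
    printf 'guavaberry 2 cups\nsugar 1 cup\n' > "$1/docs/SECRET stash/fudge_Recipe.txt"
    printf 'cocoa, milk\n' > "$1/hr/Top_Secret/old/recipe-toffee.txt"
    printf 'GuavaBerry syrup\n' > "$1/public/menu.txt"
    printf 'Guavaberry jelly base\n' > "$1/public/RECIPE_jelly.md"
}

root=$(mktemp -d)
make_tree "$root"
echo "secret directories:"; find_secret_dirs "$root"
echo "recipe files:"; find_recipe_files "$root"
echo "recipes with guavaberry:"; recipes_with guavaberry "$root"
```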

### Navigating into the Working Directory

I used the cd command to navigate into the designated working directory, ensuring I was in the correct location to carry out the investigation.

[Screenshot: Navigating into directory]

### Creating the ‘Sugar_Evidence’ Directory

I used the mkdir command to create a new directory named 'Sugar_Evidence.' After creating the directory, I verified its existence by running ls in the parent directory to ensure it had been created successfully.

[Screenshot: Creating a new directory]

### Searching for Emails Referencing "sugar"

I used the grep -i command to search for the term 'sugar' within the email files. This performed a case-insensitive search across all email files in the directory and redirected the results, including filenames and matching lines, into a file named 'sugar_email_evidence.' To quantify the occurrences, I piped the output of the grep command to the wc command to count the number of matches.

[Screenshot: List and number of emails]

### Searching for Weblogs Referencing Sugar Corp's IP Address

I used the grep -i command to search for the specific IP address associated with Sugar Corp across all weblog files. This command captured all occurrences of the IP address, including the filenames and matching lines, and saved the output to a file named 'web_evidence' for further analysis.

[Screenshot: List and number of IPs]

### Moving the Sugar Web Evidence File to the ‘Sugar_Evidence’ Directory

I used the mv command with an absolute path to move the identified Sugar web evidence file into the 'Sugar_Evidence' directory, ensuring proper organization and secure placement of the file.

[Screenshot: Moving a file]

### Moving the Sugar Email Evidence File to the ‘Sugar_Evidence’ Directory

I used the mv command with an absolute path to move the Sugar email evidence file into the 'Sugar_Evidence' directory, ensuring precise relocation to the correct folder.

[Screenshot: Moving a file]

### Combining the Sugar Email Evidence File and the Sugar Web Evidence File

I used the cat command to concatenate both files into a single, consolidated file named 'Sugar_evidence_for_authorities.' Afterward, I used cat again to verify the contents of the newly created file in the 'Sugar_Evidence' directory, ensuring accuracy and completeness.

[Screenshot: Combining files]
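
The Sugar Corp collection steps above (grep -i over the emails, the IP search over the weblogs, the two mv commands and the final cat), together with the earlier wc -w connection count, as an added example that is not part of the original lab. It adds two checks a bare grep does not make: the IP is matched literally and as a whole word, so 203.0.113.5 does not also match 203.0.113.50, and IP occurrences are counted per address rather than per log line. The email and log contents, the 203.0.113.x addresses (documentation range) and the folder layout are constructed.

```shell
#!/bin/sh
# Added example (not the lab's own commands): Sugar Corp evidence collection
# with literal, whole-word IP matching and per-address counting. Data constructed.
set -e

# Total words in the weblogs; each word is one address, as in the lab's wc -w.
total_connections() { cat "$1"/*.log | wc -w | tr -d ' '; }

# Emails mentioning "sugar" in any case, as file:line (-H forces the file name
# even for a single file). grep exits 1 on no match; treat that as empty output.
sugar_emails() { grep -iH sugar "$1"/*.eml || true; }

# Weblog lines containing the IP. -F makes the dots literal ("." would match any
# character) and -w stops 203.0.113.5 from also matching 203.0.113.50.
ip_hits() { grep -FwH -- "$1" "$2"/*.log || true; }

# Occurrences of the IP: grep -c would count lines, and a line here holds several
# addresses, so print each match on its own line (-o) and count those.
count_ip() { grep -Fow -- "$1" "$2"/*.log | wc -l | tr -d ' '; }

# Build Sugar_Evidence with absolute paths; prints the combined file's line count.
build_sugar_evidence() {
    ws=$(cd "$1" && pwd); sd="$ws/Sugar_Evidence"
    mkdir -p "$sd"
    sugar_emails "$ws/emails" > "$ws/sugar_email_evidence"
    ip_hits "$2" "$ws/weblogs" > "$ws/web_evidence"
    mv "$ws/sugar_email_evidence" "$sd/"
    mv "$ws/web_evidence" "$sd/"
    cat "$sd/sugar_email_evidence" "$sd/web_evidence" > "$sd/Sugar_evidence_for_authorities"
    wc -l < "$sd/Sugar_evidence_for_authorities" | tr -d ' '
}

# Constructed workspace. 203.0.113.5 stands in for Sugar Corp; 203.0.113.50 is a
# decoy that an unanchored grep would also report.
make_workspace() {
    mkdir -p "$1/emails" "$1/weblogs"
    printf 'Subject: lunch\nSUGAR Corp wants the fudge recipe\n' > "$1/emails/1.eml"
    printf 'Subject: hi\nnothing to see here\n' > "$1/emails/2.eml"
    printf '203.0.113.5 198.51.100.9 203.0.113.5\n203.0.113.50 198.51.100.9\n' > "$1/weblogs/candy.log"
}

w=$(mktemp -d)
make_workspace "$w"
echo "total connections: $(total_connections "$w/weblogs")"
echo "from 203.0.113.5: $(count_ip 203.0.113.5 "$w/weblogs")"
echo "combined evidence lines: $(build_sugar_evidence "$w" 203.0.113.5)"
```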