https://github.com/augustinefosumanu/proprietary-recipe-data-breach

This lab focuses on investigating a suspected insider compromise involving unauthorized disclosure of proprietary confectionery recipes at a fictional corporation.
# Insider Threat Forensics Lab: Investigating Data Breaches at Candy Corp (Fictitious Organization)

In this lab, I assumed the role of a junior cybersecurity administrator tasked with investigating a critical data breach at Candy Corp. The lab focused on:

- Forensic Evidence Management: Constructing secure repositories to catalog and analyze logs, emails, and digital artifacts tied to insider threats.

- Insider Threat Analysis: Identifying collusion between employees leaking proprietary recipes to a competitor, Sugar Corp.

- Critical Data Recovery: Locating hidden sensitive data, analyzing encrypted files, and isolating evidence tied to stolen intellectual property.

- Court-Ready Reporting: Compiling a comprehensive evidence dossier to support legal action.

## Step 1: Navigating to secure my workspace

I navigate into the take_5 directory using the cd command, stepping into my designated forensic workspace. Think of this folder as a virtual crime scene—carefully quarantined to maintain the integrity of the evidence within.

*Screenshot: Navigating into take_5 Directory*

## Step 2: Creating a Case-Specific Investigation Folder

I use the mkdir command to create the 'Internal_Investigation_Employee_A' folder, following a clear and precise naming convention to ensure it is dedicated exclusively to this suspect's activities. To confirm I am in the correct directory, I run pwd. This verification step is critical—even a minor typo could lead to unintended modifications of live system files. By double-checking, I also ensure the folder was created successfully, avoiding potential errors from working in an incorrect location later on.

*Screenshot: Creating Internal_Investigation_Employee_A Directory*
*Screenshot: Navigating into Internal_Investigation_Employee_A Directory*

## Step 3: Initializing Core Evidence Files

I navigate into the dedicated investigation folder to ensure that all files are created in the correct location. Upon discovering that 'web_evidence' is irrelevant (as Candy Corp has no web logs), I delete it using the rm command, adapting my investigation approach as new information arises. I then use ls to list the directory and verify that all necessary files are present. Missing a file at this stage could result in overlooked evidence later in the process.

*Screenshot: Creating multiple files within the current directory*
*Screenshot: Deleting a file*
*Screenshot: Listing all files created*

## Step 4: Creating a Second Investigation Directory

I use the mkdir command to create the 'Internal_Investigation_Employee_B' folder. This naming convention maintains clarity by distinctly separating the investigation data for each suspect.

*Screenshot: Creating additional directory*

## Step 5: Reassigning Evidence with Absolute Paths

By using mv with absolute paths, I ensure that I'm explicitly targeting the correct file and destination, regardless of my current working directory. This approach prevents accidental misplacement of files during the process.

*Screenshot: Moving files to another directory*

## Step 6: Copying Shared Log Evidence with Absolute Paths

Using cp with absolute paths ensures I'm referencing the precise source and destination, preventing accidental overwrites or misplacements.

*Screenshot: Copying files to another directory*

## Step 7: Auditing Directories to Verify Evidence Integrity

Employee A’s folder now contains only 'log_evidence' and 'web_evidence,' as the 'email_evidence' file was moved to Employee B’s directory, based on the updated information that the email leaks are associated with B. Employee B’s folder now holds both 'email_evidence' (moved from A) and 'log_evidence' (copied from A). This ensures that shared logs are preserved for cross-analysis while isolating the email-specific evidence to Employee B's investigation.

*Screenshot: Checking files in Internal_Investigation_Employee_A directory*
*Screenshot: Checking files in Internal_Investigation_Employee_B directory*
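The Step 1 to 7 layout as a script, with one check the lab's ls audit does not give: each copy is verified by SHA-256 digest, and a manifest of every evidence file is produced for the case record. This is an added example, not the lab's own commands; it assumes GNU coreutils (sha256sum) and uses a throwaway workspace with constructed placeholder file contents.

```shell
#!/usr/bin/env bash
set -u

# Build the Step 1-7 layout under an absolute workspace path: both suspect
# folders, the three seed files for Employee A, web_evidence removed (Step 3),
# email_evidence reassigned to B with mv, log_evidence shared with B via cp.
setup_case() {
    local ws="$1" a b
    a="$ws/Internal_Investigation_Employee_A"
    b="$ws/Internal_Investigation_Employee_B"
    mkdir -p "$a" "$b"
    # Constructed placeholder content standing in for the lab's evidence files.
    printf 'constructed email sample\n' > "$a/email_evidence"
    printf 'constructed log sample\n'   > "$a/log_evidence"
    printf 'constructed web sample\n'   > "$a/web_evidence"
    rm "$a/web_evidence"
    mv "$a/email_evidence" "$b/email_evidence"
    cp "$a/log_evidence"   "$b/log_evidence"
}

# Return 0 only if both files hash identically: a copy is trusted for
# cross-analysis because its digest matches, not because cp reported no error.
verify_copy() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Manifest of every evidence file with its SHA-256, sorted by path; keep it
# with the case so later modification of any file is detectable.
manifest() {
    find "$1" -type f -exec sha256sum {} + | sort -k2
}

# Demo in a throwaway workspace.
ws=$(mktemp -d)
setup_case "$ws"
if verify_copy "$ws/Internal_Investigation_Employee_A/log_evidence" \
               "$ws/Internal_Investigation_Employee_B/log_evidence"; then
    echo "log_evidence copy verified"
fi
manifest "$ws"
rm -rf "$ws"
```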

## Step 8: Navigating to the Forensic Workspace

I use cd to navigate to the centralized forensic workspace, a directory pre-configured by my manager to store all evidence related to the insider threat investigation.

*Screenshot: Navigating to oh_henry directory*

## Step 9: Inspecting Henry’s Files

I move into the 'Henry' subdirectory using cd, which contains all files extracted from Henry’s workstation. Then, I use ls to list all files within the directory for review.

*Screenshot: Navigating into Henry directory*

## Step 10: Previewing Henry’s Files

By using head with the -n option, I can preview the contents of the files to determine which ones are readable and which are obfuscated.

*Screenshot: Previewing files*

## Step 11: Removing Non-Readable Files

I use rm to remove all non-readable files from the directory, ensuring that only relevant and accessible evidence remains for analysis.

*Screenshot: Removing files*

## Step 12: Switching Focus to Ruth’s Directory

I use cd ../Ruth to move up one level to the parent folder and then navigate into Ruth’s dedicated directory. Once there, I use ls to list all files within the directory for review.

*Screenshot: Navigating into Ruth directory*

## Step 13: Previewing Ruth’s Files

Using head with the -n option allows me to preview the files, helping to identify which ones are readable and which are obfuscated.

*Screenshot: Previewing files*

## Step 14: Removing Non-Readable Files

I use rm to remove all non-readable files from the directory, ensuring that only relevant, accessible files remain for further analysis.

*Screenshot: Removing files*

## Step 15: Navigating to the Central Evidence Directory

I use cd to navigate to the dedicated investigation directory, a pre-configured folder designed to securely house all evidence and prevent any accidental interaction with live systems.

*Screenshot: Navigate into working directory*

## Step 16: Creating a Dedicated Directory for Combined Evidence

I use mkdir to create the 'Evidence_for_Authorities' directory. Then, using the ls command, I confirm that the 'Evidence_for_Authorities' directory now exists alongside Henry's and Ruth's directories.

*Screenshot: Creating a new directory*

## Step 17: Navigating through directories to gather potential evidence

I use the cd command to navigate into the suspected directories, using ls along the way to list the contents and confirm that I am in the correct location.

*Screenshot: Gathering evidence*

## Step 18: Copying files into the 'Evidence_for_Authorities' directory

I use the cp command with an absolute path to copy the identified files into the 'Evidence_for_Authorities' directory, ensuring they are safely placed in the correct location. Before executing the command, I preview the text documents using less to confirm that the content is readable. To maintain a clear record, I ensure that the filenames remain unchanged during the copy process. Afterward, I run ls within the directory to verify that the files were successfully copied.

*Screenshot: Copying evidence*

## Step 19: Concatenating all potential evidence into a single file

I use the cat command to concatenate all the evidence files into a single file named 'Candy-Evidence.txt' within the 'Evidence_for_Authorities' directory. Afterward, I use head to check the contents of the file, ensuring that the data has merged correctly without any errors.

*Screenshot: Candy-evidence file*
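The readable-versus-obfuscated sorting of Steps 10 to 14 and the copy-and-concatenate of Steps 18 and 19, as functions. This is an added example, not the lab's own commands: it decides readability by testing the first bytes for non-printable characters instead of eyeballing head output, and the merged file carries a header with each source path and SHA-256, which a plain cat loses. It assumes GNU coreutils and grep, and the Henry files are constructed.

```shell
#!/usr/bin/env bash
set -u

# Return 0 when the first 512 bytes hold only printable ASCII and whitespace,
# which is what "readable" meant when previewing with head -n in Steps 10-13.
# LC_ALL=C makes grep compare raw bytes; -a stops it short-circuiting on binary.
is_readable() {
    ! head -c 512 "$1" | LC_ALL=C grep -aq '[^[:print:][:space:]]'
}

# Print the files in a directory that are readable ("text") or not ("other").
classify() {
    local dir="$1" want="$2" f kind
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_readable "$f"; then kind=text; else kind=other; fi
        if [ "$kind" = "$want" ]; then echo "$f"; fi
    done
    return 0
}

# Copy each readable file (name unchanged, as in Step 18) into the evidence
# directory and append it to Candy-Evidence.txt behind a header naming the
# source path and its SHA-256, so the merged file keeps per-file provenance.
compile_evidence() {
    local src="$1" out_dir="$2" f
    mkdir -p "$out_dir"
    : > "$out_dir/Candy-Evidence.txt"
    classify "$src" text | while IFS= read -r f; do
        cp "$f" "$out_dir/"
        {
            printf '===== %s (sha256 %s) =====\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
            cat "$f"; printf '\n'
        } >> "$out_dir/Candy-Evidence.txt"
    done
}

# Demo on constructed files: two readable notes and one obfuscated blob.
demo=$(mktemp -d)
mkdir "$demo/Henry"
printf 'Meeting with Sugar Corp on Friday\n' > "$demo/Henry/notes.txt"
printf 'Fudge recipe v2: guavaberry, butter\n' > "$demo/Henry/recipe.txt"
printf '\000\001\002\377\376' > "$demo/Henry/blob.dat"
echo "non-readable:"; classify "$demo/Henry" other
compile_evidence "$demo/Henry" "$demo/Evidence_for_Authorities"
cat "$demo/Evidence_for_Authorities/Candy-Evidence.txt"
rm -rf "$demo"
```

Files classified as non-readable are only listed here, not deleted, so the originals stay available if a later step needs them.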

## Step 20: Navigating into the working directory

I use the cd command to enter the designated working directory for this investigation. Then, I use ls to confirm that the expected log files are present before proceeding.

*Screenshot: Navigating into working directory*

## Step 21: Counting the number of connections to IP addresses

I use the wc -w command to count the number of words in each log file, with each word corresponding to an IP address. This command outputs the total word count for each file, which indicates the number of IP connections per website.

*Screenshot: Number of connections*

## Step 22: Navigating into the working directory

Using the cd command, I navigate to the designated working directory where the investigation will be conducted.

*Screenshot: Navigating into PeanutButtery.net directory*

## Step 23: Searching for directories with the word 'secret'

I use the find command to search for directories with 'secret' in their names. This command searches recursively within the specified path, identifying all directories (denoted by -type d) containing 'secret' in their name, regardless of case (using -iname).

*Screenshot: Secret directories*

## Step 24: Searching for all files with the word 'recipe'

I use the find command to search for files with 'recipe' in their names. This command searches recursively within the specified directory for files (-type f) that contain 'recipe' in their name, ignoring case sensitivity (-iname).

*Screenshot: Recipe files*

## Step 25: Navigating into the working directory

I use the cd command to navigate into the designated working directory. Additionally, I run ls to verify that the expected files and folders are present before proceeding.

*Screenshot: Navigating into working directories*

## Step 26: Finding all recipes with guavaberries

I use the grep -i command to search for the keyword 'guavaberry' across all recipe files in the working directory. This command scans all text files for case-insensitive matches, ensuring that all relevant instances are identified.

*Screenshot: Search for guavaberries*
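The searches of Steps 23, 24 and 26 as functions over a constructed directory tree. This is an added example, not the lab's own commands; it assumes GNU find and grep. One detail worth having in front of you: -iname matches the whole file name, so finding names that merely contain 'secret' needs the pattern '*secret*'.

```shell
#!/usr/bin/env bash
set -u

# Directories whose name contains "secret", any case. -iname matches the whole
# name, so '*secret*' is required; a bare -iname secret would only find a
# directory named exactly "secret".
find_secret_dirs() { find "$1" -type d -iname '*secret*' | sort; }

# Files whose name contains "recipe", any case.
find_recipe_files() { find "$1" -type f -iname '*recipe*' | sort; }

# Recipe files that mention a term (case-insensitive). -exec ... {} + hands the
# paths to grep directly, so names with spaces need no extra quoting; grep -l
# prints each matching file once instead of every matching line. A no-match
# grep exit code is swallowed by the pipe to sort, so an empty result is not
# treated as an error.
recipes_with() {
    local root="$1" term="$2"
    find "$root" -type f -iname '*recipe*' -exec grep -il -- "$term" {} + | sort
}

# Demo on a constructed tree.
root=$(mktemp -d)
mkdir -p "$root/Top_Secret" "$root/SecretPlans" "$root/public"
printf 'Fudge: butter, guavaberry, cocoa\n' > "$root/Top_Secret/recipe_fudge.txt"
printf 'Caramel: sugar, cream\n'             > "$root/public/Recipe Caramel.md"
printf 'nothing here\n'                      > "$root/SecretPlans/notes.txt"
echo "== secret directories";            find_secret_dirs "$root"
echo "== recipe files";                  find_recipe_files "$root"
echo "== recipes mentioning guavaberry"; recipes_with "$root" guavaberry
rm -rf "$root"
```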

## Step 27: Navigating into the working directory

I use the cd command to navigate into the designated working directory, ensuring I'm in the correct location to carry out the investigation.

*Screenshot: Navigating into directory*

## Step 28: Creating the 'Sugar_Evidence' directory

I use the mkdir command to create a new directory named 'Sugar_Evidence.' After creating the directory, I verify its existence by running ls in the parent directory to ensure it's been created successfully.

*Screenshot: Creating a new directory*

## Step 29: Searching for emails referencing 'sugar'

I use the grep -i command to search for the term 'sugar' within the email files. This performs a case-insensitive search across all email files in the directory and redirects the results, including filenames and matching lines, into a file named 'sugar_email_evidence.' To quantify the occurrences, I pipe the output of the grep command to the wc command to count the number of matches.

*Screenshot: List and number of emails*

## Step 30: Searching for weblogs referencing Sugar Corp's IP address

I use the grep -i command to search for the specific IP address associated with Sugar Corp across all weblog files. This command captures all occurrences of the IP address, including the filenames and matching lines, and saves the output to a file named 'web_evidence' for further analysis.

*Screenshot: List and number of IPs*

## Step 31: Moving the Sugar web evidence file to the 'Sugar_evidence' directory

I use the mv command with an absolute path to move the identified Sugar web evidence file into the 'Sugar_evidence' directory, ensuring proper organization and secure file placement.

*Screenshot: Moving a file*

## Step 32: Moving the Sugar email evidence file to the 'Sugar_evidence' directory

I use the mv command with an absolute path to move the Sugar email evidence file into the 'Sugar_evidence' directory, ensuring precise file relocation to the appropriate folder.

*Screenshot: Moving a file*

## Step 33: Combining both the Sugar email evidence file and the Sugar web evidence file

I use the cat command to concatenate both files into a single, consolidated file named 'Sugar_evidence_for_authorities.' Afterward, I use cat again to verify the contents of the newly created file in the 'Sugar_evidence' directory, ensuring accuracy and completeness.

*Screenshot: Combining files*
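The email and weblog searches of Steps 29 to 33, plus the connection tally of Step 21, as functions over constructed mail and log files. This is an added example, not the lab's own commands, and it adds two checks the bare grep and wc invocations do not make explicit: a dotted IP is matched as a fixed string and a whole word (grep -F -w), because '.' is a regex wildcard and 10.1.1.1 is also a substring of 10.1.1.12; and where a log line holds more than one field, the IPs are extracted before counting, since wc -w counts every token. It assumes GNU grep and coreutils; the IP and file contents are constructed.

```shell
#!/usr/bin/env bash
set -u
# Emails mentioning "sugar" in any case. -H forces "file:line" even for a
# single file; the match count is returned on stdout (Step 29's wc).
search_emails() {
    local mail_dir="$1" out="$2"
    grep -iH -- 'sugar' "$mail_dir"/* > "$out" || true   # exit 1 = no matches
    wc -l < "$out"
}

# Weblog lines for one IP. -F treats the dots literally (as a regex "." would
# also match 10x1x1x1) and -w stops 10.1.1.1 matching inside 10.1.1.12.
search_weblogs_for_ip() {
    local log_dir="$1" ip="$2" out="$3"
    grep -FwH -- "$ip" "$log_dir"/* > "$out" || true
    wc -l < "$out"
}

# Connections per IP: pull out every dotted quad first, then tally. wc -w
# would count every whitespace-separated token, not only the IPs.
connections_per_ip() {
    grep -Eoh '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1"/* | sort | uniq -c | sort -rn
}

# Steps 31-33: move both evidence files into the case directory and merge them,
# with a header per source so the origin of each line survives the cat.
combine_evidence() {
    local dest_dir="$1" out="$2" f; shift 2
    mkdir -p "$dest_dir"
    : > "$dest_dir/$out"
    for f in "$@"; do
        mv "$f" "$dest_dir/"
        printf '===== %s =====\n' "$(basename "$f")" >> "$dest_dir/$out"
        cat "$dest_dir/$(basename "$f")" >> "$dest_dir/$out"
    done
}

# Demo on constructed data (the IP 10.1.1.1 is a placeholder, not the lab's).
d=$(mktemp -d); mkdir "$d/emails" "$d/weblogs"
printf 'Re: pricing\nSugar Corp wants the fudge recipe\n' > "$d/emails/mail1.txt"
printf 'Lunch?\n' > "$d/emails/mail2.txt"
printf '10.1.1.1 GET /recipes\n10.1.1.12 GET /\n10.1.1.1 POST /upload\n' > "$d/weblogs/access1.log"
printf '110.1.1.1 GET /\n192.168.0.5 GET /\n' > "$d/weblogs/access2.log"
search_emails "$d/emails" "$d/sugar_email_evidence"
search_weblogs_for_ip "$d/weblogs" 10.1.1.1 "$d/web_evidence"
connections_per_ip "$d/weblogs"
combine_evidence "$d/Sugar_Evidence" Sugar_evidence_for_authorities "$d/sugar_email_evidence" "$d/web_evidence"
cat "$d/Sugar_Evidence/Sugar_evidence_for_authorities"
rm -rf "$d"
```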