
ISE 640 Lab Six Guidelines and Rubric Log Correlation

Overview: You will be completing several labs throughout this course. The purpose of these labs is twofold:

• The experience will provide you with valuable opportunities to “walk a mile” in the shoes of a forensic practitioner performing basic forensic tasks. Gaining this type of experience is necessary in managing and relating to the individuals and teams with whom you will interact in the field.

• Practice the communication and writing skills you will need to employ in both pieces of your final project. It is important to note that these activities are important to your final project but do not share the same scenario as your final project. They are practice opportunities that focus on a specific but smaller set of topics and skills. You will complete a lab “briefing” paper and submit it to your instructor for grading. A template of this brief is provided for you.

Scenario: In the previous labs, Labs 2 and 3, you were given the following scenario: While working for ACME Construction Company, you have been tasked with an investigation of a Windows 8 hard drive. You have been told that your company suspects a high-level employee of a policy violation. It is believed that Drew Patrick wrongfully copied sensitive corporate documents containing valuable intellectual property (IP) to his personal computer. Further, there is reason to believe that he may have then provided the documents to a competitor. Due to the value of the IP, the investigation has moved from a simple incident response to a forensic investigation. In Lab 2, you finished creating and verifying an image for use in the forensic lab. Lab 3 had you looking for anything unusual on the suspect’s computer that may indicate that Drew was covering his tracks. Evidence of a separate anonymous login was found.

Lab 6 will have you analyzing log files to determine the details surrounding a Windows server that was accessed, possibly in relation to the IP incident you were investigating earlier. Although the server in question was not Drew’s desktop computer, evidence may be found in many different places during the course of an investigation. Snort is a tool that is used to perform log correlation and is often used by the security operations center (SOC) in daily analysis as well as in investigations. You will have the opportunity to configure and use Snort in the lab.

*There is one extra step that will be required in the lab. Under the “Splunk Log Correlation” section, Step 1 has you start Splunk. The lab version of Snort is unlicensed and you will need to select the “Free license,” then follow the prompts to restart the instance of Snort.

Be certain to properly document your investigation, including capturing a screenshot of the anonymous login, the administrator login, and the final evidence from the physical security log.

Prompt: In your report, be sure to address the following critical elements:

1. Provide a brief summary of the lab. What did you do in the lab? How did it work? What did you look for/find?
2. Briefly describe the specific practices or resources that were most important in supporting the investigation and maintaining evidentiary integrity in this lab. For example:
   a) Chain of custody practices
   b) Digital forensic tools
   c) Incident response tactics
3. Briefly describe best practices or resources necessary in terms of next steps in this lab scenario.
4. Include screenshots that support #2 and #3 in your briefing.
5. Ensure your entire briefing is appropriate to your internal audience, employing brevity and consumable language (in this lab, your audience will be your teammates/company attorneys/executive team).

Rubric

Each critical element is scored as Proficient (100%), Needs Improvement (75%), or Not Evident (0%); the value is the element's weight in the final grade.

Lab Summary (Value: 19)
  Proficient (100%): Provides brief summary of the lab
  Needs Improvement (75%): Provides brief summary of the lab, but summary is cursory or contains inaccuracies
  Not Evident (0%): Does not provide lab name and brief summary of the lab

Specific Practices or Resources (Value: 19)
  Proficient (100%): Briefly describes specific practices or resources that were most important in supporting the investigation and maintaining evidentiary integrity in this lab
  Needs Improvement (75%): Describes specific practices or resources that were most important in supporting the investigation and maintaining evidentiary integrity in this lab, but rationale is illogical, inaccurate, or lacks necessary details
  Not Evident (0%): Does not describe specific practices or resources

Next Steps (Value: 19)
  Proficient (100%): Briefly describes best practices or resources necessary in terms of next steps in this scenario
  Needs Improvement (75%): Briefly describes best practices or resources necessary in terms of next steps in this scenario, but rationale is illogical, inaccurate, or lacks necessary details
  Not Evident (0%): Does not describe best practices or resources

Screenshots (Value: 19)
  Proficient (100%): Includes screenshots that directly support practices and necessary resources
  Needs Improvement (75%): Includes screenshots, but does not include all necessary screenshots required, or those provided do not directly support practices and necessary resources
  Not Evident (0%): Does not include screenshots

Internal Audience (Value: 19)
  Proficient (100%): Appropriate to internal audience, employing brevity and consumable language
  Needs Improvement (75%): Submission is appropriate to internal audience but does not employ brevity or consumable language
  Not Evident (0%): Submission is not appropriate to internal audience

Articulation of Response (Value: 5)
  Proficient (100%): Submission has no major errors related to citations, grammar, spelling, or organization
  Needs Improvement (75%): Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas
  Not Evident (0%): Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas

Total: 100%