==========================================
PCAP FORENSICS WORKSTATION
==========================================
TShark Version: 3.6.2
Available PCAP: breach.pcap
CASE: Suspected data breach at TechCorp Industries
Your mission: Analyze the capture and determine what happened.
System Ready. Type 'help' for available commands.
forensics@wireshark:~$
Indicators of Compromise (IOCs)
IP Addresses
Domains
File Hashes
Attack Timeline Builder
1. Initial Compromise
2. Reconnaissance
3. C2 Establishment
4. Data Exfiltration
Events to place on the timeline:
Suspicious DNS to evil-c2.com
HTTP POST with database dump
Multiple internal DNS queries
Phishing email attachment opened