Challenge 1 - Badge and Network Traffic
An embassy employee is suspected of sending data to an outside criminal organization from the Embassy.
We are providing two data sets to analyze. The first is a proximity (prox) card log. Prox cards are badges with electronic tags assigned to each Embassy employee. The cards are used to access the Embassy and areas of limited access within the Embassy. Each data record contains an employee number, prox card number, date/time of use and location of use. The data consists of logs covering a period of one month. The second set is a month’s worth of network traffic logs. Each employee has been assigned a desktop computer with a static IP address for use in their daily duties. The network traffic log data consists of the computer IP address, the employee number of the assigned user, outgoing and incoming activity from the computer including destination site, payload (request and response data) and port number.
Table 1: Example Prox Card data. The embassy is outfitted with prox card readers on the entrance to the building as well as the door to the restricted area inside the embassy. Employees generally badge into the building (i.e., actually present their badge to the badge reader) but may occasionally go against policy and piggyback (enter the building without badging in by following a coworker who did badge in). However, employees are required to prox into and out of the restricted area and no piggybacking is allowed. No records are kept of employees leaving the building. The data consist of a CSV file with values of the event datetime, the employee id, and the type of event (prox-in-building, prox-in-classified, prox-out-classified).
User Warning    datetime          employee ID   event
Synthetic Data  2008-01-01T08:03  51            prox-in-classified
Synthetic Data  2008-01-01T08:05  29            prox-in-building
Synthetic Data  2008-01-01T08:06  51            prox-out-classified
Synthetic Data  2008-01-01T08:08  2             prox-in-building
Synthetic Data  2008-01-01T08:11  23            prox-in-building
Table 2: Example IP Traffic data. Employees of the embassy have static IP addresses on their unclassified machines. Traffic on these machines is routinely monitored in case an employee is suspected of non-governmental use of their machine (reading too many chinchilla blogs). The data contains the sizes in bytes of the request (called request payload) and the response (called response payload), the port, the source IP address and the destination IP address.
USER WARNING SourceIP AccessTime DestIP Socket ReqSize RespSize
Synthetic Data 55.170.100.11 2008-10-01-08:02:54:985 242.82.167.209 80 1174 5370
Synthetic Data 55.170.100.20 2008-10-01-08:03:14:911 202.182.69.85 80 950 5302
Synthetic Data 55.170.100.32 2008-10-01-08:03:17:980 88.244.136.106 80 243 5478
Synthetic Data 55.170.100.32 2008-10-01-08:03:26:540 201.10.130.54 80 630 2945
Synthetic Data 55.170.100.18 2008-10-01-08:03:29:424 191.201.20.153 80 1197 5682
Synthetic Data 55.170.100.22 2008-10-01-08:03:31:445 55.170.30.100 80 225 6613
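As an added illustration (not part of the challenge materials), the Python below parses both log layouts shown above and flags traffic sent from a desktop while its assigned user was badged into the restricted area, where that user cannot have been at the keyboard. The sample rows, the "datetime" header name and the IP-to-employee mapping are constructed assumptions; the real traffic log carries the employee number itself.

```python
import csv
from datetime import datetime
from io import StringIO
# Constructed sample rows in the Table 1 layout (not from the challenge data).
PROX_CSV = """User Warning,datetime,employee ID,event
Synthetic Data,2008-01-01T08:00,51,prox-in-building
Synthetic Data,2008-01-01T08:03,51,prox-in-classified
Synthetic Data,2008-01-01T08:05,29,prox-in-building
Synthetic Data,2008-01-01T08:20,51,prox-out-classified
"""
# Constructed sample rows in the Table 2 layout, dated to overlap the prox sample.
TRAFFIC_TXT = """USER WARNING SourceIP AccessTime DestIP Socket ReqSize RespSize
Synthetic Data 55.170.100.11 2008-01-01-08:02:54:985 242.82.167.209 80 1174 5370
Synthetic Data 55.170.100.11 2008-01-01-08:10:14:911 202.182.69.85 80 950 5302
Synthetic Data 55.170.100.20 2008-01-01-08:12:17:980 88.244.136.106 80 243 5478
"""
# Assumed mapping from each static desktop IP to its assigned employee number.
IP_TO_EMPLOYEE = {"55.170.100.11": 51, "55.170.100.20": 29}

def parse_prox(text):
    """Yield (datetime, employee, event) tuples from the Table 1 CSV layout."""
    for row in csv.DictReader(StringIO(text)):
        yield (datetime.strptime(row["datetime"], "%Y-%m-%dT%H:%M"),
               int(row["employee ID"]), row["event"])

def parse_traffic(text):
    """Parse Table 2 rows; the watermark column splits into two tokens, so fields start at 2."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        rows.append({"src": f[2], "time": datetime.strptime(f[3], "%Y-%m-%d-%H:%M:%S:%f"),
                     "dst": f[4], "port": int(f[5]), "req": int(f[6]), "resp": int(f[7])})
    return rows

def classified_intervals(prox_events):
    """Pair each prox-in-classified with the next prox-out-classified, per employee."""
    open_at, intervals = {}, {}
    for t, emp, ev in sorted(prox_events):
        if ev == "prox-in-classified":
            open_at[emp] = t
        elif ev == "prox-out-classified" and emp in open_at:
            intervals.setdefault(emp, []).append((open_at.pop(emp), t))
    return intervals

def suspicious_traffic(prox_text=PROX_CSV, traffic_text=TRAFFIC_TXT, ip_to_emp=IP_TO_EMPLOYEE):
    """Flag rows sent from a desktop while its assigned user was inside the restricted area."""
    intervals = classified_intervals(parse_prox(prox_text))
    return [(r["src"], ip_to_emp.get(r["src"]), r["time"].isoformat(), r["dst"], r["req"])
            for r in parse_traffic(traffic_text)
            if any(a <= r["time"] <= b for a, b in intervals.get(ip_to_emp.get(r["src"]), []))]
```

suspicious_traffic() returns the flagged rows as (source IP, assigned employee, time, destination, request bytes) tuples, which are the fields MC1.1 asks for; on the constructed sample only the second row from 55.170.100.11 is flagged, because employee 51 was inside the classified area at that time.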
Questions/Tasks:
MC1.1 Identify which computer(s) the employee most likely used to send information to his contact. Provide the answer as a tab-delimited table that lists, for each computer identified, when the information was sent, how much information was sent and where that information was sent.
Please name the file: Traffic.txt
A sample answer would look like this if you think 2 computers were used, each one time. (In practice you just need to cut and paste the rows of the data table that are the evidence for your hypothesis.)
USER WARNING SourceIP AccessTime DestIP Socket ReqSize RespSize
Synthetic Data 55.170.100.11 2008-10-01-08:02:54:985 242.82.167.209 80 1174 5370
Synthetic Data 55.170.100.20 2008-10-01-08:03:14:911 202.182.69.85 80 950 5302
MC1.2 Characterize the patterns of behavior of suspicious computer use. Provide a Detailed Answer.
Provide a video showing how you conducted the analysis (one video per challenge entry, mini or grand).