To determine the length of Ping of Death (PoD) packets in bytes from the provided network traffic

capture (android.pcapng), follow these steps:

Open the Capture File:

Use a network analysis tool like Wireshark to open the android.pcapng file.

Filter for PoD Packets:

Apply filters to isolate ICMP echo request packets (Ping packets) and specifically look for oversized

packets characteristic of a Ping of Death attack.

Analyze Packet Length:

Examine the packet details to determine the length of the packets involved in the attack. PoD packets

are typically malformed and exceed the standard 65,535 bytes limit, but in this case, the length is

identified as 54 bytes.

Reference:

Wireshark documentation and usage: Wireshark User Guide

Analysis of Ping of Death attacks: CERT Advisory

RFID (Radio Frequency Identification) is a short-range wireless communication technology that uses

radio waves to identify and track objects. RFID tags are attached to objects and RFID readers scan the

tags to obtain the information stored in them. RFID is commonly used for access control, inventory

management, and identification3. Reference: What is RFID?

Anomaly detection is a type of IDS detection method that involves first creating models for possible

intrusions and then comparing these models with incoming events to make a detection decision. It

can detect unknown or zero-day attacks by looking for deviations from normal or expected behavior

Masking is the technique that Andre employed in the above scenario. Masking is a deidentification

technique that can replace the critical information in database fields with special characters such as

asterisks (*) and hashes (#). Masking can help protect sensitive data from unauthorized access or

disclosure, while preserving the format and structure of the original data . Tokenization is a

deidentification technique that can replace the critical information in database fields with random

tokens that have no meaning or relation to the original data. Hashing is a deidentification technique

that can transform the critical information in database fields into fixed-length strings using a

mathematical function. Bucketing is a deidentification technique that can group the critical

information in database fields into ranges or categories based on certain criteria.

Geofencing is a technique that uses GPS features to determine the proximity of a user’s mobile

device to an exact location. Geofencing can be used to create a virtual barrier positioned at a static

location to interact with mobile users crossing the barrier. Geofencing can be used for marketing,

security, and tracking purposes2.

Reference: What is Geofencing?

Security event log is the type of event log analyzed by Tenda in the above scenario. Windows Event

Viewer is a tool that displays logged data about various events that occur on a Windows system or

network. Windows Event Viewer categorizes event logs into different types based on their source

and purpose. Security event log is the type of event log that records events related to Windows

security; specifically, log-on/log-off activities, resource access, and also information based on

Windows system’s audit policies . Security event log can help identify attempted or successful

unauthorized activities on a Windows system or network. Application event log is the type of event

log that records events related to applications running on a Windows system, such as errors,

warnings, or information messages. Setup event log is the type of event log that records events

related to the installation or removal of software or hardware components on a Windows system.

System event log is the type of event log that records events related to the operation of a Windows

system or its components, such as drivers, services, processes, etc.

Cookies are the computer-created evidence retrieved by Desmond in this scenario. Cookies are small

files that are stored on a user’s computer by a web browser when the user visits a website. Cookies

can contain information such as user p

, login details, browsing history, or tracking data.

Cookies can be used to extract and analyze computer-based evidence to retrieve information related

to websites accessed from the victim machine2. Reference: Cookies

Black-box testing is a type of penetration testing where the tester has no prior knowledge of the

target system or network and initiates zero-knowledge attacks, with no information or assistance

from the organization. Black-box testing simulates the perspective of an external attacker who tries

to find and exploit vulnerabilities without any insider information. Black-box testing can help identify

unknown or hidden vulnerabilities that may not be detected by other types of testing. However,

black-box testing can also be time-consuming, costly, and incomplete, as it depends on the tester’s

skills and tools.

Recovery is the IH&R step performed by Edwin in the above scenario. IH&R (Incident Handling and

Response) is a process that involves identifying, analyzing, containing, eradicating, recovering from,

and reporting on security incidents that affect an organization’s network or system. Recovery is the

IH&R step that involves restoring the normal operation of the system or network after eradicating

the incident. Recovery can include reinstating lost data from the backup media, applying patches or

updates, reconfiguring settings, testing functionality, etc. Recovery also involves ensuring that the

backup does not have any traces of malware or compromise . Eradication is the IH&R step that

involves removing all traces of the incident from the system or network, such as malware, backdoors,

compromised files, etc. Incident containment is the IH&R step that involves implementing

appropriate measures to stop the infection from spreading to other organizational assets and to

prevent further damage to the organization. Notification is the IH&R step that involves informing

relevant stakeholders, authorities, or customers about the incident and its impact.

The IP address of the attacker is 10.10.1.16. This can be verified by analyzing the

Windows.events.evtx file using a tool such as Event Viewer or Log Parser. The file contains several

Audit Failure logs with event ID 4625, which indicate failed logon attempts to the system. The logs

show that the source network address of the failed logon attempts is 10.10.1.16, which is the IP

address of the attacker3. The screenshot below shows an example of viewing one of the logs using

Event Viewer4: Reference: Audit Failure Log, [Windows.events.evtx], [Screenshot of Event Viewer

showing Audit Failure log]