IS4670 Unit 10 Lab Q&A

Submitted By lnodal
1. What was the user account name of the FTP client on the FTP server and which was its IP address?
The FTP account name is: Badguy. FTP server’s IP: 172.16.177.157

2. How many emails did the alleged offender send to his partner before downloading the implicated file? Which are the two email addresses involved?

The alleged offender sent 3 emails before downloading the file. The email addresses involved were: badguy11111@gawab.com and b603358@borthew.com

3. As a forensics investigator, would you be able to playback an entire TCP session if it is requested under trial?

Yes, NetWitness Investigator allows a forensics investigator to play back an entire TCP session that was previously captured.

4. What time did the alleged offender choose to perform the actions? Why do you think this is particularly important? Where did you get this information from?

After reviewing the entire packet capture, we notice that the download occurred around 4:00am. This is particularly important since it points directly to “system usage” outside regular hours of operation.

5. What is the name of the “local user” account involved in the alleged actions? Which was the IP address of the alleged offender workstation?

The local administrator account was the one involved. The IP address of the FTP client was: 172.16.177.132

6. How many attempts to access the FTP server did you find during the packet capture analysis? Why is this important for your case?

Two attempts to access the FTP server were found. A low number of attempts followed by a successful logon usually means the user has the password for the account. Several attempts could point towards a brute force attack.
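The reasoning in answer 6 can be checked mechanically against a reassembled FTP control channel. The following is an added example, not part of the original lab write-up: the transcript tuples are constructed, the function names are hypothetical, and the cutoff of 5 failures is an assumed value.

```python
from collections import defaultdict

BRUTE_FORCE_THRESHOLD = 5  # assumed cutoff; tune to the environment

def summarize_logins(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Count FTP login attempts per (client IP, account) from control-channel lines."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "success": False})
    current_user = {}  # client IP -> account named in the last USER command
    awaiting = {}      # client IP -> key of the attempt waiting for a server reply
    for ip, direction, line in events:
        verb, _, arg = line.strip().partition(" ")
        if direction == "C" and verb.upper() == "USER":
            current_user[ip] = arg
        elif direction == "C" and verb.upper() == "PASS":
            # The PASS argument crosses the wire in clear text; it is not stored here.
            key = (ip, current_user.get(ip, "<unknown>"))
            stats[key]["attempts"] += 1
            awaiting[ip] = key
        elif direction == "S" and ip in awaiting:
            if verb == "230":    # login accepted
                stats[awaiting.pop(ip)]["success"] = True
            elif verb == "530":  # login rejected
                stats[awaiting.pop(ip)]["failures"] += 1
    for s in stats.values():
        if s["failures"] >= threshold:
            s["verdict"] = "possible brute force"
        elif s["success"]:
            s["verdict"] = "credentials likely known"
        else:
            s["verdict"] = "failed, low volume"
    return dict(stats)

def _attempt(ip, user, ok):
    """Build one constructed USER/PASS exchange ("C" = client, "S" = server)."""
    reply = "230 Login successful" if ok else "530 Login incorrect"
    return [(ip, "C", f"USER {user}"), (ip, "S", "331 Password required"),
            (ip, "C", "PASS <redacted>"), (ip, "S", reply)]

# Constructed sample: one client fails once then succeeds, another fails six times.
SAMPLE = (_attempt("192.0.2.10", "alice", False) + _attempt("192.0.2.10", "alice", True)
          + [e for _ in range(6) for e in _attempt("198.51.100.7", "admin", False)])

if __name__ == "__main__":
    for (ip, user), s in summarize_logins(SAMPLE).items():
        print(ip, user, s)
```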

7. What was the password of the FTP client account used to perform the alleged actions? How were you able to obtain the password?
“You will never get this!!”. FTP traffic travels in clear text, thus, making it easy
