The 2018 NCAC challenge is primarily a text data challenge so very few tools will be required. Please see the List of Tools document provided to each school with the data.
Q: On slide 3 we are supposed to determine what company process/procedures failed. We weren’t able to find any company processes or procedures to compare against. Is this intentional?
A: It is intentional. The requirement is to broadly think about which corporate policies were either nonexistent or were violated by the would be user
Q: Appendix C has an image of a folder structure. Is the image on Appendix C the actual hidden folder structure, or is this just ‘artwork’ for the slide?
A: The hidden folder structure should be viewed as just art work. It is not a visual representation of any artifacts created during Phase 1.
Q: We found inconsistencies in the scenario where communication is occurring between two hosts in different networks, yet there is no drop in the IP packet TTL values. Should we be trying to account for these abnormal TTL values? If so, we would have to attribute this to an insider threat of some other anomaly.
A: Ruling that out or keeping it in play should be up to each team. If they can attribute that behavior to malicious activity or inconsistencies on the network then they should rely on the data to make that decision.
Q: There is a fair amount of PCAP traffic up through Dec. 28 which seems extremely unusual (including multiple accesses to the address http://chasesupport:80/ followed by
“ipconfig /flushdns” commands). Since it was included in the PCAP, should we consider this traffic to be part of the scenario, or is it to be ignored?
A: All information provided to you should be examined and considered as a part of the scenario.
Q: The scenario states that the IT department sent an email asking users to save and close documents for an emergency patch to be deployed in response to a recently announced vulnerability. Is that email and the related user activity included in the artifacts we have?
A: That email is not included in the artifacts you have. All forensic images you have were taken offline before the IT department sent that notification to all users.
Q: Related to above: there is an email from chasesupport telling users to apply an emergency patch. Is this the “IT department” email regarding patching, or is this a different email separate from the scenario IT email regarding the emergency patch?
A: That should be determined by you.
Q: Should SSH communication between the “ForensicWorkstation” and “SIFTworkstation” be considered part of “scenarioadmin’s” activity?
A: Yes, it should.