The included incident response log contains the output of all IR commands/tools run by an incident responder on the referenced date on an allegedly compromised machine. No further information has been provided about this machine. Your job is to answer the standard investigative questions below to the best of your ability. Where you are able to answer the question, provide the answer and clearly indicate the command/tool output from which the answer was obtained. Where you were unable to answer the question with the data provided, indicate what command or tool you would have run (complete with switches) to obtain that information had you been conducting the IR on the live machine. ALSO - Since this is the log from incident response, it is important to differentiate between the actions of the intruder(s) vs. the incident responder. Hypothesize between "good guy" vs "bad guy" forensic artifacts. (This will help you see why it is so important to carefully document your incident response activity. It is not unusual to be analyzing someone else's IR output, nor is it unusual to be re-analyzing your own IR output after significant time has passed, making it important to be able to distinguish between "good guy" and "bad guy" activity on a victim machine.) This can either be written up in paragraph form at the end, or indicated individually with each answered investigative question. QUESTIONS 1. Provide basic system and environment information. a. OS version \& kernel build number b. Patch level \& Hotfix(es) installed c. IP address of the system being analyzed d. IP address assignment method \& DHCP server IP if applicable e. MAC address f. Default gateway g. DNS server(s) h. Computer/NetBIOS name i. Physical/virtual memory info (sizes/location of virtual memory) j. Domain k. Logon server 1. NICS (number/type) m. Are any NICS currently running in promiscuous mode? n. How long has the system been up (running)? 2. Are there any suspicious connections? If so, what are the source IP(s) ? 3. Are there any suspicious ports open? a. What process do you believe is running on that port? b. What is its PID? c. What executable spawned the process (full path, file name, hash, VirusTotal analysis as deemed applicable)? d. What account spawned the process? e. What command line switches were set when executed? f. What child processes has the suspicious process spawned? g. What are the dependencies for the process(es)? 4. Are there any suspicious processes or services? a. Provide the same info as above for ports, as applicable. b. For suspicious services, what is the current state (running/stopped)? c. For suspicious services, what is the autostart configuration? d. Have any critical services been stopped? 5. What network shares are mapped? (suspicious or not) 6. Are there any suspicious NetBIOS sessions (current or cached)? 7. Are there any suspicious DNS queries? 8. Are there any suspicious routes set-up in the route table? 9. Are there any suspicious user accounts? a. What users are currently logged in? Local or remote? b. Provide basic user account information for any suspicious accounts ( d/t ereated, d/t last logged in, number of suceessful logins, number of failed logins, password last changed date, password set to expire, RID, enable/disable status). c. Are there any particularly weak accounts (i.e. no password set)? 10. Are there any suspicious/conceming files opened? EVIDENCE FILES REQUIRED SOFTWARE