Accuracy: 92.3%
Cyber Command: Our remote workforce uses videoconference every day to get things done, but we’ve recently identified a few security issues; help us investigate.
Q1 (5 pts) - How many total records are present in the meeting log?
34610
Q2 (5 pts) - How many unique users are recorded in the meeting log?
241
Q3 (5 pts) - How many unique meetings are recorded in the logs?
9786
Q4 (5 pts) - How many meetings had dial-in users?
4483
Q5 (10 pts) - What is the average number of bytes processed (round to nearest whole number)?
1294192
Q6 (10 pts) - How many unique IPs are recorded in the logs?
605
Q7 (10 pts) - What is the meeting ID with the most number of participants?
1650f334-b2b9-4726-ab38-bd21b30254b9
Q8 (10 pts) - Which date had the most number of calls take place?
2020-09-27
Q9 (15 pts) - Which date had the highest average bytes processed for its calls?
2020-09-20
Q10 (20 pts) - There was an unauthorized user on a call, what’s the meeting ID of that call?
2b4cfbc0-2528-4726-ab38-bd21b30254b9
Q11 (20 pts) - We believe there was an account that was hacked, what is the name of the person that was hacked?
Jeanne Lowe
Q12 (15 pts) - What is the name of the attacker responsible for the breach referenced above?
Alyce Jacobs
First thing I did was insert the log file into Copilot. During a gym exercise, I did this for a log, and it actually worked really well. I was unable to get Excel/LibreOffice to install on my Kali VM for whatever reason. I then had Copilot generate commands to verify the answers before submitting.
Q1 — Total records
wc -l meeting.json
Q2 — Unique users
grep -o '"participant":"[^"]*"' meeting.json | cut -d'"' -f4 | sort -u | wc -l
Q3 — Unique meetings
grep -o '"meetingID":"[^"]*"' meeting.json | cut -d'"' -f4 | sort -u | wc -l
Q4 — Meetings with dial-in
grep '"device":"Dial-In"' meeting.json | grep -o '"meetingID":"[^"]*"' | cut -d'"' -f4 | sort -u | wc -l
Q5 — Average bytes processed
grep -o '"bytesProcessed":[0-9]*' meeting.json | cut -d':' -f2 | awk '{sum+=$1} END {print int(sum/NR)}'
Q6 — Unique IPs
grep -o '"ip":"[^"]*"' meeting.json | cut -d'"' -f4 | grep -v '^$' | sort -u | wc -l
Q7 — Meeting with most participants
grep -o '"meetingID":"[^"]*"' meeting.json | cut -d'"' -f4 | sort | uniq -c | sort -nr | head -1
Q8 — Busiest date
grep -o '"date":"[^"]*"' meeting.json | cut -d'"' -f4 | cut -c1-10 | sort | uniq -c | sort -nr | head -1
Q9 — Highest average bytes per date
# paste pairs each record's date with its bytesProcessed; awk picks the two tab-separated fields by name, so their order inside the record does not matter
grep -o '"date":"[^"]*"\|"bytesProcessed":[0-9]*' meeting.json \
| paste - - \
| awk -F'\t' '{ for (i=1;i<=2;i++) { if ($i ~ /^"date"/) date=substr($i,9,10); else { split($i,kv,":"); bytes=kv[2] } } sum[date]+=bytes; count[date]++ } END {for (d in sum) print d, int(sum[d]/count[d])}' \
| sort -k2 -nr | head -1
Q10 — Unauthorized user (no spaces in name)
grep -o '"participant":"[^"]*"' meeting.json | cut -d'"' -f4 | grep -v ' ' | sort -u
Then find the meeting ID for the suspicious username lols:
grep 'lols' meeting.json | grep -o '"meetingID":"[^"]*"' | cut -d'"' -f4
Q11 — Hacked user
grep 'Jeanne Lowe' meeting.json
Inspected entries manually and found anomalous login from an unexpected IP.
Q12 — Attacker IP → name
grep '132.12.5.210' meeting.json | grep -o '"participant":"[^"]*"' | cut -d'"' -f4 | sort -u
Answer: Alyce Jacobs
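The grep/cut pipelines above break as soon as a field moves, a name contains a quote, or a record spans two lines. The following script is an added example (not part of the original writeup, and not the challenge's own tooling) that answers the same twelve questions with a real JSON parser. It assumes the one-object-per-line layout the pipelines imply and the field names they reference (participant, meetingID, device, ip, date, bytesProcessed); the sample records, names, meeting IDs and IPs are constructed for the demo, not taken from the challenge log.

```python
import json
from collections import Counter, defaultdict

# Constructed sample log: one JSON object per line, the layout the writeup's
# grep pipelines assume. Every value here is invented for the example.
SAMPLE_LOG = """\
{"meetingID":"m-001","participant":"Ada Rowe","device":"Laptop","ip":"10.0.0.5","date":"2020-09-27T09:00:00","bytesProcessed":1200}
{"meetingID":"m-001","participant":"Bo Chen","device":"Dial-In","ip":"","date":"2020-09-27T09:00:00","bytesProcessed":800}
{"meetingID":"m-001","participant":"Cy Park","device":"Laptop","ip":"10.0.0.7","date":"2020-09-27T09:00:00","bytesProcessed":1000}
{"meetingID":"m-002","participant":"Ada Rowe","device":"Laptop","ip":"10.0.0.5","date":"2020-09-20T14:00:00","bytesProcessed":5000}
{"meetingID":"m-002","participant":"lols","device":"Laptop","ip":"198.51.100.9","date":"2020-09-20T14:00:00","bytesProcessed":3000}
{"meetingID":"m-003","participant":"Cy Park","device":"Laptop","ip":"198.51.100.9","date":"2020-09-27T16:00:00","bytesProcessed":2000}
{"meetingID":"m-003","participant":"Dee Voss","device":"Laptop","ip":"198.51.100.9","date":"2020-09-27T16:00:00","bytesProcessed":2000}
"""


def load_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Q1-Q9: the counting questions, computed from parsed fields."""
    s = {}
    s["total_records"] = len(records)
    s["unique_users"] = len({r["participant"] for r in records})
    s["unique_meetings"] = len({r["meetingID"] for r in records})
    s["dial_in_meetings"] = len({r["meetingID"] for r in records if r["device"] == "Dial-In"})
    # Q5 asks for rounding to the nearest whole number, so round() rather than truncation
    s["avg_bytes"] = round(sum(r["bytesProcessed"] for r in records) / len(records))
    # Dial-in rows carry an empty ip; exclude it, as the writeup's grep -v '^$' does
    s["unique_ips"] = len({r["ip"] for r in records if r["ip"]})
    s["largest_meeting"] = Counter(r["meetingID"] for r in records).most_common(1)[0][0]
    # date is an ISO timestamp; the first 10 characters are the calendar day
    s["busiest_date"] = Counter(r["date"][:10] for r in records).most_common(1)[0][0]
    per_date = defaultdict(list)
    for r in records:
        per_date[r["date"][:10]].append(r["bytesProcessed"])
    s["heaviest_date"] = max(per_date, key=lambda d: sum(per_date[d]) / len(per_date[d]))
    return s


def suspicious_names(records):
    """Q10 heuristic from the writeup: participant names with no space in them."""
    return sorted({r["participant"] for r in records if " " not in r["participant"]})


def meetings_for(records, participant):
    """Meetings a given participant appears in (the Q10 follow-up grep)."""
    return sorted({r["meetingID"] for r in records if r["participant"] == participant})


def users_with_multiple_ips(records):
    """Q11 indicator: one account seen from more than one source IP."""
    ips = defaultdict(set)
    for r in records:
        if r["ip"]:
            ips[r["participant"]].add(r["ip"])
    return {user: sorted(seen) for user, seen in ips.items() if len(seen) > 1}


def users_from_ip(records, ip):
    """Q12 pivot: every participant name that joined from the given IP."""
    return sorted({r["participant"] for r in records if r["ip"] == ip})


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
    print("names without spaces:", suspicious_names(recs))
    print("accounts seen from several IPs:", users_with_multiple_ips(recs))
```

Against the real log, point load_records at the file contents instead of SAMPLE_LOG; the only requirement is that each line is a complete JSON object. The Q11/Q12 pivot is the same one the writeup performed by eye: find the account whose IP set suddenly grows, then list every account that used the new IP.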