CND (312-38) Network Defense Simulation
In this simulation, you will analyze how web-based activities leave persistent artifacts on local systems. You will learn to identify where communication traces are stored when users bypass corporate mail servers using public webmail providers.
Network Scenario
DataEnet Inc. uses a standard corporate defense-in-depth architecture. Internal mail is handled by an on-premise Exchange server, and policy prohibits the use of external webmail providers (Hotmail/Yahoo) to prevent data exfiltration. An employee is suspected of communicating with a competitor through these unauthorized channels.
As a defender, you are tasked with recovering local artifacts from the employee's workstation to reconstruct their webmail activity sessions.
Traffic & Logs
Firewall Outbound Log Snippet (Egress Filter):
2023-10-24 14:02:11 ALLOW 192.168.1.45 -> 204.79.197.210 TCP/443 (mail.live.com)
2023-10-24 14:05:45 ALLOW 192.168.1.45 -> 98.137.11.163 TCP/443 (mail.yahoo.com)
2023-10-24 14:10:02 ALLOW 192.168.1.45 -> 204.79.197.210 TCP/443 (attachment download)
Analysis: The logs confirm HTTPS sessions to webmail domains. While the traffic is encrypted, the local workstation will store cached fragments of the session for performance and session management.
Question
You work as a professional computer hacking forensic investigator for DataEnet Inc. You need to examine the e-mail activity of an employee of the company who is suspected of using online e-mail systems such as Hotmail or Yahoo. Which of the following folders on the local computer would you check to accomplish the task? Each correct answer represents a complete solution. Choose all that apply.
A. Cookies folder
B. Temporary Internet folder
C. Download folder
D. History folder
Expert Analysis
1. What is happening in the network
The user is bypassing corporate SMTP/IMAP servers by using web-based HTTP/HTTPS interfaces for email. This creates a "blind spot" for network-based email inspection tools because the traffic is wrapped in TLS.
2. Identify attack or behavior
This is categorized as Unauthorized Use or Policy Violation. From a forensics perspective, web-based activity leaves a significantly different footprint than thick-client email (like Outlook .pst files).
3. Why correct answers (A, B, D) are correct
- Cookies Folder (A): Contains session tokens, user preferences, and tracking IDs that can link a specific workstation user to a specific webmail account.
- Temporary Internet Folder / Cache (B): Browsers store images, CSS, and HTML fragments from the webmail interface (e.g., portions of the inbox or opened emails) to improve performance. These can be reconstructed to view what the user saw.
- History Folder (D): Provides a chronological timeline of URLs visited. This proves the user accessed Hotmail or Yahoo at specific times, often including URL parameters that indicate specific actions (like "compose" or "inbox").
4. Why others are wrong
- Download Folder (C): A user *might* save an attachment there, but the download folder is not a reliable location for "e-mail information" (message content, metadata, or session details) because nothing lands in it unless the user explicitly saves a file. It does not inherently store webmail communication traces.
5. Defensive Action
Defenders should implement TLS inspection (an authorized man-in-the-middle proxy) on the firewall to inspect webmail traffic in real time, or use Endpoint Detection and Response (EDR) to monitor browser-based file writes in these sensitive directories.
MINI LESSON: Forensic Artifacts
Web browsers serve as the "operating system" for webmail. When investigating, focus on the Browser Artifact Trinity:
- Persistence: Cookies (Who they are).
- Context: History (When they were there).
- Content: Cache/Temp Files (What they saw).
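The following added example (not part of the original simulation) ties the egress-filter snippet above to the History artifact from the trinity: it parses firewall ALLOW lines for webmail hosts and correlates them with rows from a browser History database to build a per-workstation timeline. The History rows and the extra firewall line are constructed sample data; the in-memory table mirrors the columns of Chromium's `urls` table, and the firewall timestamps are assumed to be UTC.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBMAIL_DOMAINS = ("mail.live.com", "mail.yahoo.com")
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LOG_RE = re.compile(r"^(\S+ \S+) ALLOW (\S+) -> \S+ TCP/\d+ \(([^)]+)\)$")

# Constructed egress-filter lines, same layout as the scenario snippet.
FIREWALL_LOG = """\
2023-10-24 14:02:11 ALLOW 192.168.1.45 -> 204.79.197.210 TCP/443 (mail.live.com)
2023-10-24 14:05:45 ALLOW 192.168.1.45 -> 98.137.11.163 TCP/443 (mail.yahoo.com)
2023-10-24 14:07:30 ALLOW 192.168.1.45 -> 203.0.113.9 TCP/443 (www.example.com)"""

def to_utc(stamp):
    """Firewall stamps carry no zone; this example assumes they are UTC."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def to_webkit(dt):
    """Chromium stores last_visit_time as microseconds since 1601-01-01 UTC."""
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))

def parse_firewall(text):
    """Return (time, src_ip, host) for ALLOW lines whose host is a webmail domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).endswith(WEBMAIL_DOMAINS):
            hits.append((to_utc(m.group(1)), m.group(2), m.group(3)))
    return hits

def build_sample_history():
    """In-memory stand-in for a copied History file; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 "visit_count INTEGER, last_visit_time INTEGER)")
    rows = [("https://mail.live.com/mail/inbox", "Inbox", 3, to_webkit(to_utc("2023-10-24 14:02:40"))),
            ("https://mail.yahoo.com/d/compose", "Compose", 1, to_webkit(to_utc("2023-10-24 14:06:05"))),
            ("https://www.example.com/", "Example", 5, to_webkit(to_utc("2023-10-24 14:07:31")))]
    conn.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)", rows)
    return conn

def correlate(conn, fw_hits, window=timedelta(seconds=60)):
    """Pair each webmail History row with a firewall ALLOW to the same host within `window`."""
    timeline = []
    for url, title, wk in conn.execute("SELECT url, title, last_visit_time FROM urls"):
        host = urlparse(url).hostname or ""
        if not host.endswith(WEBMAIL_DOMAINS):
            continue  # only webmail visits matter for this reconstruction
        visited = WEBKIT_EPOCH + timedelta(microseconds=wk)
        for fw_time, src, fw_host in fw_hits:
            if fw_host == host and abs(visited - fw_time) <= window:
                timeline.append((visited.isoformat(), src, url, title))
    return sorted(timeline)
```

Each timeline entry pairs a History visit with the egress session that carried it, so the investigator can show both that the workstation reached the webmail host and which page (inbox, compose) was loaded.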