Chapter 14 What country is the MAC address of the FTP server registered in?

14.1 Objects in memory/packages loaded from preceding chapters

Objects available:

  • read_zeek_log() — helper function to read Zeek log files (Chapter 3)
  • packets — data frame of PCAP packet data (Chapter 4)
  • conn — Zeek conn.log data (Chapter 5)
  • hosts — tshark host/IP file (Chapter 8)
  • ftp — Zeek ftp.log data (Chapter 10)

Packages:

  • {jsonlite}
  • {stringi}
  • {glue}
  • {tidyverse}
  • {MACtools} (optional)

14.2 Question Setup

We did say that MAC addresses provide quite a bit of metadata. You can head on over to DeepMac if you want up-close-and-personal verification of that. In fact, you can use that search page instead of the {MACtools} package (below) if you’re having trouble getting {MACtools} installed or don’t trust R packages from GitHub (which you really shouldn’t).

This is a fine example of using external data sources in forensic analyses.

14.3 Solving the quest with Zeek conn.log, ftp.log, and R

The ftp data frame contains information on the FTP server, so we can use that to get the server IP, then look that up in the conn data frame to get the MAC address. Once we have that, we can use mac_match_registry() or just paste the value into DeepMac.

library(MACtools)

conn %>% 
  filter(
    id.resp_h == unique(ftp$id.resp_h)   # conn.log rows where the responder is the FTP server seen in ftp.log
  ) %>% 
  distinct(resp_l2_addr) %>%             # the responder's layer-2 (MAC) address, de-duplicated
  glimpse() %>%                          # peek at the MAC; glimpse() passes its input through unchanged
  pull(resp_l2_addr) %>% 
  mac_match_registry() %>%               # OUI lookup against the MAC registry bundled with {MACtools}
  select(organization_address)
## Rows: 1
## Columns: 1
## $ resp_l2_addr <chr> "08:00:27:a6:1f:86"
## # A tibble: 1 x 1
##   organization_address             
##   <chr>                            
## 1 600 Suffold St Lowell MA US 01854
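The same three-step lookup, written out as an added example rather than code from the chapter, with small constructed `ftp` and `conn` tibbles standing in for the Zeek frames loaded in earlier chapters and a two-row stand-in for the OUI registry (the first address string is the one the chapter's `mac_match_registry()` call returned; the second row and all IPs and MACs are made up). It also generalises the chapter's `==` filter to `%in%` so it still behaves when ftp.log happens to contain more than one server, and does the OUI match by hand (first three octets) so the mechanism is visible without {MACtools}:

```r
library(tidyverse)

# Constructed sample data standing in for the ftp and conn data frames
# from Chapters 10 and 5; none of these rows come from the challenge PCAP.
ftp <- tibble(
  id.orig_h = c("192.168.1.10", "192.168.1.10"),
  id.resp_h = c("192.168.1.20", "192.168.1.20"),
  command   = c("USER", "PASS")
)

conn <- tibble(
  id.orig_h    = c("192.168.1.10", "192.168.1.10", "192.168.1.11"),
  id.resp_h    = c("192.168.1.20", "192.168.1.20", "192.168.1.30"),
  id.resp_p    = c(21, 21, 80),
  orig_l2_addr = c("08:00:27:11:22:33", "08:00:27:11:22:33", "08:00:27:44:55:66"),
  resp_l2_addr = c("08:00:27:a6:1f:86", "08:00:27:a6:1f:86", "aa:bb:cc:dd:ee:ff")
)

# Constructed stand-in for an OUI registry (first row reuses the address the
# chapter's lookup printed; the second row is a placeholder).
oui_registry <- tibble(
  oui                  = c("08:00:27", "aa:bb:cc"),
  organization_address = c("600 Suffold St Lowell MA US 01854", "PLACEHOLDER ADDRESS XX 00000"),
  country              = c("US", "XX")
)

# Step 1: FTP server IP(s) from ftp.log. A `==` comparison against a vector of
# length > 1 would silently recycle, so use %in% and make the count explicit.
ftp_servers <- unique(ftp$id.resp_h)
message("FTP server(s) seen in ftp.log: ", paste(ftp_servers, collapse = ", "))

# Step 2: the layer-2 address each FTP server answered from, via conn.log
server_macs <- conn %>%
  filter(id.resp_h %in% ftp_servers) %>%
  distinct(id.resp_h, resp_l2_addr)

# Step 3: OUI = first three octets (lower-cased for a clean join), matched
# against the registry; left_join keeps MACs whose OUI is unregistered as NA
# rather than dropping them.
server_macs %>%
  mutate(oui = str_to_lower(str_sub(resp_l2_addr, 1, 8))) %>%
  left_join(oui_registry, by = "oui") %>%
  select(id.resp_h, resp_l2_addr, oui, organization_address, country)
```

With the constructed rows the result is a single line for 192.168.1.20 / 08:00:27:a6:1f:86 with country `US`; an FTP server whose MAC carried a locally administered or unregistered OUI would show `NA` in the registry columns, which is the case to watch for before trusting a country attribution from layer-2 data alone.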

Another quick win, which is good, because our final quest is at hand!