Analysis of Windows Firewall Logs


#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-06-06 11:34:01 DROP UDP 75.34.59.126 75.34.59.255 3210 3328 708 - - - - - - - RECEIVE
2014-06-06 11:34:01 DROP UDP 75.34.59.139 75.34.59.255 1040 3328 708 - - - - - - - RECEIVE
2014-06-06 11:34:03 OPEN TCP 75.34.59.183 75.34.101.20 1982 80 - - - - - - - - -
2014-06-06 11:34:03 OPEN TCP 75.34.59.183 75.34.101.20 1983 80 - - - - - - - - -
2014-06-06 11:34:04 CLOSE TCP 75.34.59.183 75.34.101.20 1978 80 - - - - - - - - -
2014-06-06 11:34:04 OPEN TCP 75.34.59.183 75.34.101.20 1984 80 - - - - - - - - -
2014-06-06 11:34:04 CLOSE TCP 75.34.59.183 75.34.101.20 1984 80 - - - - - - - - -
2014-06-06 11:34:05 CLOSE TCP 75.34.59.183 10.130.40.11 1925 389 - - - - - - - - -
2014-06-06 11:34:06 DROP UDP 75.34.59.126 75.34.59.255 3210 3328 708 - - - - - - - RECEIVE
2014-06-06 11:34:06 CLOSE TCP 75.34.59.183 75.34.101.20 1982 80 - - - - - - - - -
2014-06-06 11:34:06 DROP UDP 75.34.59.139 75.34.59.255 1040 3328 708 - - - - - - - RECEIVE
2014-06-06 11:34:07 DROP UDP 75.34.59.224 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2014-06-06 11:34:07 CLOSE TCP 75.34.59.183 75.34.101.20 1983 80 - - - - - - - - -
*************************************
What does this tell you?
How can this be helpful to an investigation?


2014-06-06 11:34:03 OPEN TCP 75.34.59.183 75.34.101.20 1982 80 - - - - - - - - -
  • date - 2014-06-06
  • time - 11:34:03 (local time, per the "#Time Format: Local" header)
  • action - OPEN (the logging host opened an outbound connection)
  • protocol - TCP
  • src-ip - 75.34.59.183 (the local host)
  • dst-ip - 75.34.101.20
  • src-port - 1982 (an ephemeral client port)
  • dst-port - 80 (HTTP)
  • size - - (not recorded for OPEN entries)
  • tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info, path - all "-": Windows Firewall fills the packet-level fields and the SEND/RECEIVE path only for DROP entries, as the DROP lines above show
  • Read together with the matching CLOSE at 11:34:06, this entry records a three-second HTTP connection from 75.34.59.183 to 75.34.101.20

2014-06-08 07:34:29 OPEN TCP 48.28.28.182 48.28.28.195 1057 139 - - - - - - - - -
2014-06-08 07:34:29 OPEN TCP 48.28.28.182 48.28.28.195 1058 445 - - - - - - - - -
  • From the logs, it can be determined that the intruder IP "48.28.28.182" opened TCP connections to "48.28.28.195" over ports 139 (NetBIOS session service) and 445 (SMB over TCP). These are the ports Windows file and printer sharing uses, so this pattern is commonly seen when a host connects to a share, for example when mapping a network drive. Note that Windows Firewall writes OPEN for connections initiated by the host producing the log (accepted inbound connections are logged as OPEN-INBOUND), so these entries came from the 48.28.28.182 side; to confirm that a share was actually used, look for the matching CLOSE entries and for share-access or logon events on 48.28.28.195.
2014-06-08 08:01:43 CLOSE TCP 5.1.2.139 216.239.51.104 1476 80 - - - - - - - - -
2014-06-08 08:01:43 OPEN TCP 5.1.2.139 216.239.51.104 1478 80 - - - - - - - - -
2014-06-08 08:01:44 OPEN TCP 5.1.2.139 10.130.70.61 1479 443 - - - - - - - - -
2014-06-08 08:02:02 OPEN TCP 5.1.2.139 72.14.209.176 1480 80 - - - - - - - - -
2014-06-08 08:02:02 OPEN TCP 5.1.2.139 72.14.209.176 1481 80 - - - - - - - - -
2014-06-08 08:02:04 CLOSE TCP 5.1.2.139 64.233.169.103 1466 80 - - - - - - - - -
2014-06-08 08:02:05 CLOSE TCP 5.1.2.139 10.130.70.61 1479 443 - - - - - - - - -
2014-06-08 08:02:10 CLOSE UDP 5.1.2.139 12.127.16.68 1025 53 - - - - - - - - -
2014-06-08 08:02:15 CLOSE TCP 5.1.2.139 72.14.209.176 1480 80 - - - - - - - - -
2014-06-08 08:02:15 CLOSE TCP 5.1.2.139 72.14.209.176 1481 80 - - - - - - - - -
2014-06-08 08:02:24 OPEN TCP 5.1.2.139 64.233.169.103 1482 80 - - - - - - - - -
2014-06-08 08:02:24 OPEN TCP 5.1.2.139 72.14.209.176 1483 80 - - - - - - - - -
2014-06-08 08:02:35 CLOSE TCP 5.1.2.139 72.14.209.176 1483 80 - - - - - - - - -
2014-06-08 08:02:37 OPEN TCP 5.1.2.139 72.14.209.176 1484 80 - - - - - - - - -
2014-06-08 08:02:37 OPEN TCP 5.1.2.139 72.14.209.176 1485 80 - - - - - - - - -
2014-06-08 08:02:42 OPEN UDP 5.1.2.139 12.127.16.68 1025 53 - - - - - - - - -
2014-06-08 08:02:42 OPEN TCP 5.1.2.139 208.65.153.253 1486 80 - - - - - - - - -
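Putting the field breakdown and the SMB observation above into code, as an added example that is not part of the original exercise: a small Python parser that reads the #Fields header, tolerates truncated lines, tallies actions, flags OPEN connections to 139/445, lists dropped broadcast traffic, and pairs each OPEN with its CLOSE to get a session duration. The embedded sample is a handful of lines copied from the three excerpts on this page; the service-name table, the broadcast heuristic and the function names are my own assumptions.

```python
"""Parse Windows Firewall (pfirewall.log, W3C-style) entries and answer the
questions posed above: who talked to whom, on which service, and which
OPEN/CLOSE pairs form a session."""
from collections import Counter
from datetime import datetime

# Sample excerpt: lines copied from the three fragments on this page, behind
# the header the first fragment shows. The 445 line is deliberately short.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-06-06 11:34:01 DROP UDP 75.34.59.126 75.34.59.255 3210 3328 708 - - - - - - - RECEIVE
2014-06-06 11:34:03 OPEN TCP 75.34.59.183 75.34.101.20 1982 80 - - - - - - - - -
2014-06-06 11:34:05 CLOSE TCP 75.34.59.183 10.130.40.11 1925 389 - - - - - - - - -
2014-06-06 11:34:06 CLOSE TCP 75.34.59.183 75.34.101.20 1982 80 - - - - - - - - -
2014-06-06 11:34:07 DROP UDP 75.34.59.224 255.255.255.255 68 67 328 - - - - - - - RECEIVE
2014-06-08 07:34:29 OPEN TCP 48.28.28.182 48.28.28.195 1057 139 - - - - - - - - -
2014-06-08 07:34:29 OPEN TCP 48.28.28.182 48.28.28.195 1058 445 - - - - - - -
2014-06-08 08:01:44 OPEN TCP 5.1.2.139 10.130.70.61 1479 443 - - - - - - - - -
2014-06-08 08:02:05 CLOSE TCP 5.1.2.139 10.130.70.61 1479 443 - - - - - - - - -
2014-06-08 08:02:10 CLOSE UDP 5.1.2.139 12.127.16.68 1025 53 - - - - - - - - -
"""

# Assumed triage mapping of well-known destination ports to service names.
SERVICE_NAMES = {53: "DNS", 67: "DHCP", 80: "HTTP", 139: "NetBIOS-SSN",
                 389: "LDAP", 443: "HTTPS", 445: "SMB"}


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header.
    '-' placeholders become None; short (truncated) lines are padded with '-'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        parts += ["-"] * (len(fields) - len(parts))  # tolerate truncated lines
        rec = {k: (None if v == "-" else v) for k, v in zip(fields, parts)}
        for k in ("src-port", "dst-port", "size"):
            if rec.get(k) is not None:
                rec[k] = int(rec[k])
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                             "%Y-%m-%d %H:%M:%S")
        yield rec


SAMPLE_RECORDS = list(parse_log(SAMPLE_LOG))


def action_summary(records):
    """Count entries per action (OPEN / CLOSE / DROP ...)."""
    return Counter(r["action"] for r in records)


def smb_connections(records):
    """OPEN entries to 139/445: the logging host initiated a NetBIOS/SMB session."""
    return [(r["src-ip"], r["dst-ip"], r["dst-port"]) for r in records
            if r["action"] == "OPEN" and r["protocol"] == "TCP"
            and r["dst-port"] in (139, 445)]


def dropped_broadcasts(records):
    """DROP entries sent to a broadcast address (heuristic: last octet 255)."""
    return [(r["src-ip"], r["dst-ip"], r["dst-port"], r["path"]) for r in records
            if r["action"] == "DROP" and r["dst-ip"].endswith(".255")]


def pair_sessions(records):
    """Match each OPEN with the next CLOSE for the same 5-tuple and return
    (key, seconds). A CLOSE with no prior OPEN (connection began before the
    excerpt) is returned with duration None."""
    open_at, sessions = {}, []
    for r in records:
        key = (r["protocol"], r["src-ip"], r["src-port"], r["dst-ip"], r["dst-port"])
        if r["action"] == "OPEN":
            open_at[key] = r["timestamp"]
        elif r["action"] == "CLOSE":
            started = open_at.pop(key, None)
            dur = None if started is None else int((r["timestamp"] - started).total_seconds())
            sessions.append((key, dur))
    return sessions


if __name__ == "__main__":
    print(action_summary(SAMPLE_RECORDS))
    for src, dst, port in smb_connections(SAMPLE_RECORDS):
        print(f"SMB: {src} -> {dst}:{port} ({SERVICE_NAMES[port]})")
    for src, dst, port, path in dropped_broadcasts(SAMPLE_RECORDS):
        print(f"DROP broadcast: {src} -> {dst}:{port} {path}")
    for key, dur in pair_sessions(SAMPLE_RECORDS):
        print(key, "started before excerpt" if dur is None else f"{dur}s")
```

The LDAP (389) and DNS (53) closes in the excerpts have no preceding OPEN, so they are reported with no duration; in a real case, run this over the complete pfirewall.log rather than a fragment, and treat a CLOSE-only entry as a session that began before logging or before the window you exported.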