Solution to the Demo Game
Mass Copy
TheFinn is mass copying files from the servers in the datacenter, in preparation for burning them to a CD and walking out the door with everything.
This level of activity can be spotted right away; to make it stand out even more, click your mouse near one of the sysadmins and then use the 'i' and 'o' keys to cycle through all the sysadmin paths. You will be able to see all the file transfers TheFinn is running on the servers, highlighted in blue.
Trickle Exfiltration
Case is slowly sending pieces of critical data out to a server on the Internet, by periodically sending small packets designed to look like DNS requests.
This one is much harder to find. One way is to notice a very small blip periodically travelling down one of Case's paths; if you highlight the blip you can readily see that it is UDP and involves communication with an "external" address. To find it definitively, you could filter out the communication types that all the sysadmins are conducting, using these steps:
- hit the 'q' key to open the command line
- enter "filter from grp.sys|*|*|httpd to *|*|*|*"
- enter "filter from grp.sys|*|*|nfs to *|*|*|*"
- enter "filter from grp.sys|*|*|sshd to *|*|*|*"
Now the only sysadmin traffic remaining is this weird UDP traffic.
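The same elimination can be reproduced offline, as an added example that is not part of the game or this solution: it parses the three filter commands above, applies them to a handful of constructed flow records, and flags what survives. The field layout group|host|user|process for each endpoint and the Flow record fields are assumptions, not the game's own data model.

```python
"""Added example: apply the demo's 'filter from A to B' commands to
constructed flow records and flag the small external UDP traffic left over."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # "group|host|user|process" (layout assumed)
    dst: str        # same layout; "ext|..." marks an Internet host
    proto: str      # "tcp" or "udp"
    size: int       # packet size in bytes
    external: bool  # destination is outside the datacenter


def parse_filter(cmd: str):
    """Split 'filter from A|B|C|D to E|F|G|H' into (from_pattern, to_pattern)."""
    parts = cmd.split()
    if len(parts) != 5 or parts[0] != "filter" or parts[1] != "from" or parts[3] != "to":
        raise ValueError(f"bad filter command: {cmd!r}")
    return parts[2], parts[4]


def matches(pattern: str, endpoint: str) -> bool:
    """Field-by-field comparison; '*' matches any value in that position."""
    pf, ef = pattern.split("|"), endpoint.split("|")
    return len(pf) == len(ef) and all(p == "*" or p == e for p, e in zip(pf, ef))


def apply_filters(flows, commands):
    """Drop every flow that matches any of the filter commands."""
    pats = [parse_filter(c) for c in commands]
    return [f for f in flows
            if not any(matches(a, f.src) and matches(b, f.dst) for a, b in pats)]


def flag_trickle(flows, max_bytes=128):
    """Small UDP packets to an external address are the trickle candidates."""
    return [f for f in flows if f.proto == "udp" and f.external and f.size <= max_bytes]


FLOWS = [  # constructed sample traffic from the sysadmin group
    Flow("grp.sys|ws1|case|httpd", "grp.dc|web1|root|httpd", "tcp", 1400, False),
    Flow("grp.sys|ws1|case|nfs", "grp.dc|nas1|root|nfsd", "tcp", 8192, False),
    Flow("grp.sys|ws2|thefinn|sshd", "grp.dc|db1|root|sshd", "tcp", 512, False),
    Flow("grp.sys|ws1|case|dnsq", "ext|203.0.113.7|-|dns", "udp", 64, True),
]

SYSADMIN_FILTERS = [
    "filter from grp.sys|*|*|httpd to *|*|*|*",
    "filter from grp.sys|*|*|nfs to *|*|*|*",
    "filter from grp.sys|*|*|sshd to *|*|*|*",
]


def remaining_sysadmin_traffic():
    """What is left once the known sysadmin services are filtered out."""
    return apply_filters(FLOWS, SYSADMIN_FILTERS)
```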