How best to package and communicate Wireshark capture data for use by Law Enforcement? [closed]

asked 2023-07-24 20:57:02 +0000

Hi,

I'm new to all of this and the whole reason I'm here is to get to the bottom of a mysterious "freak" corruption that has infected almost all of my devices, in one way or another, for months. While running Wireshark, approximately 10 to 25 percent of traffic is classified as red / black in Expert Info, depending on the task. Traffic during Windows updates yields many more warning-level packets. I have a lot of unsigned certificates in my Windows system files, ESET doesn't recognize many of my stock system files on my computer, and then the other day, the icing on the cake: I saw in my PowerShell history someone (who was definitely NOT ME) blocking, in real time, a specific set of debug tools that I had just installed. That is, someone who wasn't me was remotely executing PowerShell commands to block me from investigating the problems on my computer.

Running Wireshark, tcpdump, netstat, etc., I will admit that I don't know what I'm looking at for the most part, except that the IP addresses I have connections established to (on many, many ports that are not 443 or 80) are addresses that have been reported, some of them 5 times, some 20, some 250 times, as abuser IPs reported for DDoS and CnC.

The most recent attack has been on my Surface's ability to connect to the Microsoft update server packets.

I have a ticket with I3C that I'll be updating, but since literally all these attackers are doing is breaking my devices or potentially using my machines as proxies to hurt other people (no money stolen or ransomware deployed against me), I'm really looking to understand the most effective way to communicate and package my message along with my pcap data, so that Law Enforcement or my ISPs can act on the information.

Thanks for any help you can provide.

Best,

-A


Closed for the following reason: question is off-topic or not relevant, by grahamb
Close date: 2023-07-25 09:15:08 +0000

Comments

By the way I'm speaking about a personal computer registered to an individual which is (or should be) unlinked to any organization or business.

aschutjer ( 2023-07-25 01:14:45 +0000 )

It seems you don't own your computer. So basically it should either be sealed and handed over to anyone who knows how to do forensics on it, or you simply do a full wipe and start with a new clean slate.

Nothing related to Wireshark, by the way.

hugo.vanderkooij ( 2023-07-25 06:11:26 +0000 )

Thanks for the response, and it's totally accurate: I do not own my computer. I've tried the full wipe / factory resets on everything, dozens of times, including factory flashing from USBs and all that. I suppose my question was really, "Once you've identified DDoS, CnC, and other malicious and terroristically persistent traffic in Wireshark, what do you actually do with the information if you are an individual?" My apologies for not being on topic and for my lack of brevity.

aschutjer ( 2023-07-25 14:45:08 +0000 )