Lab Instructions
Incident Response & Forensics
Follow these written lab steps in order. Run one command at a time and verify output before moving on.
Lab objective
Module 7: Incident Response & Forensics. Decrypting evidence: use Wireshark with TLS session keys (e.g. from SSLKEYLOGFILE) to decrypt captured HTTPS traffic in a lab.
Command
N/A
Expected result: You can load TLS keys into Wireshark and view decrypted HTTPS payloads for forensic analysis.
Step 1 - Capture TLS traffic with key log
Set the environment variable SSLKEYLOGFILE to a file path (e.g. /tmp/tls-keys.log). From the same shell, so that the variable is inherited, launch a browser (or OpenSSL client) that supports this; if the browser is already running, close it first, because a new window may attach to the existing process and never see the variable. Browse to an HTTPS site so a TLS session is created. The client appends (Pre)-Master-Secret log entries to the file as each session is negotiated, so keys exist only for sessions established while the variable is set. Capture the same traffic in Wireshark (on loopback or your interface) while you browse.
Command
export SSLKEYLOGFILE=/tmp/tls-keys.log   # then browse HTTPS in a supported browser
Expected result: tls-keys.log contains key log lines; Wireshark has a capture of the HTTPS session.
Step 2 - Load keys in Wireshark
In Wireshark: Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename → set to your SSLKEYLOGFILE path (Wireshark releases before 3.0 list this protocol as SSL rather than TLS). Open or reload the capture. Wireshark decrypts the TLS application data; expand a TLS packet and you should see the decrypted payload (e.g. HTTP). If a session stays encrypted, check that its ClientHello was captured and that the key log has an entry for that session's client random.
Command
Wireshark: Preferences → TLS → set (Pre)-Master-Secret log filename → reload capture
Expected result: TLS packets show decrypted application data (e.g. HTTP request/response).
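As an added check for Steps 1 and 2 (example code written for this page, not part of the lab or of Wireshark): validate the key log's format before loading it, and confirm it covers the ClientHello randoms in your capture. The client randoms below are constructed values; in practice take them from Wireshark's tls.handshake.random field. Assumes Python 3 only.

```python
import re
from collections import defaultdict
# Labels Wireshark reads from an NSS key log. CLIENT_RANDOM carries a 48-byte TLS 1.2
# master secret; TLS 1.3 secrets are the suite's hash length (32 or 48 bytes).
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (sessions, errors): sessions maps client random -> labels seen for it."""
    sessions, errors = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed in the format
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if not HEX.match(client_random) or len(client_random) != 64:
            errors.append((lineno, "client random must be 32 bytes of hex"))
            continue
        ok_lengths = {96} if label in TLS12_LABELS else {64, 96}
        if not HEX.match(secret) or len(secret) not in ok_lengths:
            errors.append((lineno, f"{label} secret has bad length"))
            continue
        sessions[client_random.lower()].add(label)
    return dict(sessions), errors

def decryptable(sessions, client_randoms):
    """For each ClientHello random seen in a capture, can the log decrypt its app data?"""
    result = {}
    for cr in client_randoms:
        labels = sessions.get(cr.lower(), set())
        tls13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels
        result[cr] = "CLIENT_RANDOM" in labels or tls13
    return result

# Constructed sample log (not from a real session): two usable sessions, one bad line.
SAMPLE_KEYLOG = "\n".join([
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "22" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "cc" * 32 + " " + "44" * 10,  # truncated secret
])
```

A session reported as not decryptable usually means its ClientHello predates the capture or the key log, which is the first thing to verify before blaming the Wireshark preference.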
Step 3 - Reflect on forensics use
In real IR/forensics, key logs may come from the client or server when legally available. Document: when would you use this (e.g. analyzing a suspected compromise where you have the keys)? Always use only in authorized, lawful investigations.
Command
N/A
Expected result: You can explain when decrypting evidence with Wireshark TLS keys is appropriate and lawful.