Lesson Notes
Incident Response & Forensics
Module 7: Advanced Topics & Career. Decrypting evidence (e.g. Wireshark TLS keys).
Module 7: Incident Response & Forensics — Comprehensive Theory Guide
Incident response (IR) is the structured process of detecting, containing, eradicating, and recovering from security incidents, followed by lessons learned. Forensics is the collection and analysis of evidence—including network traffic. When evidence includes TLS-encrypted traffic (e.g. a PCAP from a breach or a lab capture), you can decrypt it in Wireshark if you have the session keys. Many clients (browsers, OpenSSL when built with the right option) can log the (Pre)-Master-Secret to a file; you load that log in Wireshark and the tool decrypts the TLS streams so you can inspect HTTP or other application data. This lesson explains the IR phases in detail and how to use SSLKEYLOGFILE and Wireshark for TLS decryption in lab forensics. Use decryption only when you have legal authority or ownership of the keys (e.g. your own lab capture).
IR Phases: Detect, Contain, Eradicate, Recover, Lessons Learned
Detect: identify that an incident has occurred—via alerts (IDS/IPS, EDR, SIEM), user reports, or proactive hunting. Triage and confirm; document the initial scope and timeline.
Contain: limit the spread and damage—isolate affected hosts, block malicious IPs or domains, revoke compromised credentials, or take critical systems offline. Containment buys time for investigation and eradication.
Eradicate: remove the threat—delete malware, close backdoors, patch vulnerabilities, and reset compromised accounts.
Recover: restore systems and services safely—rebuild from known-good backups if needed, restore from clean images, and verify integrity before bringing systems back online.
Lessons learned: post-incident review—what happened, what was missed, what to improve (detection, response playbooks, segmentation).
Document every phase for legal, compliance, and improvement.
Decrypting TLS in Wireshark: Why and When
TLS encrypts application data; a raw PCAP of HTTPS traffic shows only handshakes and encrypted record layers. To analyze the actual HTTP requests, API calls, or other application data, you need to decrypt. Decryption is possible if you have the session keys (the symmetric keys used for the TLS session). In a lab or when you control the client, you can arrange for the client to write those keys to a file (Pre-Master-Secret or session key log). Wireshark can then use that log to decrypt the corresponding TLS streams. Use cases: debugging TLS in development, analyzing your own traffic in a lab, or forensics when you have lawful access to the keys (e.g. from the server or from a cooperating client). Do not decrypt traffic you are not authorized to access.
Using SSLKEYLOGFILE and Wireshark
Many TLS clients support logging the (Pre)-Master-Secret for debugging. Set the environment variable SSLKEYLOGFILE to a file path (e.g. export SSLKEYLOGFILE=/tmp/keys.log on Linux) before starting the client, so the client process inherits it. When the browser or OpenSSL client performs a TLS handshake, it appends the session keys to that file, one line per secret, each tagged with the 32-byte client random from the ClientHello. In Wireshark: Edit → Preferences → Protocols → TLS → (Pre)-Master-Secret log filename; set it to the same file. Load your PCAP (or start a capture); Wireshark matches log entries to streams by that client random, so it decrypts any TLS stream whose handshake is in the capture and whose keys are in the log. You can then inspect HTTP, cookies, and other application data. Restrict the key log file to your lab and do not use it for traffic you are not authorized to decrypt.
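As an added example (not code from this course or from Wireshark), the Python script below parses an SSLKEYLOGFILE in the NSS key-log format that Wireshark reads, pulls the client random out of captured ClientHello records, and reports which streams the log can actually decrypt before you load the PCAP. The key-log lines, the ClientHello bytes and the helper make_hello are constructed lab data, not a real capture.

```python
"""Check which captured TLS ClientHellos an SSLKEYLOGFILE can decrypt (constructed lab data)."""
import re
# One NSS key-log line: LABEL <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
TLS13_APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

def parse_keylog(text):
    """Map client-random hex -> set of labels; skips blanks, comments and malformed lines."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:  # a malformed line is useless to Wireshark, so it is useless here too
            keys.setdefault(m.group(2).lower(), set()).add(m.group(1))
    return keys

def client_random(record):
    """Return the client random (hex) from a raw TLS ClientHello record, else None."""
    # record: 0x16 handshake, version(2), length(2); then 0x01, len(3), version(2), random(32)
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    return record[11:43].hex()

def can_decrypt(labels):
    """TLS 1.2 needs CLIENT_RANDOM; TLS 1.3 application data needs both traffic secrets."""
    return "CLIENT_RANDOM" in labels or TLS13_APP <= labels

def coverage(keylog_text, records):
    """client random -> True/False: can Wireshark decrypt that stream with this log?"""
    keys = parse_keylog(keylog_text)
    return {r: can_decrypt(keys.get(r, set())) for r in map(client_random, records) if r}

def make_hello(rand):
    """Constructed minimal ClientHello record around a 32-byte random (lab data only)."""
    body = b"\x03\x03" + rand + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

R12, R13, R_NOKEY = bytes([0x11]) * 32, bytes([0x22]) * 32, bytes([0x33]) * 32
SAMPLE_KEYLOG = f"""# constructed SSLKEYLOGFILE: one TLS 1.2 session, one TLS 1.3 session
CLIENT_RANDOM {R12.hex()} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {R13.hex()} {'bb' * 32}
CLIENT_TRAFFIC_SECRET_0 {R13.hex()} {'cc' * 32}
SERVER_TRAFFIC_SECRET_0 {R13.hex()} {'dd' * 32}
"""
# Three handshakes (third has no keys logged) plus one application-data record to be skipped
HELLOS = [make_hello(R12), make_hello(R13), make_hello(R_NOKEY), b"\x17\x03\x03\x00\x01\x00"]
```

Running coverage(SAMPLE_KEYLOG, HELLOS) flags the first two sessions as decryptable and the third as missing from the log, which is exactly the stream Wireshark would leave encrypted.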
Key Takeaway for Lesson 24
IR follows detect, contain, eradicate, recover, and lessons learned. Forensics can include decrypting TLS in Wireshark when session keys are available (SSLKEYLOGFILE). Use this in a lab to analyze encrypted traffic; only decrypt when you have authority over the keys. Next: career paths and next steps.