Project 03 · Week 4 of 9 · Days 07 & 08

Analyzing Email Headers
& Tracing Attacks

A five-hour hands-on incident-management lab. You will follow a single suspect message from a victim's inbox down to the network it likely came from, learn to read raw email headers the way a Tier-1 SOC analyst reads them, run the same email through public routing-analysis tools, safely triage URLs and attachments without ever clicking, and write a short report an incident commander could actually act on.

5 hours of hands-on work Ponderation 2-3-3 Max 5-page A4 PDF report Course: Incident Management — IH&R Late: −1 pt per 24 h block

Read this first

What this lab is — and what it isn't

This work is sized for five hours of effort, not five hours of clock time. People work at different speeds, and that is fine. If you finish in four, congratulations. If it takes you six because you got curious and chased a Received header back to a hosting provider in Sofia, even better — that is exactly the kind of curiosity I want you developing.

What this lab is not: a copy-paste tour of MXToolbox screens. If your final report consists of three screenshots and a sentence each, you have misunderstood the assignment and you will be marked accordingly.

You will produce

One PDF report, maximum 5 A4 body pages
Original screenshots, captioned and numbered
A routing diagram (hand-drawn or digital — both accepted)
A reusable header reference card

You will not

Click suspect URLs in your live browser
Open any attachment by double-clicking
Use AI tools to write the words in your report
Borrow screenshots from blogs, YouTube, or LinkedIn
Overclaim attribution beyond your evidence

Time budget

Suggested split — be honest with yourself about pace, and adjust:

Section	Topic	Approx. duration
Part A	Header anatomy & the four anchor fields	≈ 60 min
Part B	Routing analysis & spoof detection	≈ 110 min
Part C	Safe URL/attachment triage & end-to-end tracing	≈ 120 min
Plus the report write-up (if you've been taking notes as you went)		30–45 min
Pre-lab setup	Not counted in the five hours	≈ 30 min

Ponderation — how the grading splits

This lab uses the 2-3-3 ponderation scheme across three exercises. Total weight is 8 units; each unit is one ponderation point.

Section	Topic	Weight	% of grade
Part A	Header anatomy — read & explain the four anchor fields	2	25 %
Part B	Routing analysis with public tools + spoof detection	3	37.5 %
Part C	Safe triage of URLs & attachments + end-to-end tracing	3	37.5 %
Total		8	100 %

Read the rubric (see further down) before you start writing — it tells you what graders look for.

Pre-lab setup · ≈ 30 min · not counted in the 5 hours

Set up your workspace before the timer starts

Spend roughly thirty minutes getting your environment ready. None of this counts toward the five hours. Doing it well saves you grief later.

Every tool below is open and replaceable

The list is what I have used in production work, but every one of these has at least three credible alternatives. You are encouraged — actively expected — to research substitutes, try them out, and tell me in your report which tool you preferred and why. Bonus points for finding something I have not heard of.

Workspace folder structure

Create this on your machine. You will fill it as you go.

project_03_email_headers/ ├── 00_inputs/ (the three header dumps from this brief, copied as .eml) ├── 01_part_a/ (your annotated header reference card) ├── 02_part_b/ (tool screenshots, comparison tables) ├── 03_part_c/ (URL triage notes, sandbox screenshots, trace diagram) ├── 04_screenshots/ (clean, captioned PNG files for the report) └── 05_report/ (your 5-page A4 PDF goes here)

A note on safety before you touch anything

Some of the techniques below are close enough to real-world incident response that misusing them on infrastructure you don't own is illegal in Spain (Law 1/2019 transposing EU Directive 2016/1148) and in most jurisdictions you might happen to be in. Do not click suspect links in your live browser. Do not double-click attachments. Do not run executables from unknown senders. If you accidentally infect your own machine — and it does happen, especially during the attachment exercise — disconnect from the network, write down what you were doing, and tell me. You will not lose points for an honest accident reported promptly. You will lose points for hiding it.

A×2

Exercise 1 of 3 · weight 2 of 8 · ≈ 60 minutes

Header anatomy: the four anchor fields

From Received X-Originating-IP Message-ID + Reply-To

Every email carries a long block of text called a header. Most users never see it. Most analysts spend the first three minutes of every email investigation reading exactly four fields out of it. You are going to learn what those four fields say, what they mean, what attackers can change in them, and what they cannot. Then you will build yourself a one-page reference card you can use for the rest of your career.

A.1 Open the sample header and find the fields ≈ 20 min

Below is a header dump from a real-looking email. Copy it into a plain-text file called sample_a1_clean.eml inside 00_inputs/. Do not edit it. The names and IPs are fictional but plausible — this email purports to be a routine invoice from a glass supplier in Madrid to an architecture studio.

sample_a1_clean.eml · legitimate invoice from a Madrid supplier

Return-Path: <facturacion@vidriosmadrid.es>
Delivered-To: maria.lopez@arch-studio-madrid.com
Received: from mx2.arch-studio-madrid.com (mx2.arch-studio-madrid.com [185.42.18.91])
        by inbox.arch-studio-madrid.com (Postfix) with ESMTPS id 4F2B7C0291
        for <maria.lopez@arch-studio-madrid.com>; Wed, 13 May 2026 10:18:42 +0200 (CEST)
Received: from mail.vidriosmadrid.es (mail.vidriosmadrid.es [212.106.221.44])
        by mx2.arch-studio-madrid.com (Postfix) with ESMTPS id 9D8A1B14A2
        for <maria.lopez@arch-studio-madrid.com>; Wed, 13 May 2026 10:18:39 +0200 (CEST)
Received: from desktop-cristina.vidriosmadrid.local (unknown [10.0.4.117])
        by mail.vidriosmadrid.es (Postfix) with ESMTPSA id 71C220E883
        for <maria.lopez@arch-studio-madrid.com>; Wed, 13 May 2026 10:18:36 +0200 (CEST)
Authentication-Results: mx2.arch-studio-madrid.com;
        spf=pass (sender IP is 212.106.221.44) smtp.mailfrom=vidriosmadrid.es;
        dkim=pass (signature was verified) header.d=vidriosmadrid.es;
        dmarc=pass action=none header.from=vidriosmadrid.es
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=vidriosmadrid.es;
        s=selector1; h=From:To:Subject:Date:Message-ID;
        bh=Hf3O4bMVmJ8kQpNyTw0xZcB6r4lkTqu6Nn1Dq1eXvSk=;
        b=Q9zKfPb...truncated for the lab...
From: "Cristina Aguirre — Vidrios Madrid" <facturacion@vidriosmadrid.es>
To: "María López" <maria.lopez@arch-studio-madrid.com>
Subject: Factura mayo 2026 — proyecto Castellana 200
Date: Wed, 13 May 2026 10:18:32 +0200
Message-ID: <20260513081832.71C220E883@mail.vidriosmadrid.es>
X-Originating-IP: [10.0.4.117]
X-Mailer: Mozilla Thunderbird 115.10.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_4827_1894473092.1715591912"

Now answer the following, in your own words, in a Markdown file called a1_field_walkthrough.md. Do not quote the header back at me — paraphrase. If you copy text directly from the dump or from a website, your work will trip plagiarism filters and the section is worth zero.

From — Who claims to have sent the message? What can the recipient see at a glance? What can an attacker change in this field with no tooling at all?
Received — There are three Received: lines. Which was added first chronologically? Which was added last? Explain. (Hint: read RFC 5321 §4.4.)
X-Originating-IP — What does this field represent in this specific dump? What is the practical limit of trusting it?
Message-ID — What is its formal purpose per RFC 5322 §3.6.4? Why might two emails with identical Message-IDs raise an immediate red flag in a SOC?

Aim for two short paragraphs per field. Roughly 120–180 words per field. Plain English, your voice.

A.2 Build your reference card ≈ 25 min

Create a one-page Markdown table that you can keep on your phone or print and stick to your monitor. The table should cover the four anchor fields plus a fifth, Reply-To, which is one of the single most-abused fields in modern phishing.

Required columns:

Field	What it answers	Who writes it	Can an attacker forge it?	First-line analyst question
Fill in five rows: From · Received · X-Originating-IP · Message-ID · Reply-To

Save the file as a2_reference_card.md. This card will be referenced from your final report; keep it concise and high-signal.

5 rows filled (From · Received · X-Originating-IP · Message-ID · Reply-To)
Concise — fits on one printed A4 page
Saved to 01_part_a/a2_reference_card.md

A.3 Spot the inconsistency ≈ 15 min

Below is a second dump, sample_a3_inconsistency.eml. Copy it into 00_inputs/. Find the field that contradicts another field, and write one paragraph (no more than 120 words) describing the inconsistency in plain language. You should not need any tool yet — just your eyes and the reference card you just built.

sample_a3_inconsistency.eml · Banco Santander look-alike spoof

Return-Path: <noreply@actualizacion-banco.top>
Delivered-To: pedro.garcia@logistica-vallecas.com
Received: from mail37.actualizacion-banco.top (mail37.actualizacion-banco.top [89.47.114.211])
        by mx.logistica-vallecas.com (Postfix) with ESMTP id 8AE910DE2C
        for <pedro.garcia@logistica-vallecas.com>; Thu, 14 May 2026 08:11:14 +0200 (CEST)
Authentication-Results: mx.logistica-vallecas.com;
        spf=fail (sender IP is 89.47.114.211) smtp.mailfrom=actualizacion-banco.top;
        dkim=none;
        dmarc=fail action=quarantine header.from=santander.es
From: "Banco Santander — Seguridad" <seguridad@santander.es>
Reply-To: verificar@actualizacion-banco.top
To: "Pedro García" <pedro.garcia@logistica-vallecas.com>
Subject: Aviso urgente — Verifique sus credenciales en 24 horas
Date: Thu, 14 May 2026 08:11:10 +0200
Message-ID: <20260514061110.contacto@actualizacion-banco.top>
X-Originating-IP: [89.47.114.211]

Identified the field(s) that disagree across the header
Written paragraph (≤ 120 words) saved as a3_inconsistency.md

Part A deliverables for the report

One short subsection (about half a page) summarising what the four anchor fields tell you and what they don't · the reference card from A.2 inserted as a clean table · the inconsistency paragraph from A.3 as the bridge into Part B. No screenshots needed for Part A — this is text-only work.

B×3

Exercise 2 of 3 · weight 3 of 8 · ≈ 110 minutes

Routing analysis & spoof detection

Tool 1: header analyzer Tool 2: different analyzer Side-by-side comparison Direct DNS lookup

Reading a header by eye gets you about sixty percent of the way to a verdict. The rest is for tools. Tools turn a forty-line text wall into a routing diagram, flag the IPs that have known abuse history, and tell you whether the apparent sender domain has SPF/DKIM/DMARC deployed in a way that should have caught the spoof. In Part B you will run the same email through two different tools, compare what they tell you, and then go a level deeper by querying the sender domain's authentication records yourself.

You will work with two messages: the clean one from Step A.1, and the suspicious one from Step A.3. Yes, you will analyse the same headers a second time — this time with tooling. The point is for you to feel the difference between manual reading and tool-assisted reading, and to develop an instinct for when each is enough.

B.1 Trace the clean message through MXToolbox ≈ 25 min

Open MXToolbox Email Header Analyzer in a private/incognito window — habit worth building, limits cross-session tracking when pasting metadata into third-party services.
Paste the full header from sample_a1_clean.eml. Leave the body out — only the header matters and the body could contain malicious markup.
Screenshot the full results pane (routing diagram + authentication summary) as b1_mxtoolbox_clean.png in 04_screenshots/.
Write ≈ 200-word analysis as b1_clean_analysis.md covering hop count, longest delay, SPF/DKIM/DMARC alignment, originating server geolocation.

What "alignment" means in DMARC

See dmarc.org for a non-vendor explanation. Be sceptical about IP geolocation — accurate for hosting providers, roughly accurate for residential ISPs, but it lies for VPNs and cloud services.

B.2 Trace the suspicious message through a different tool ≈ 25 min

Deliberately use a different tool from B.1. The two most common alternatives are Google Admin Toolbox — Messageheader and Microsoft's Message Header Analyzer. Pick one. If you find a fourth tool you prefer, tell me about it in your report and use it — that earns research credit.

Paste the header from sample_a3_inconsistency.eml. Screenshot results as b2_<toolname>_suspicious.png.
Write ≈ 200-word analysis as b2_suspicious_analysis.md.

Address these in your write-up:

What did the tool flag that you might have missed reading the header by eye?
The From, Return-Path, and Reply-To all disagree. Why does that disagreement, on its own, not automatically prove the email is malicious — even though it strongly suggests it?
The Authentication-Results line shows dmarc=fail action=quarantine. Translate that into plain English for a non-technical person — say, the recipient's office manager who is going to ask you "so is it dangerous or not?"

B.3 Side-by-side comparison ≈ 20 min

Build a comparison table called b3_comparison.md. Three columns: What the tool checks, Tool 1 result on clean message, Tool 2 result on suspicious message.

At minimum, populate these rows:

What the tool checks	Tool 1 (clean)	Tool 2 (suspicious)
Number of routing hops detected	— fill in —
Originating IP identified	—
IP reputation flag (clean / suspicious / known-bad)	—
SPF result	—
DKIM result	—
DMARC result	—
Domain age of sender domain	—
Final verdict the tool offered, if any	—

Use whois.domaintools.com or any equivalent for the domain age — domains less than thirty days old are themselves a risk indicator.

B.4 Authentication record lookup — direct DNS query ≈ 25 min

The suspicious email purported to come from santander.es. The tools told you DMARC failed because the actual sending IP was not authorised by Santander's SPF record. Now verify that yourself, directly from public DNS, without relying on the tool.

Pick any of the following — substitute freely:

dig

Linux / macOS

Resolve-DnsName

PowerShell / Windows

MXToolbox SuperTool

Web · TXT / DMARC lookups

DNS Checker

Web · multi-region

For the domain `santander.es`, capture three things

SPF record (DNS TXT record starting with v=spf1) — screenshot as b4_spf_santander.png. Read it: does it list 89.47.114.211 as authorised? It should not.
DMARC record at _dmarc.santander.es — screenshot as b4_dmarc_santander.png. Note the policy verbatim: none, quarantine, or reject.
At least one DKIM selector at <selector>._domainkey.santander.es. Try selector1, selector2, default, google, s1, mail. If none return — document that fact and explain why.
Write ≈ 250-word analysis as b4_auth_records.md.

The honest "I tried five selectors, none returned" answer is worth full credit. A fabricated record is worth zero.

DKIM selectors are not always discoverable without seeing a real sent message first. That is normal. Document what you tried and what came back.

Address these in your write-up:

What does Santander's published DMARC policy tell you about how seriously they take spoofing of their domain?
If their policy is p=quarantine or p=reject, why did the suspicious email still land in the user's inbox? Plot twist: the receiving server did mark it dmarc=fail. Whether it then spam-foldered or delivered the message depends on the recipient's mail server configuration, not on Santander's published policy. This nuance is worth understanding.
What practical advice would you give a small Madrid business that ships invoices through a generic shared-hosting SMTP server about adopting SPF/DKIM/DMARC?

Part B deliverables for the report

A subsection of about 1½ pages · two screenshots (one tool from B.1/B.2 — pick the most informative) · the comparison table from B.3 · two paragraphs on the SPF/DKIM/DMARC findings from B.4 · one screenshot of the SPF lookup from B.4 (single most-cited piece of evidence in spoofing reports).

Tip: graders prefer annotated screenshots (red boxes around relevant lines + short captions) over raw screenshots. Annotation tools that work fine: macOS Markup, Windows Snip & Sketch, Greenshot, or Flameshot.

Deliverable

The 5-page A4 research report

You will submit a single PDF, no more than five pages of A4 content (cover page and appendix do not count toward the five-page limit). Structure your report exactly like this — graders read in this order, and reports that follow the order grade better.

Required sections, in order

#	Section	Length	Notes
—	Cover page	separate	Title, name + ID, date, course, body word count
1	Executive summary	½ page (body p.1)	3–4 sentences + one verdict line + one recommended next action
2	Methodology	½ page (p.1)	Tools used + why over alternatives + ethical considerations observed
3	Findings — Part A	½ page (p.2)	Reference card · 2 sentences per anchor field · the inconsistency observation
4	Findings — Part B	1½ pages (p.2-3)	Comparison table · 2 annotated screenshots · plain-English explanation · SMB advice
5	Findings — Part C	2 pages (p.4-5)	Routing diagram (centrepiece) · routing table · URL triage · attachment hash + verdict · origin writeup · attribution caveats
6	Conclusions & recommendations	½ page (p.5)	3–5 bullet points · 1 technical + 1 organisational at minimum
7	References	end of body or appendix	Numbered, clickable, RFCs, tools, every citation
—	Appendix	separate	Full screenshots, raw notes — does not count toward 5

Screenshot rules

Your own screenshots only. Borrowed images = work returned for revision and graded as late.
Annotated with red boxes around relevant lines + 1-sentence captions.
Legible. Minimum 1024 × 768; native screen resolution preferred.
Cropped honestly. Do not hide relevant fields.
Numbered. "Figure 3 — VirusTotal community score for the suspect URL." Reference figure numbers in body text.

Hyperlink rules

Every URL clickable in the exported PDF. Verify after export.
Style links clearly visible: blue, underlined, or visually distinct from body text. Black non-underlined text is not acceptable.
Link target must match visible text — do not put https://innocent.com as the visible text linking to https://harvest.top. Yes, that's exactly the trick we just analysed in Part C. Don't be the trick.

Image & IP rules

Any image not your own = clearly attributed in References. Free-licence sources OK: Wikimedia Commons, Unsplash, Pexels — observe each licence.
Logos belong to their owners. Better practice for this lab: do not reproduce real corporate logos at all.
RFC short factual quotes are fine; include RFC number + section. Block quotes > 3 sentences should be paraphrased.
No AI-generated text in the report. Brainstorming with AI is fine; the words must be yours.

On plagiarism

If you find yourself in a hurry and tempted to copy a paragraph from a Medium post or vendor blog — don't. Plagiarism scanners are very good at finding lifted text from the public web. The two-minute time saving is not worth the academic conduct hearing. If you genuinely need to quote someone, quote in quotation marks, attribute inline (e.g. Verizon DBIR, 2025, p. 14), and list in References. Stitching together half-a-dozen "borrowed" paragraphs is not.

Grading

Per-section rubric

Each section is scored on a 0–10 scale, then weighted by the 2-3-3 ponderation. Read this before you start writing.

Part A · ×2 Header anatomy

Criterion	Points
Four-field walkthrough is in your own words and substantively correct	4
Reference card is complete, accurate, and usable as a job aid	3
Inconsistency in A.3 is correctly identified and explained	2
Markdown formatting is clean and professional	1
Total	10

Part B · ×3 Routing analysis

Criterion	Points
Both tools were used and the screenshots are clear, legible, annotated	3
Comparison table is complete and the differences are correctly interpreted	2
Plain-English explanation for non-technical audience is genuinely accessible	2
SPF/DMARC lookup is direct and the results are correctly explained	2
Practical advice for a Madrid SMB (Small/Medium Business) is concrete	1
Total	10

Part C · ×3 Safe triage & tracing

Criterion	Points
URLs were defanged before pasting anywhere; safe-handling discipline visible throughout	1
URL triage uses at least three independent sources (VirusTotal + urlscan.io + Talos or equivalent)	2
Attachment was triaged via hash lookup before upload, and the workflow is documented	1
Routing table is correct and complete	2
Routing diagram visibly communicates the four hops and the origin	2
Attribution caveats are honest and specific — overclaiming loses 2 points here	2
Total	10

Final grade calculation

final = ( A × 2 + B × 3 + C × 3 ) / 8

Example: 9 in A, 7 in B, 8 in C → (18 + 21 + 24) / 8 = 7.875 ≈ 7.9 / 10

Late penalty

−1 pt / 24 h

Forward context

Your full nine-week project portfolio

This lab is Project 03 in a series of nine. By the end of the course you will submit a portfolio combining all nine. Each project is structured the same way: a hands-on lab tied to the Class 2 topic of the corresponding week.

#	Week	Project topic
01	2	Securing Crime Scenes & Collecting Digital Evidence
02	3	Malware Detection, Analysis & Containment
03	4	Analyzing Email Headers & Tracing Attacks ← you are here
04	5	Mid-Term Review (consolidation, not a new project)
05	6	Mid-Term Examination (project artefact submitted)
06	7	Network Traffic Analysis & Incident Validation
07	8	Detecting & Eradicating Insider Activity
08	9	Mobile & IoT (Internet of Things) Forensics and Analysis
09	10	Final Examination — full portfolio defence

The skills you build in Project 03 are foundational for Project 06 (network traffic analysis applies the same routing-trace logic to whole packet flows) and for Project 07 (insider activity often shows up first in unusual outbound email patterns). Take this work seriously. The investment compounds.

Reference

Hyperlinks compendium

Every external resource referenced in this brief, gathered for easy bookmarking. Hyperlinks here are clearly visible — your final report should follow the same convention.

● Standards, RFCs, and authoritative bodies

● Header analysis tools

● URL, file, and IP reputation

● Domain investigation

● Diagram & screenshot tools

● Free-licence image sources

● Industry annual reports

Read in full

Disclaimer

Applies to every Cyber.SoHo educational deliverable, including this lab and every artefact you produce as part of it.

On intellectual property

All Cyber.SoHo Educational Hub materials — this lab brief, accompanying lecture notes, sample headers, code artefacts, slide decks, and any derivative works — are the sole intellectual property of Cyber.SoHo. Cyber.SoHo is the only creator and owner of these educational materials. Reproduction, redistribution, or republication of these materials in whole or in part, in any medium, without the prior written consent of Cyber.SoHo, is prohibited.

These materials are produced and delivered independently. Cyber.SoHo Educational Hub is not affiliated with any other organisation, vendor, person, fictional entity, or institution referenced in this lab.

All third-party trademarks, service marks, names, and logos referenced — including but not limited to Microsoft, Google, GitHub, Mailgun, MXToolbox, VirusTotal, urlscan.io, Cisco Talos, AbuseIPDB, Banco Santander, INCIBE, Europol, IETF, NIST, and any others mentioned — belong to their respective owners. Their inclusion is for educational reference only and does not imply endorsement, partnership, or any commercial relationship.

On the tools and techniques used in this lab

The tools listed in pre-lab setup and throughout the exercises are open — meaning they are publicly accessible, free or freemium, and replaceable. You are encouraged to research, evaluate, and substitute alternatives wherever you find a tool you prefer or one that fits your workflow better. Reporting on alternative tools you have found and tested earns research credit in your final write-up.

You are also actively encouraged to build your own tools — a Python script that automates parts of the workflow, a small command-line utility that wraps dig queries, a browser bookmark that defangs a URL on the clipboard. Tooling fluency is the single largest separator between an entry-level analyst and a senior one. Start building yours now.

On the techniques themselves

The techniques taught in this lab — header analysis, routing-trace reconstruction, IP and domain reputation lookup, sandboxed URL and file triage — are the same techniques used by professional incident response teams, by SOC analysts, and unfortunately also by people who use these techniques for purposes that are illegal under Spanish, European Union, and most international law.

These materials are taught for defensive purposes only. Specifically:

The lab teaches you how to recognise, analyse, and respond to attacks directed against an organisation you are authorised to defend.
The lab does not teach, and does not authorise, attacks against any system, network, account, or person you do not have explicit written permission to test.
Public reputation tools (VirusTotal, urlscan.io, AbuseIPDB) are for analysing samples you have lawfully obtained. Submitting a sample of someone else's email or files without their consent may itself be a privacy violation in your jurisdiction.
DNS lookups against public records (SPF, DMARC, WHOIS) are publicly available and lawful in essentially every jurisdiction. The DNS records you query in Part B are intentionally public.

If at any point in your career you find a colleague or a "friend" suggesting these techniques be turned outward against a target you have no authorisation to investigate — including "as a joke", "to teach them a lesson", or "they totally deserve it" — that is the moment to refuse, document the request in writing, and notify whoever in your chain of command needs to know. Misuse of these techniques is illegal and is contrary to Cyber.SoHo's values, the values of every credible cybersecurity organisation, and to the trust that incident responders depend on to do their job.

On the lab artefacts

The sample headers, sample message bodies, and sample attachment in this lab are fabricated for educational use. The companies, individuals, IP addresses, domains, and incidents described are fictional and any resemblance to real organisations is coincidental. The base64-encoded "attachment" in the Part C sample contains a one-line plain-text HTML document and contains no malware. You will treat it as if it were malicious in order to practise the workflow, but the actual file is harmless.

If during your research you encounter live malware samples, real abuse infrastructure, or any artefact that appears to be in active criminal use — do not download, do not analyse on your own equipment, do not share publicly. Report to INCIBE-CERT or the equivalent national CERT in your jurisdiction.

On accuracy and currency

Cybersecurity is a fast-moving field. Tools change UIs, services rebrand, vendors get acquired, free tiers get rate-limited or disappear. Hyperlinks in this lab are accurate at the time of publication; if you find a broken link, document it in your report and find the current authoritative source. Always verify URLs through VirusTotal before clicking or sharing them, even URLs in this brief — that is exactly the practice the lab is teaching you.

On liability

These materials are provided for educational purposes only. Any decision to apply techniques learned in this lab to live production systems, to client environments, or to any system not explicitly designated for this lab is made at the user's own risk and on the user's own responsibility. Cyber.SoHo Educational Hub accepts no liability for any direct, indirect, incidental, consequential, or any other damages arising from the use, misuse, or inability to use the techniques and tools described in these materials.

On plagiarism — again because it bears repeating

Submitting work that is not your own, including text generated by AI assistants without disclosure and substantial transformation, is grounds for academic conduct review. Cyber.SoHo's plagiarism policy applies to all coursework. The bar is simple: if a sentence in your report is not in your own voice and your own words, with proper attribution where someone else's words are included, the section is at risk.

This lab brief itself is original Cyber.SoHo content. It is offered to you under an educational-use licence — meaning you may quote from it in your report (with attribution) but you may not redistribute it, repackage it, or publish it. The instructor reserves all other rights.

On research and creativity

And this is the most important paragraph in the disclaimer, despite being the last — think for yourself. The grading rubric rewards work that demonstrates genuine engagement with the material, not work that hits all the bullet points like a checklist. If a section of this lab does not make sense to you, that is a signal to dig in further, not to gloss over. If you find a better workflow than the one I have described, document it in your report — better workflows earn extra credit and they make the field better. If you find an error in this brief, tell me; I will issue a correction and credit you in the next revision.

The point of cybersecurity education is to produce people who can think under pressure when something has gone wrong. That cannot be tested by checking boxes. It can only be developed by practice and by curiosity. Bring both to this lab.

End of Project 03 Lab Brief · Cyber.SoHo Educational Hub · From the Industry to the Classroom