In [None]:
# Guarded Setup
DRY_RUN = True
from notebooks._utils.common import *
CLI_OK = shell_available('forensic-cli')
LAB_ID = '20_network_to_timeline_exercise'
LAB_ROOT = lab_root(LAB_ID)
print(f'CLI available: {CLI_OK}')
print(f'Artifacts root: {LAB_ROOT}')


# Exercise · Network to Timeline

Recreate the network-to-timeline workflow using the SDK. Complete the TODO
cells to execute the network module against the synthetic JSON input and then
generate a unified timeline. Refer back to the main lab or the provided
solution if you need a hint.

## 1. Prepare Workspace
The helper code below registers the network and timeline modules and
constructs a deterministic case for you.

In [None]:
from pathlib import Path
import json
from forensic.core.framework import ForensicFramework
from forensic.modules.analysis.network import NetworkAnalysisModule
from forensic.modules.analysis.timeline import TimelineModule

WORKSPACE = LAB_ROOT / 'workspace'
CASE_ID = 'CASE_LAB20_EXERCISE'
framework = ForensicFramework(workspace=WORKSPACE)
registered = set(framework.list_modules())
if 'network' not in registered:
    framework.register_module('network', NetworkAnalysisModule)
if 'timeline' not in registered:
    framework.register_module('timeline', TimelineModule)
try:
    case = framework.load_case(CASE_ID)
except ValueError:
    case = framework.create_case(
        name='Lab 20 Exercise Case',
        description='Complete the TODO steps to build a timeline.',
        investigator='Notebook Analyst',
        case_id=CASE_ID,
    )
case.case_id


## 2. Synthetic PCAP JSON
This is the same deterministic dataset used in the lab so that your answers
match the solution exactly.

In [None]:
pcap_payload = {
    'flows': [
        {
            'src': '10.0.0.5',
            'dst': '192.168.1.10',
            'src_port': 52344,
            'dst_port': 80,
            'protocol': 'TCP',
            'packets': 6,
            'bytes': 512,
            'start_ts': '2024-03-01T12:00:00Z',
            'end_ts': '2024-03-01T12:00:05Z',
        },
        {
            'src': '10.0.0.5',
            'dst': '8.8.8.8',
            'src_port': 55344,
            'dst_port': 53,
            'protocol': 'UDP',
            'packets': 2,
            'bytes': 128,
            'start_ts': '2024-03-01T11:59:50Z',
            'end_ts': '2024-03-01T11:59:51Z',
        },
        {
            'src': '192.168.1.10',
            'dst': '10.0.0.5',
            'src_port': 80,
            'dst_port': 52344,
            'protocol': 'TCP',
            'packets': 4,
            'bytes': 1024,
            'start_ts': '2024-03-01T12:00:01Z',
            'end_ts': '2024-03-01T12:00:04Z',
        },
    ],
    'dns': {
        'queries': [
            {
                'timestamp': '2024-03-01T11:59:50Z',
                'query': 'updates.example.com',
                'query_type': 1,
                'src': '10.0.0.5',
                'dst': '8.8.8.8',
                'src_port': 55344,
                'dst_port': 53,
                'protocol': 'UDP',
                'heuristics': {'high_entropy': False, 'long_domain': False},
            },
            {
                'timestamp': '2024-03-01T11:59:55Z',
                'query': 'payload.control-node.example',
                'query_type': 28,
                'src': '10.0.0.5',
                'dst': '8.8.4.4',
                'src_port': 55345,
                'dst_port': 53,
                'protocol': 'UDP',
                'heuristics': {'high_entropy': False, 'long_domain': True},
            },
        ]
    },
    'http': {
        'requests': [
            {
                'timestamp': '2024-03-01T12:00:02Z',
                'method': 'GET',
                'host': 'intranet.local',
                'uri': '/status',
                'user_agent': 'NotebookLab/1.0',
                'src': '10.0.0.5',
                'dst': '192.168.1.10',
                'src_port': 52344,
                'dst_port': 80,
                'protocol': 'TCP',
                'indicators': {'encoded_uri': False, 'suspicious_user_agent': False},
            },
            {
                'timestamp': '2024-03-01T12:00:03Z',
                'method': 'POST',
                'host': 'collector.example.net',
                'uri': '/beacon',
                'user_agent': 'curl/7.88.1',
                'src': '10.0.0.5',
                'dst': '198.51.100.23',
                'src_port': 52345,
                'dst_port': 443,
                'protocol': 'TCP',
                'indicators': {'encoded_uri': False, 'suspicious_user_agent': True},
            },
        ]
    },
}
pcap_input_path = LAB_ROOT / 'inputs' / 'pcap_synthetic.json'
pcap_input_path.parent.mkdir(parents=True, exist_ok=True)
json_dump_sorted(pcap_payload, pcap_input_path)
pcap_input_path


## 3. TODO · Execute the Network Module
Use `framework.execute_module('network', params={'pcap_json': ...})` to process
the JSON file and capture the resulting output path.

In [None]:
# TODO: run the network module against pcap_input_path and load the JSON output.
raise NotImplementedError('Implement the network analysis step.')


## 4. TODO · Generate the Timeline
Point the timeline module at the directory that now contains `network.json` and
produce unified timeline artefacts. Export the resulting rows to `.labs/` for
later inspection.

In [None]:
# TODO: execute the timeline module and export the combined events.
raise NotImplementedError('Implement the timeline generation step.')
