Passive Reconnaissance

index

Student: Tapiwanashe Mlambo
Platform: TryHackMe
Module: Passive Reconnaissance Room

1.0 Executive Summary

This laboratory exercise focused on passive reconnaissance techniques, a critical preliminary phase in cybersecurity assessment and penetration testing. The module explored the collection of publicly available information about target systems, networks, and organizations without direct interaction or engagement that might alert security monitoring systems.

The practical component involved hands-on experience with essential reconnaissance tools including WHOIS databases, DNS enumeration utilities (nslookup and dig), specialized online services (DNSDumpster), and comprehensive search engines (Shodan.io). These tools collectively provide extensive intelligence gathering capabilities while maintaining operational security through passive collection methods.

The exercise demonstrated how seemingly innocuous publicly available information can reveal significant details about an organization’s infrastructure, potentially exposing attack vectors and security vulnerabilities that could be exploited by malicious actors.

2.0 Learning Objectives

Upon completion of this laboratory exercise, the following competencies were achieved:

Understanding the fundamental differences between passive and active reconnaissance methodologies
Proficiency in utilizing WHOIS databases for domain registration intelligence
Competence in DNS enumeration using command-line tools (nslookup, dig)
Familiarity with automated reconnaissance platforms (DNSDumpster)
Understanding of Internet-wide scanning services (Shodan.io)
Appreciation for the security implications of publicly exposed information
Development of intelligence gathering workflows and methodologies

3.0 Reconnaissance Fundamentals

3.1 Information Gathering in Cybersecurity

Reconnaissance represents the foundational phase of any security assessment, providing essential intelligence that informs subsequent testing phases. This preliminary investigation serves multiple purposes:

Attack Surface Mapping: Identifying potential entry points and vulnerabilities
Technology Profiling: Understanding the target’s technological infrastructure
Personnel Intelligence: Gathering information about organizational structure
Operational Security: Maintaining stealth during information collection

3.2 Legal and Ethical Considerations

Passive reconnaissance operates within legal boundaries by utilizing publicly available information sources. However, ethical considerations remain paramount:

Intended Use: Information gathering should serve legitimate security purposes
Data Protection: Collected intelligence must be handled with appropriate security measures
Professional Responsibility: Practitioners must maintain ethical standards in information use
Regulatory Compliance: Activities must align with applicable legal frameworks

4.0 Passive vs. Active Reconnaissance Methodology

4.1 Passive Reconnaissance Characteristics

Passive reconnaissance distinguishes itself through non-intrusive information collection methods:

4.1.1 Key Attributes

No Direct Target Interaction: Information gathering occurs without connecting to target systems
Publicly Available Sources: Utilizes information that is intentionally or inadvertently public
Stealth Operation: Activities typically remain undetected by target monitoring systems
Legal Compliance: Generally operates within legal boundaries using public information

4.1.2 Information Sources

Domain Registration Records: WHOIS databases containing registrant information
DNS Records: Publicly queryable domain name system information
Search Engine Results: Indexed web content and cached pages
Social Media Platforms: Professional and personal social networks
Public Databases: Government records, corporate filings, and regulatory submissions

4.2 Active Reconnaissance Comparison

Active reconnaissance involves direct interaction with target systems:

4.2.1 Distinguishing Characteristics

Direct System Interaction: Involves connecting to or querying target systems
Detection Risk: Activities may trigger security monitoring and alerting systems
Legal Implications: May require explicit authorization to avoid legal complications
Technical Depth: Often provides more detailed technical information

4.2.2 Common Techniques

Port Scanning: Probing target systems for open network services
Vulnerability Scanning: Automated testing for known security weaknesses
Service Enumeration: Detailed analysis of running services and configurations
Social Engineering: Direct interaction with personnel to gather information

4.3 Strategic Considerations

The choice between passive and active reconnaissance depends on several factors:

Assessment Scope: Authorized testing boundaries and limitations
Stealth Requirements: Need to avoid detection during information gathering
Time Constraints: Available timeframe for reconnaissance activities
Legal Authorization: Explicit permission for intrusive testing activities

5.0 WHOIS Database Intelligence

5.1 WHOIS Protocol Overview

The WHOIS protocol provides a standardized method for querying domain registration databases, revealing valuable organizational intelligence:

5.1.1 Historical Context

WHOIS originated in the early Internet era as a simple directory service, evolving into a comprehensive domain registration information system. The protocol operates on TCP port 43 and provides structured responses to domain queries.

5.1.2 Information Categories

WHOIS queries typically return the following information types:

Registrant Details: Organization name, contact person, and address information
Administrative Contacts: Personnel responsible for domain management
Technical Contacts: Staff handling technical domain configuration
Registration Dates: Initial registration and expiration timeframes
Name Servers: DNS infrastructure supporting the domain
Registrar Information: Domain registration service provider details

5.2 Practical WHOIS Implementation

5.2.1 Command-Line Usage

# Basic WHOIS query
whois domain.com

# Specific WHOIS server query
whois -h whois.server.com domain.com

# Suppress referral information
whois -H domain.com

5.2.2 Web-Based WHOIS Services

Online WHOIS services provide user-friendly interfaces and enhanced features:

Historical Data: Access to previous registration information
Bulk Queries: Simultaneous queries for multiple domains
API Integration: Programmatic access to WHOIS data
Enhanced Parsing: Structured data presentation and analysis

5.3 Intelligence Analysis Techniques

5.3.1 Organizational Profiling

WHOIS data enables comprehensive organizational intelligence gathering:

Corporate Structure: Understanding organizational hierarchy and relationships
Geographic Distribution: Identifying physical locations and operational centers
Technology Preferences: Analyzing registrar and DNS provider choices
Registration Patterns: Identifying domain acquisition and management practices

5.3.2 Threat Intelligence Applications

WHOIS information supports various threat intelligence activities:

Infrastructure Mapping: Connecting domains to common registrants or contacts
Campaign Tracking: Following threat actor domain registration patterns
Brand Protection: Monitoring for typosquatting and domain abuse
Incident Response: Investigating suspicious domain registrations

5.4 Privacy Considerations and Limitations

The General Data Protection Regulation (GDPR) significantly altered WHOIS information availability:

Redacted Information: Personal data protection requirements limit public access
Proxy Services: Increased use of privacy protection services
Verification Challenges: Difficulty in verifying registrant authenticity
Law Enforcement Exceptions: Special access procedures for legitimate investigations

5.4.2 Evasion Techniques

Organizations and individuals employ various methods to limit WHOIS exposure:

Privacy Protection Services: Third-party services masking true registrant information
Proxy Registrations: Using intermediary services for domain registration
Frequent Transfers: Regular domain transfers to obscure ownership trails
False Information: Providing inaccurate registration details (though legally problematic)

6.0 DNS Enumeration and Intelligence

6.1 Domain Name System Fundamentals

The Domain Name System (DNS) serves as the Internet’s directory service, translating human-readable domain names into numerical IP addresses. DNS infrastructure contains extensive information valuable for reconnaissance purposes.

6.1.1 DNS Record Types

DNS maintains various record types, each serving specific purposes:

A Records: Map domain names to IPv4 addresses
AAAA Records: Map domain names to IPv6 addresses
MX Records: Specify mail server priorities and destinations
CNAME Records: Create aliases for existing domain names
TXT Records: Store arbitrary text information, often used for verification
NS Records: Identify authoritative name servers for domains
SOA Records: Contain administrative information about DNS zones

6.1.2 DNS Hierarchy Structure

DNS operates as a hierarchical distributed database:

Root Servers: Top-level DNS infrastructure managed by ICANN
Top-Level Domains (TLDs): Generic (.com, .org) and country-code (.uk, .jp) domains
Second-Level Domains: Organization-specific domains (example.com)
Subdomains: Additional hierarchical levels (mail.example.com)

6.2 NSLookup Implementation

NSLookup provides interactive and command-line DNS querying capabilities:

6.2.1 Basic Query Operations

# Simple A record lookup
nslookup domain.com

# Specific record type query
nslookup -type=MX domain.com

# Reverse DNS lookup
nslookup 192.168.1.1

# Using specific DNS server
nslookup domain.com 8.8.8.8

6.2.2 Interactive Mode Operations

NSLookup’s interactive mode enables complex query sequences:

# Enter interactive mode
nslookup

# Set query type
set type=TXT

# Query domain
domain.com

# Change DNS server
server 1.1.1.1

# Exit interactive mode
exit

6.3 Dig Command Mastery

Dig (Domain Information Groper) provides advanced DNS querying capabilities with detailed output formatting:

6.3.1 Standard Query Operations

# Basic domain query
dig domain.com

# Specific record type query
dig domain.com MX

# Trace DNS resolution path
dig +trace domain.com

# Short answer format
dig +short domain.com

6.3.2 Advanced Querying Techniques

# Multiple record types
dig domain.com A MX TXT

# Reverse DNS lookup
dig -x 192.168.1.1

# Query specific DNS server
dig @8.8.8.8 domain.com

# Disable recursion
dig +norecurse domain.com

6.4 DNS Intelligence Gathering

6.4.1 Subdomain Enumeration

DNS queries can reveal organizational subdomains:

Brute Force Enumeration: Systematic querying of common subdomain names
Zone Transfer Attempts: Requesting complete DNS zone information
Certificate Transparency Logs: Analyzing SSL certificates for subdomain information
Search Engine Discovery: Using search operators to find indexed subdomains

6.4.2 Infrastructure Mapping

DNS records provide valuable infrastructure intelligence:

IP Address Ranges: Identifying organizational network blocks
Email Infrastructure: Understanding mail server configurations
Content Delivery Networks: Recognizing CDN usage and providers
Third-Party Services: Identifying external service dependencies

7.0 DNSDumpster Intelligence Platform

7.1 Platform Overview

DNSDumpster represents a comprehensive DNS reconnaissance platform that automates and enhances traditional DNS enumeration techniques. The service aggregates multiple data sources to provide extensive domain intelligence.

7.1.1 Core Capabilities

Automated Subdomain Discovery: Systematic identification of domain subdomains
DNS Record Aggregation: Comprehensive collection of various DNS record types
Historical Data Access: Time-based analysis of DNS configuration changes
Visual Network Mapping: Graphical representation of domain relationships

7.1.2 Data Sources Integration

DNSDumpster leverages multiple intelligence sources:

Public DNS Servers: Querying various DNS resolvers for comprehensive coverage
Certificate Transparency Logs: Analyzing SSL certificate data for subdomain identification
Search Engine Results: Extracting domain information from indexed web content
Threat Intelligence Feeds: Incorporating security-focused domain intelligence

7.2 Operational Implementation

7.2.1 Basic Usage Workflow

Domain Input: Enter target domain name in the search interface
Automated Scanning: Platform performs comprehensive DNS enumeration
Result Analysis: Review discovered subdomains, IP addresses, and services
Export Options: Download results in various formats for further analysis

7.2.2 Advanced Features

API Integration: Programmatic access to DNSDumpster capabilities
Historical Comparison: Tracking DNS changes over time
Bulk Domain Processing: Simultaneous analysis of multiple domains
Threat Intelligence Integration: Correlation with known malicious indicators

7.3 Intelligence Analysis Applications

7.3.1 Attack Surface Discovery

DNSDumpster results reveal potential attack vectors:

Forgotten Subdomains: Identifying unmaintained or insecure subdomains
Development Environments: Discovering staging or testing environments
Administrative Interfaces: Locating management portals and control panels
Legacy Systems: Finding outdated infrastructure components

7.3.2 Organizational Profiling

DNS intelligence supports comprehensive organizational analysis:

Infrastructure Scale: Understanding the scope of digital infrastructure
Technology Preferences: Identifying preferred platforms and services
Geographic Distribution: Analyzing global infrastructure deployment
Security Posture: Assessing DNS security implementations

7.4 Limitations and Considerations

7.4.1 Data Accuracy Challenges

Stale Information: DNS data may not reflect current configurations
Incomplete Coverage: Some subdomains may remain undiscovered
False Positives: Irrelevant or incorrect domain associations
Rate Limiting: Platform usage restrictions and query limitations

7.4.2 Operational Security

Query Logging: Platform may retain search history and target information
Attribution Concerns: Reconnaissance activities may be traceable
Data Sharing: Potential information sharing with third parties
Legal Compliance: Ensuring appropriate use of gathered intelligence

8.0 Shodan Internet Intelligence

8.1 Platform Architecture and Methodology

Shodan operates as a comprehensive Internet-wide scanning engine, continuously probing publicly accessible systems to build a searchable database of connected devices and services.

8.1.1 Scanning Infrastructure

Shodan’s global scanning infrastructure consists of:

Distributed Scanners: Geographically distributed scanning nodes
Continuous Monitoring: 24/7 automated scanning of Internet-connected systems
Service Fingerprinting: Detailed identification of running services and applications
Data Aggregation: Centralized collection and indexing of scan results

8.1.2 Data Collection Methodology

The platform employs systematic data collection approaches:

Port Scanning: Probing common network service ports
Banner Grabbing: Extracting service identification information
Protocol Analysis: Deep inspection of network protocol implementations
Geolocation Mapping: Associating IP addresses with geographic locations

8.2 Search Capabilities and Operators

8.2.1 Basic Search Operations

1
# Search by service type
2
apache
3

4
# Search by specific port
5
port:22
6

7
# Search by country
8
country:US
9

10
# Search by organization
11
org:"Example Corp"

8.2.2 Advanced Search Operators

1
# Combine multiple criteria
2
apache country:US port:443
3

4
# Search by network range
5
net:192.168.1.0/24
6

7
# Search by hostname
8
hostname:mail.example.com
9

10
# Search by HTTP title
11
http.title:"Admin Panel"

8.3 Intelligence Applications

8.3.1 Infrastructure Discovery

Shodan enables comprehensive infrastructure mapping:

Asset Inventory: Identifying all Internet-facing organizational assets
Service Identification: Cataloging running services and applications
Version Analysis: Determining software versions and patch levels
Geographic Distribution: Understanding global infrastructure deployment

8.3.2 Vulnerability Assessment

The platform supports vulnerability identification:

Unpatched Systems: Discovering systems running outdated software
Misconfigured Services: Identifying improperly configured network services
Default Credentials: Finding systems using default authentication
Exposed Interfaces: Locating publicly accessible administrative interfaces

8.4 Threat Intelligence Integration

8.4.1 Malware Infrastructure Tracking

Shodan facilitates malware infrastructure analysis:

Command and Control Servers: Identifying malicious communication infrastructure
Botnet Mapping: Tracking infected systems and communication patterns
Exploit Kit Monitoring: Discovering exploit kit hosting infrastructure
Phishing Infrastructure: Identifying fraudulent websites and services

8.4.2 Incident Response Applications

Security teams leverage Shodan for incident response:

Compromise Assessment: Identifying potentially compromised systems
Lateral Movement Tracking: Understanding attacker infrastructure usage
Attribution Analysis: Connecting attacks to known threat actor infrastructure
Threat Hunting: Proactive searching for indicators of compromise

8.5 Operational Security Considerations

8.5.1 Attribution and Privacy

Query Logging: Shodan maintains logs of user searches and activities
Account Tracking: User accounts enable correlation of reconnaissance activities
Legal Implications: Some searches may attract law enforcement attention
Corporate Monitoring: Organizations may monitor searches for their assets

8.5.2 Ethical Usage Guidelines

Legitimate Purposes: Ensure reconnaissance serves appropriate security objectives
Data Protection: Handle discovered information with appropriate security measures
Responsible Disclosure: Report discovered vulnerabilities through proper channels
Legal Compliance: Maintain adherence to applicable laws and regulations

9.0 Comprehensive Reconnaissance Methodology

9.1 Integrated Approach

Effective passive reconnaissance requires coordinated use of multiple tools and techniques:

9.1.1 Sequential Methodology

Initial Domain Analysis: Begin with WHOIS queries to understand organizational structure
DNS Enumeration: Use nslookup and dig for detailed DNS intelligence
Automated Discovery: Leverage DNSDumpster for comprehensive subdomain enumeration
Infrastructure Mapping: Apply Shodan searches to identify Internet-facing assets
Intelligence Correlation: Analyze collected data for patterns and relationships

Expanding Scope: Use initial discoveries to identify additional targets
Cross-Referencing: Validate information across multiple sources
Historical Analysis: Compare current data with historical information
Gap Identification: Recognize areas requiring additional investigation

9.2 Documentation and Analysis

9.2.1 Information Management

Effective reconnaissance requires systematic information management:

1
Target_Organization/
2
├── WHOIS_Data/
3
│   ├── domain_registrations.txt
4
│   ├── contact_information.txt
5
│   └── historical_data.txt
6
├── DNS_Intelligence/
7
│   ├── a_records.txt
8
│   ├── mx_records.txt
9
│   ├── subdomains.txt
10
│   └── ns_records.txt
11
├── Infrastructure_Mapping/
12
│   ├── ip_ranges.txt
13
│   ├── services.txt
14
│   └── geographic_distribution.txt
15
└── Analysis/
16
    ├── attack_surface.txt
17
    ├── vulnerabilities.txt
18
    └── recommendations.txt

9.2.2 Intelligence Analysis Framework

Data Validation: Verify information accuracy across multiple sources
Pattern Recognition: Identify organizational patterns and preferences
Risk Assessment: Evaluate discovered information for security implications
Reporting: Document findings in structured, actionable formats

9.3 Automation and Scaling

9.3.1 Scripting Integration

#!/bin/bash
# Passive reconnaissance automation script

DOMAIN=$1
OUTPUT_DIR="recon_$DOMAIN"

mkdir -p $OUTPUT_DIR

# WHOIS information
whois $DOMAIN > $OUTPUT_DIR/whois.txt

# DNS enumeration
dig $DOMAIN A > $OUTPUT_DIR/a_records.txt
dig $DOMAIN MX > $OUTPUT_DIR/mx_records.txt
dig $DOMAIN TXT > $OUTPUT_DIR/txt_records.txt

# Subdomain enumeration
# Additional tools and API integrations would be added here

echo "Reconnaissance complete for $DOMAIN"

9.3.2 API Integration

Modern reconnaissance benefits from API integration:

Automated Querying: Programmatic access to reconnaissance platforms
Data Normalization: Consistent formatting across different sources
Rate Limiting Management: Efficient handling of API restrictions
Continuous Monitoring: Ongoing intelligence collection and updates

10.0 Security Implications and Defense

10.1 Organizational Exposure Assessment

Understanding reconnaissance capabilities helps organizations assess their information exposure:

10.1.1 Information Leakage Vectors

WHOIS Data: Excessive organizational information in domain registrations
DNS Misconfigurations: Overly permissive DNS configurations revealing internal structure
Subdomain Proliferation: Numerous subdomains increasing attack surface
Service Exposure: Unnecessary Internet-facing services and applications

10.1.2 Risk Mitigation Strategies

Information Minimization: Reduce publicly available organizational information
DNS Security: Implement DNS security best practices and monitoring
Subdomain Management: Maintain inventory and lifecycle management for subdomains
Service Hardening: Secure or remove unnecessary Internet-facing services

10.2 Defensive Reconnaissance

Organizations can use reconnaissance techniques for defensive purposes:

10.2.1 Asset Discovery

External Asset Inventory: Comprehensive mapping of Internet-facing assets
Shadow IT Identification: Discovering unauthorized or forgotten systems
Third-Party Risk Assessment: Evaluating vendor and partner security postures
Brand Protection: Monitoring for typosquatting and domain abuse

10.2.2 Threat Intelligence

Attacker Infrastructure: Identifying potential threat actor infrastructure
Campaign Monitoring: Tracking ongoing attack campaigns and techniques
Indicator Enrichment: Enhancing security alerts with reconnaissance data
Proactive Hunting: Searching for indicators of compromise or targeting

10.3 Monitoring and Detection

10.3.1 Reconnaissance Detection

Organizations can implement monitoring for reconnaissance activities:

DNS Query Monitoring: Unusual DNS query patterns indicating reconnaissance
WHOIS Query Tracking: Monitoring for excessive WHOIS queries against organizational domains
Honeypot Deployment: Deploying fake services to detect reconnaissance activities
Threat Intelligence Integration: Correlating reconnaissance indicators with known threats

10.3.2 Response Strategies

Incident Classification: Appropriate response based on reconnaissance sophistication
Attribution Analysis: Determining reconnaissance source and intent
Defensive Measures: Implementing additional security controls based on reconnaissance findings
Law Enforcement Coordination: Engaging appropriate authorities for persistent reconnaissance

11.0 Lessons Learned and Personal Insights

11.1 Technical Discoveries

The passive reconnaissance module revealed several critical insights:

11.1.1 Information Abundance

The sheer volume of publicly available information was surprising. Organizations often underestimate how much intelligence can be gathered without direct system interaction. The combination of WHOIS data, DNS records, and search engine results provides a comprehensive view of organizational infrastructure.

11.1.2 Tool Complementarity

Each reconnaissance tool serves specific purposes and provides unique perspectives. WHOIS offers organizational context, DNS tools reveal technical infrastructure, DNSDumpster automates discovery, and Shodan provides Internet-wide visibility. Effective reconnaissance requires understanding each tool’s strengths and limitations.

11.2 Security Awareness Development

11.2.1 Personal Domain Security

The module highlighted personal security implications, particularly regarding domain management practices. The realization about wildcard DNS records and subdomain exposure demonstrated how technical conveniences can create security vulnerabilities.

11.2.2 Organizational Perspective

From an organizational standpoint, the exercise illustrated how seemingly harmless information exposure can provide significant intelligence to potential attackers. The aggregation of multiple information sources creates a comprehensive organizational profile.

11.3 Practical Applications

11.3.1 Defensive Implementation

The knowledge gained directly applies to defensive security practices:

Asset Management: Better understanding of organizational asset exposure
Risk Assessment: Improved ability to evaluate information security risks
Incident Response: Enhanced capability to investigate and respond to security incidents
Threat Intelligence: Better integration of reconnaissance techniques into threat intelligence workflows

11.3.2 Offensive Security Context

While focused on defensive applications, the reconnaissance skills support ethical hacking and penetration testing activities:

Pre-Engagement Planning: Thorough reconnaissance before authorized security testing
Attack Surface Analysis: Comprehensive understanding of target environments
Social Engineering Preparation: Organizational intelligence gathering for social engineering assessments
Red Team Operations: Integration of reconnaissance into comprehensive red team exercises

11.4 Continuous Learning Implications

11.4.1 Evolving Threat Landscape

The reconnaissance field continuously evolves with new tools, techniques, and data sources. Staying current requires ongoing education and practical experience with emerging reconnaissance capabilities.

11.4.2 Privacy and Regulation Impact

Changing privacy regulations and data protection laws affect reconnaissance capabilities. Understanding these changes helps maintain ethical and legal compliance while conducting security activities.

12.0 Conclusion

The passive reconnaissance module provided comprehensive exposure to fundamental intelligence gathering techniques essential for cybersecurity professionals. The hands-on experience with industry-standard tools and platforms established practical skills applicable across multiple security domains.

The progression from basic WHOIS queries through advanced Shodan searches demonstrated the breadth of intelligence available through passive techniques. This experience emphasized the critical importance of understanding organizational information exposure and implementing appropriate defensive measures.

The module’s emphasis on publicly available information highlighted the balance between operational transparency and security considerations. Organizations must carefully manage their information exposure while maintaining necessary business functionality and compliance requirements.

The practical application of these techniques provided valuable insights into both offensive and defensive security perspectives. The ability to think like an attacker while maintaining ethical standards represents a crucial skill for cybersecurity professionals.

The integration of multiple reconnaissance sources demonstrated the power of comprehensive intelligence gathering. No single tool or technique provides complete visibility, but the combination of various sources creates a thorough understanding of target environments.

This foundational knowledge establishes the groundwork for more advanced reconnaissance techniques and offensive security capabilities. The skills developed through this module will prove invaluable in subsequent cybersecurity studies and professional applications.

The module successfully achieved its educational objectives while providing practical experience applicable to real-world security challenges. The combination of theoretical understanding and hands-on application ensures long-term retention and practical utility of the learned concepts.

13.0 References and Resources

13.1 Primary Learning Resources

TryHackMe Passive Reconnaissance Room
WHOIS Protocol Documentation (RFC 3912)
DNS Protocol Specifications (RFC 1035)
Internet Corporation for Assigned Names and Numbers (ICANN) Guidelines

13.2 Tool Documentation

NSLookup Command Reference
Dig Command Manual
DNSDumpster Platform Documentation
Shodan Search Guide and API Reference

13.3 Security Best Practices

NIST Cybersecurity Framework
OWASP Information Gathering Guidelines
SANS Reconnaissance Methodologies
Industry-Standard Penetration Testing Guides

13.4 Legal and Ethical Guidelines

Computer Fraud and Abuse Act (CFAA) Compliance
General Data Protection Regulation (GDPR) Considerations
Responsible Disclosure Practices
Professional Ethics in Cybersecurity

Report Completion Date: [Current Date]
Module Completion Verification: [Screenshot Reference]
Total Laboratory Duration: [Time Invested]