168 ■ Cyber Forensics Field Manual, Second Edition
cannot conclusively confirm the identity of the attacking host. Moreover, if the IP address is
for the attacker’s system, the attacker might see the traffic and react by destroying evidence
or attacking the host sending the traffic. If the IP address is spoofed, sending unsolicited
network traffic to the system could be interpreted as unauthorized use or an attack. Under
no circumstances should investigators attempt to gain access to others’ systems without
permission.
Seek ISP Assistance: ISPs generally require a court order before providing any information
to an organization about suspicious network activity. Accordingly, ISP assistance is generally
an option during only the most serious net ...