Packet capture

Capturing network traffic is critical to having a full understanding of an incident. Being able to identify the IP addresses of potential C2 traffic may provide further information about the type of malware that might have infected a host. In other types of incidents, CSIRT members may be able to identify the exfiltration methods that an external threat actor is utilizing.

One method is to set up what is referred to as a network tap. A network tap is a system placed in-line between the compromised host and the switch. For example, in the network diagram, if the compromised host is on the 192.168.1.0/24 subnet, the tap should be placed between that host and the switch. This often involves placing a system in between the host ...
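As an added example (not from the book), the kind of first-pass triage a CSIRT member might run over frames captured at such a tap: parse the Ethernet and IPv4 headers and count outbound contacts from the monitored 192.168.1.0/24 subnet to addresses outside it, so that repeatedly contacted external hosts stand out as C2 candidates for further lookup. The frames, the host 192.168.1.20 and the external addresses (documentation ranges) are constructed here; a real run would feed in frames read from the capture file.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

ETH_HDR_LEN = 14           # Ethernet II header
ETHERTYPE_IPV4 = 0x0800

def parse_ipv4_frame(frame):
    """Return (src, dst, proto) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4   # header length in bytes, from the IHL nibble
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return ip_address(ip[12:16]), ip_address(ip[16:20]), ip[9]

def external_peers(frames, internal_net="192.168.1.0/24"):
    """Count frames sent from the monitored subnet to any address outside it."""
    net = ip_network(internal_net)
    peers = Counter()
    for frame in frames:
        parsed = parse_ipv4_frame(frame)
        if parsed is None:
            continue                  # ARP, IPv6, truncated: not in scope here
        src, dst, _proto = parsed
        if src in net and dst not in net:
            peers[str(dst)] += 1
    return peers

def build_frame(src, dst, proto=6):
    """Construct a minimal Ethernet+IPv4 frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return eth + ip_hdr + b"\x00" * 20   # 20 zero bytes stand in for the transport header

# Constructed sample frames as the tap would see them (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for external hosts).
SAMPLE_FRAMES = (
    [build_frame("192.168.1.20", "203.0.113.45")] * 3        # repeated outbound contact
    + [build_frame("203.0.113.45", "192.168.1.20")]          # reply, inbound: not counted
    + [build_frame("192.168.1.20", "192.168.1.1", proto=17)]  # internal DNS, same subnet
    + [build_frame("192.168.1.20", "198.51.100.7")]
    + [b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28]  # ARP frame, skipped
)

if __name__ == "__main__":
    for peer, count in external_peers(SAMPLE_FRAMES).most_common():
        print(f"{peer:<16} {count} outbound frames")
```

The count alone does not prove C2; it narrows the list of external addresses worth checking against threat intelligence and the host's expected traffic.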
