WinPcap and RawCap

During an incident, it may become necessary to obtain a packet capture from a Windows system. In incidents such as a compromise of a web server or application server, the Windows system will not have a native application to conduct a packet capture. There are several tools available for packet capture on Windows systems. The first tool that can be utilized is WinPcap. This tool is generally recognized as the standard for packet capture on Windows systems and is available as a free download at The drawback to this tool from a forensics perspective is that it has to be installed on the system. This can complicate a forensic analysis as any changes to the system have to be thoroughly documented. For this reason, ...

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.