Using Ports as Evidence

Since attackers have so many uses for ports, it becomes necessary for us as investigators to focus on their evidentiary value. When we examine a compromised system, the ports that are active on it can tell us a great deal of valuable information; however, in order to get the most out of this information, we must have a baseline against which to compare. For example, we may locate a competent system administrator who knows which ports were open on the box prior to the incident under investigation. Alternatively, we may compare our target system to others that are reportedly configured identically (as may occur in a server farm when multiple machines are placed into service simultaneously). We can also make some determinations ...
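The comparison described above, as an added example that is not part of the book: a small script that parses constructed `netstat -ano` style output from a suspect Windows host and diffs the listening ports against a baseline supplied by an administrator or taken from an identically built sibling server. The sample netstat rows, the baseline set and the PIDs are all constructed values; `parse_netstat`, `compare_to_baseline` and `pids_for` are names chosen for this example.

```python
"""Diff the listening ports of a suspect host against a known-good baseline.

Added example, not from the book. The netstat rows and the baseline below are
constructed for illustration; on a real case the rows would be captured from
the suspect host and the baseline from the administrator or a sibling server.
"""
import re
from dataclasses import dataclass

# Constructed `netstat -ano` excerpt as it might look on the suspect host.
# Includes an ESTABLISHED row to show that only listeners are kept.
SUSPECT_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2312
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3001
  TCP    10.0.0.5:49750         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed baseline: (protocol, port) pairs the administrator reports as
# normally open on this build. Hypothetical values.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("TCP", 80), ("UDP", 137)}

# proto, local addr, local port, foreign addr, optional state (UDP has none), PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int


def parse_netstat(text):
    """Return the listening sockets found in netstat -ano output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a row in an unexpected layout
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not open ports
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners


def compare_to_baseline(listeners, baseline):
    """Return (unexpected, missing): ports open but not baselined, and vice versa."""
    observed = {(l.proto, l.port) for l in listeners}
    unexpected = sorted(observed - baseline)
    missing = sorted(baseline - observed)
    return unexpected, missing


def pids_for(listeners, proto, port):
    """PIDs owning a given listener; the next pivot for process examination."""
    return sorted({l.pid for l in listeners if l.proto == proto and l.port == port})


if __name__ == "__main__":
    ls = parse_netstat(SUSPECT_NETSTAT)
    unexpected, missing = compare_to_baseline(ls, BASELINE)
    for proto, port in unexpected:
        print(f"UNEXPECTED {proto}/{port} owned by PID(s) {pids_for(ls, proto, port)}")
    for proto, port in missing:
        print(f"MISSING    {proto}/{port} (in baseline, not listening now)")
```

Both halves of the diff matter to an investigator: a port that is open but absent from the baseline points at a process to examine, while a baselined port that is no longer listening can indicate a service that was stopped or replaced. The owning PID is recorded so the finding can be tied to a process listing captured at the same time.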
