Monitoring Communication with the Victim Box
In addition to running live-analysis tools on the target system, you can monitor the network traffic coming from and going to the system. While a rootkit may conceal the presence of a communication channel from live-analysis tools, if the channel exists and is being used to communicate with another system, that traffic must pass across the network cable connected to the victim computer at some point. Hacker tools, such as bots, will frequently send periodic communications to a server or chat room monitored by the hacker. In this way the hacker can keep tabs on which machines she owns at any given moment.
By monitoring the traffic into and out of the target system, you can determine which IP addresses ...
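The periodic check-ins described above are exactly what stands out in a connection log taken from a span port or tap. As an added example (not from the book), here is a small Python beacon-spotter run over a constructed set of connection records; the hosts, port, interval and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (timestamp_seconds, src_ip, dst_ip, dst_port).
# All values are made up for this example; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges, not real hosts.
SAMPLE_CONNECTIONS = [
    # Regular ~60-second check-ins from the suspected victim to an IRC-style port.
    (0, "10.0.0.5", "203.0.113.7", 6667),
    (60, "10.0.0.5", "203.0.113.7", 6667),
    (121, "10.0.0.5", "203.0.113.7", 6667),
    (180, "10.0.0.5", "203.0.113.7", 6667),
    (241, "10.0.0.5", "203.0.113.7", 6667),
    # Irregular, user-driven web traffic from the same host.
    (5, "10.0.0.5", "198.51.100.20", 443),
    (9, "10.0.0.5", "198.51.100.20", 443),
    (95, "10.0.0.5", "198.51.100.20", 443),
    (300, "10.0.0.5", "198.51.100.20", 443),
    # Too few connections to judge either way.
    (10, "10.0.0.5", "198.51.100.99", 80),
    (70, "10.0.0.5", "198.51.100.99", 80),
]


def find_periodic_destinations(records, min_connections=4, max_cv=0.15):
    """Return (src, dst, port, mean_interval, cv) for every flow whose
    inter-arrival times are nearly constant (coefficient of variation
    at or below max_cv), the signature of a scripted check-in rather
    than a person clicking around."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    suspects = []
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_connections:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects.append((src, dst, port, avg, cv))
    return suspects


if __name__ == "__main__":
    for flow in find_periodic_destinations(SAMPLE_CONNECTIONS):
        print("periodic flow:", flow)
```

A flagged destination is a lead to correlate with the live-analysis results, not proof on its own; legitimate software updaters and monitoring agents also beacon on a schedule.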