Network Sniffers

In Chapter 5, we looked at a tool (promiscdetect.exe) that allowed the investigator to determine if the network interface card (NIC) is in promiscuous mode. This means that all packets that pass by on the wire are copied by the NIC into memory for processing, rather than just those packets that are addressed specifically to the NIC. This is how a network protocol analyzer, or sniffer, works—by copying all packets that pass by on the wire. Sniffers allow the investigator to copy all traffic from the network and analyze it to see what the various systems are “saying” to each other.
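
To make the promiscuous-mode distinction concrete, here is an added example (not from the book or from promiscdetect.exe) that parses constructed Ethernet frames and applies the receive filter a NIC uses in normal mode versus promiscuous mode; the MAC addresses and payloads are made-up sample data and the multicast handling is simplified to "accept all multicast".

```python
"""Simulate a NIC's receive filter to show what promiscuous mode changes.

Added example, not the book's code. All frames below are constructed sample
data; nothing is captured from a live network.
"""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
NIC_MAC = bytes.fromhex("001122334455")   # constructed MAC of "our" NIC


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into dst, src, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def nic_accepts(frame: bytes, nic_mac: bytes, promiscuous: bool) -> bool:
    """Decide whether the NIC copies this frame into memory.

    Normal mode: keep unicast frames addressed to our own MAC, broadcast
    frames and (simplified here) all multicast frames, i.e. low bit of the
    first destination octet set. Promiscuous mode: copy every frame on the
    wire, which is what a sniffer relies on.
    """
    if promiscuous:
        return True
    dst = parse_ethernet(frame)["dst"]
    return dst == nic_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def visible_sources(frames, nic_mac, promiscuous):
    """Distinct source MACs an analyst would see in the given mode."""
    return sorted({mac_str(parse_ethernet(f)["src"])
                   for f in frames if nic_accepts(f, nic_mac, promiscuous)})


# Constructed frames: one addressed to us, one ARP broadcast, and one between
# two other hosts that a non-promiscuous NIC never hands to software.
TO_US = NIC_MAC + bytes.fromhex("aabbccddeeff") + b"\x08\x00" + b"IP to us"
BCAST = BROADCAST + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x06" + b"ARP who-has"
OTHERS = bytes.fromhex("66778899aabb") + bytes.fromhex("ccddeeff0011") + b"\x08\x00" + b"not for us"
SAMPLE_FRAMES = [TO_US, BCAST, OTHERS]

if __name__ == "__main__":
    for mode in (False, True):
        print("promiscuous" if mode else "normal", visible_sources(SAMPLE_FRAMES, NIC_MAC, mode))
```

In normal mode the third host's traffic never reaches the analyst; in promiscuous mode it does, which is exactly why Chapter 5's check for promiscuous mode matters when you suspect a sniffer is running on a host.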

The investigator can make use of a network sniffer when responding to an incident. For example, if the “victim” system is suspected to have a Trojan ...
