Windows Forensics and Incident Recovery by Harlan Carvey


Network Sniffers

In Chapter 5, we looked at a tool (promiscdetect.exe) that allowed the investigator to determine if the network interface card (NIC) is in promiscuous mode. This means that all packets that pass by on the wire are copied by the NIC into memory for processing, rather than just those packets that are addressed specifically to the NIC. This is how a network protocol analyzer, or sniffer, works—by copying all packets that pass by on the wire. Sniffers allow the investigator to copy all traffic from the network and analyze it to see what the various systems are “saying” to each other.

The investigator can make use of a network sniffer when responding to an incident. For example, if the “victim” system is suspected to have a Trojan ...
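An added example (not from the book): the same promiscuous-mode check the excerpt describes, implemented for a Linux host rather than with the Windows tool promiscdetect.exe. It assumes the kernel exposes each interface's flags as a hex string in `/sys/class/net/<iface>/flags`, and decodes the `IFF_*` bits so a responder can see why an interface is flagged.

```python
"""Promiscuous-mode check via Linux sysfs.

Added example, not the book's code. Assumes a Linux host where
/sys/class/net/<iface>/flags holds the interface flags as hex
(e.g. "0x1103"); the Windows equivalent in the book is promiscdetect.exe.
"""
import os

# Interface flag bits as defined in <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100      # NIC copies every frame on the wire, not just its own
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING",
    IFF_PROMISC: "PROMISC",
    IFF_MULTICAST: "MULTICAST",
}


def decode_flags(raw: str) -> list:
    """Turn a sysfs flags string such as '0x1103' into a list of flag names."""
    value = int(raw.strip(), 16)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_promiscuous(raw: str) -> bool:
    """True when the IFF_PROMISC bit is set in the flags string."""
    return bool(int(raw.strip(), 16) & IFF_PROMISC)


def scan_interfaces(sysfs_root: str = "/sys/class/net") -> dict:
    """Map each interface under sysfs_root to whether it is promiscuous."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                result[iface] = is_promiscuous(fh.read())
        except OSError:
            continue  # entries without a readable flags file
    return result


if __name__ == "__main__":
    for iface, promisc in scan_interfaces().items():
        print(f"{iface}: {'PROMISCUOUS' if promisc else 'normal'}")
```

A PROMISC result on a production host is a lead, not a verdict: legitimate monitoring tools and some virtualization bridges set the bit too, so confirm which process opened the capture socket.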
