Network Sniffers

In Chapter 5, we looked at a tool (promiscdetect.exe) that allowed the investigator to determine if the network interface card (NIC) is in promiscuous mode. This means that all packets that pass by on the wire are copied by the NIC into memory for processing, rather than just those packets that are addressed specifically to the NIC. This is how a network protocol analyzer, or sniffer, works—by copying all packets that pass by on the wire. Sniffers allow the investigator to copy all traffic from the network and analyze it to see what the various systems are “saying” to each other.
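Once the NIC has copied a frame into memory, the sniffer's job is to decode it so the analyst can see who is talking to whom. The following is an added example, not code from the book: it decodes the Ethernet, IPv4 and TCP headers of a constructed frame (the addresses and ports are made up) and tallies source/destination IP pairs across a capture.

```python
import struct
from collections import Counter
from typing import Any, Dict, Iterable

def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Decode the Ethernet II, IPv4 and TCP headers of one captured frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    result = {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "ethertype": ethertype,
    }
    if ethertype != 0x0800:      # only IPv4 is decoded in this example
        return result
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4   # IP header length in bytes (options included)
    result.update({"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
                   "ttl": ttl, "protocol": proto})
    if proto == 6 and len(ip) >= ihl + 14:   # TCP: ports, sequence numbers, flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        result.update({"src_port": sport, "dst_port": dport, "seq": seq,
                       "flags": off_flags & 0x1FF})
    return result

def build_sample_frame() -> bytes:
    """Constructed TCP SYN 192.168.1.10:49152 -> 192.168.1.20:80 (not real traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return eth + ip + tcp   # checksums left at zero; the parser does not verify them

def conversations(frames: Iterable[bytes]) -> Dict[tuple, int]:
    """Count packets per (src_ip, dst_ip) pair: the first view an analyst wants."""
    counts: Counter = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if "src_ip" in pkt:
            counts[(pkt["src_ip"], pkt["dst_ip"])] += 1
    return dict(counts)
```

Feeding real frames (for example from a raw socket or a pcap reader) into `conversations` gives the host-to-host traffic matrix that a suspected Trojan's beaconing would show up in.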

The investigator can make use of a network sniffer when responding to an incident. For example, if the “victim” system is suspected to have a Trojan ...
