The fifth week focused on evidence acquisition. The important topics covered are:
- Goal
- Physical interception
- Acquisition software
- Active acquisition
- Strategy
Goal
- best fidelity possible
- minimize the impact on the network environment
- verify the evidence authenticity
- two kinds of acquisition
- passive – captures traffic without emitting anything at layer 2 and above
- active – directly interacts with workstations
Physical interception
This is passive packet acquisition: packets are captured as they are transmitted over the wire. Ways to do so include:
- inline network tap – inserted in line between two cable segments
- vampire taps – physically touch the wire
- induction coils
- fiber optic taps
The last thing we learned in this lesson was tcpdump and some of its commands, which include:
- tcpdump -D – list the network interfaces available for capture
- tcpdump -i – capture packets on the given interface
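As an added example (not from the course notes), the shell wrapper below ties the two tcpdump commands to the goals listed above: it captures passively on a tapped interface without emitting name-resolution traffic, writes raw packets for fidelity, and hashes the capture immediately so its authenticity can be verified later. The interface name `eth1` and the `/evidence/` path in the usage comments are assumptions; tcpdump and a SHA-256 tool are assumed to be installed, and the capture itself needs root.

```shell
#!/bin/sh
# Added example, not part of the original notes: passive tcpdump capture plus an
# integrity record. Assumes tcpdump and sha256sum (or shasum) are installed.

# SHA-256 digest of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# List capture-capable interfaces (tcpdump -D) so the tap port can be chosen.
list_interfaces() {
    tcpdump -D
}

# Passive capture of COUNT packets on IFACE into OUT:
#   -n    no name resolution, so the capture host emits no DNS queries
#   -s 0  full snapshot length, so no packet is truncated
#   -w    write raw packets (full fidelity) instead of decoded text
capture_packets() {
    iface="$1"; out="$2"; count="${3:-1000}"
    tcpdump -i "$iface" -n -s 0 -c "$count" -w "$out"
}

# Record the digest, file name, UTC time and host in a sidecar file right after
# acquisition; this is the reference the evidence is later checked against.
record_hash() {
    printf '%s  %s  %s  %s\n' "$(sha256_of "$1")" "$1" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" > "$1.sha256"
}

# Verify a capture against its sidecar: exit 0 if unchanged, 1 if it differs.
verify_capture() {
    recorded="$(cut -d' ' -f1 "$1.sha256")"
    current="$(sha256_of "$1")"
    [ "$recorded" = "$current" ]
}

# Typical flow on the capture host (assumed interface and path; needs root):
#   list_interfaces
#   capture_packets eth1 /evidence/tap.pcap 5000
#   record_hash /evidence/tap.pcap
#   verify_capture /evidence/tap.pcap && echo "capture unchanged"
```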