In Part 4 of this series, we discuss network forensics and misuse investigations; different types of devices that may hold suspect data or evidence; introduction to the 7-layer OSI model; network forensics and the role of sniffers and protocol analysis software; the function of network interface cards and layer-2 content inspection; overview of how a NIC works; overview of how a sniffer works; introduction to promiscuous mode; the 4 ways to capture traffic for network forensics; introduction to spanning and mirroring switch ports; introduction to buffered and unbuffered network taps; layer-2 transparent bridging concepts; 8-track hubs and building a receive-only ethernet cable; reasons why ARP cache poisoning shouldn’t be used for network forensics; defeating name resolution-based promiscuous mode detection; defeating specially crafted ARP and malformed multicast-based promiscuous mode detection; default snaplengths and configuring a sniffer for full packet capture; introduction to tcpdump and windump; issues with Win32-derived packet capture libraries; introduction to the Network Toolkit from CACE Technologies; and more.
This LiveAmmo Podcast is in .mp3 format, 00:36:15 in duration, and a 17.4 MB download.
Visit the LiveAmmo Computer Forensics Podcast Archives for more information about how to subscribe to our podcast and news feeds.