Chapter 3. Evidence Acquisition

“Some things are hurrying into existence, and others are hurrying out of it; and of that which is coming into existence part is already extinguished . . . In this flowing stream then, on which there is no abiding, what is there of the things which hurry by on which a man would set a high price?”

The Meditations, by Marcus Aurelius [1]

[1] Thomas Bushnell, “The Meditations,” 1994, http://classics.mit.edu/Antoninus/meditations.mb.txt.

Ideally, we would like to obtain perfect-fidelity evidence, with zero impact on the environment. For copper wires, this would mean only observing changes in voltages without ever modifying them. For fiber cables, this would mean observing the quanta without ever injecting any. For radio frequency, this would mean observing RF waves without ever emitting any. In the real world, this would be equivalent to a murder investigator collecting evidence from a crime scene without leaving any new footprints.

Obviously, we don’t live in a perfect world, and we can never achieve “zero footprint.” Detectives analyzing a murder scene still cannot avoid walking on the same floor as the killer. However, network investigators can minimize the impact.

Network forensic investigators often refer to “passive” versus “active” evidence acquisition. Passive evidence acquisition is the practice of gathering forensic-quality evidence from networks without emitting data at OSI Layer 2 and above. Traffic acquisition is often classified as passive evidence acquisition. Active or interactive evidence acquisition is the practice of collecting evidence by interacting with stations on the network. This may include logging onto network devices via the console or through a network interface, or even port-scanning hosts to determine their current state.
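
In practice, a capture host only stays on the passive end of that definition if it is configured not to talk: a sniffing interface with IPv6 left enabled will emit neighbor discovery traffic on its own, and tcpdump without -n will send DNS queries to resolve the addresses it prints. The check below, an added example rather than code from this book, audits a finished capture for that kind of leakage by parsing a classic libpcap file and listing every frame whose Ethernet source address belongs to the capture host's own NIC. All MAC addresses and the three sample frames are constructed for illustration; the parser handles only the classic pcap format with the Ethernet link type.

```python
import struct

# Classic libpcap file constants (magic for microsecond timestamps, Ethernet link type).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

# EtherTypes used in the constructed sample capture.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# Hypothetical addresses: the capture host's NIC and two monitored hosts.
SNIFFER_MAC = "02:00:00:00:aa:01"
HOST_A_MAC = "02:00:00:00:bb:02"
HOST_B_MAC = "02:00:00:00:cc:03"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst, src, ethertype, payload):
    """Build a minimal Ethernet II frame (no FCS) around an opaque payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", ethertype) + payload


def build_pcap(frames, base_ts=1_600_000_000):
    """Serialize frames into a little-endian classic pcap (used to construct sample input)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return header + body


def iter_frames(pcap):
    """Yield (timestamp, frame) from a classic pcap, honoring the file's byte order."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "IHHiIII", pcap[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len


def audit_passive_capture(pcap, sniffer_macs):
    """Return every frame whose source MAC belongs to the capture host.

    A truly passive capture yields an empty list: the sniffer observed but never
    transmitted. Each hit is (timestamp, src_mac, ethertype) so the analyst can
    see what leaked (0x86dd from the sniffer usually means IPv6 neighbor
    discovery from an interface that was left IPv6-enabled).
    """
    sniffer = {m.lower() for m in sniffer_macs}
    leaked = []
    for ts, frame in iter_frames(pcap):
        if len(frame) < 14:            # truncated frame, nothing to classify
            continue
        src = mac_str(frame[6:12])
        (ethertype,) = struct.unpack(">H", frame[12:14])
        if src in sniffer:
            leaked.append((ts, src, ethertype))
    return leaked


# Constructed sample capture: two legitimately observed frames plus one frame the
# sniffer itself emitted (an IPv6 packet), which a passive setup must never produce.
SAMPLE_PCAP = build_pcap([
    ethernet_frame(HOST_B_MAC, HOST_A_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    ethernet_frame(BROADCAST_MAC, HOST_B_MAC, ETHERTYPE_ARP,
                   b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    ethernet_frame("33:33:00:00:00:02", SNIFFER_MAC, ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39),
])

if __name__ == "__main__":
    hits = audit_passive_capture(SAMPLE_PCAP, {SNIFFER_MAC})
    if not hits:
        print("capture is passive: no frames sourced from the sniffer")
    for ts, src, etype in hits:
        print(f"LEAK at {ts:.6f}: {src} emitted ethertype 0x{etype:04x}")
```

Run it against a real capture by replacing SAMPLE_PCAP with the bytes of the pcap file and passing the MAC addresses of every interface on the capture host. An empty result does not prove the host was silent (the capture interface may not see its own transmissions on some setups), but a non-empty result is a clear sign the acquisition was not passive and should be documented as such.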

Although the terms “passive” and “active” imply that there is a clear distinction between two categories, in reality, the impact of evidence acquisition on the environment is a continuous spectrum.

In this chapter, we discuss the types of physical media that can be leveraged to passively acquire network-based evidence and delve into popular tools and techniques for acquiring network traffic. Next, we review common interfaces used to interact with network devices. Finally, we discuss strategies for minimizing your footprint when conducting active evidence acquisition.