The Case for Teaching Network Protocols to Computer Forensics Examiners: Part 2
Insights on the role of network forensics and how knowledge of computer communications and network protocols is emerging as a necessary skill for
Gary C. Kessler and Matt Fasulo
Most computer forensics experts are well-versed in basic computer hardware technology, operating systems, common software applications, and computer forensics tools. And while many have rudimentary knowledge about the Internet and simple network-lookup tools, they are not trained in the analysis of network communication protocols and the use of packet sniffers.
The first part of this article presented some insights about the role of network forensics and how knowledge of computer communications and network protocols is emerging as a necessary skill for digital investigators—perhaps even more than programming itself. Part 2 includes some additional network investigation case studies.
Case Study #2: Phishing
Phishing and its variants (e.g., spear-phishing and pharming) are serious problems on the Internet; October 2006 saw over 37,000 new phishing sites, a 757% increase from a year earlier.[1] The authors were asked to investigate one particular phishing attack targeting a Vermont bank in the summer of 2005. In August 2005, the first author received a phishing e-mail purporting to come from Amazon.com. While the details of the bank phishing scheme cannot be presented here, analysis of the Amazon.com phishing scheme will be used to explore how the bank scheme was investigated. This particular e-mail was of interest because the first author actually has an Amazon account.
The e-mail received was the typical phishing message: a claim to come from a commercial organization where the recipient might have an account,[2] a statement that some security breach has occurred, and the suggestion that the recipient log on to a given Web site to update or verify their personal information.

In an effort to document the phishing attempt, the authors started a packet sniffer and followed the link provided in the e-mail despite warnings from the e-mail client. The result was a visit to a Web page that looked very much like the real Amazon.com Web site. The Uniform Resource Locator (URL) of the page—http://creditunion.pm168.com.cn/obidos/flex-sign-in/—is particularly interesting because, while it clearly shows the bogus host name, creditunion.pm168.com.cn, it also shows the legitimate amazon.com login page URL. Most users will ignore the beginning of the URL once they recognize the familiar Amazon.com address and a seemingly familiar page. Of course, the question mark and everything that follows it is ignored, so, in fact, the user has been redirected to the bogus host somewhere in the .cn (China) top-level domain. The authors responded to
Figure 1: TCP packet stream showing user login to bogus Web site.
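The URL reading described above (the host the browser actually connects to is the authority part; a familiar path or brand name elsewhere in the string is just data sent to that host) can be made mechanical. The following is an added example, not code from the article or its authors: it splits a link the way the browser does, extracts the top-level domain, and flags a link whose path matches a known legitimate login path while the host is not the brand's own domain. The legitimate-login table and the second sample URL (with a brand name in the query string) are constructed for illustration.

```python
from urllib.parse import urlsplit

# Known legitimate login paths per brand (assumption: one entry, built from the
# article's observation that /obidos/flex-sign-in/ is the amazon.com login path).
LEGITIMATE_LOGINS = {"amazon.com": "/obidos/flex-sign-in/"}


def split_link(url):
    """Return (host, path, query) exactly as a browser would resolve them."""
    if "://" not in url:
        url = "http://" + url  # bare host names are still links in an e-mail
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/", parts.query


def is_brand_host(host, brand):
    """True only for the brand domain or a real subdomain (www.amazon.com),
    not for look-alikes that merely contain the string (amazon.com.cn)."""
    return host == brand or host.endswith("." + brand)


def top_level_domain(host):
    """Last label of the host, e.g. 'cn' for creditunion.pm168.com.cn."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def analyse_link(url):
    """Classify a link as an examiner would: where does it really go, and does
    it borrow a brand's familiar login path or name without being that brand?"""
    host, path, query = split_link(url)
    findings = []
    for brand, login_path in LEGITIMATE_LOGINS.items():
        if is_brand_host(host, brand):
            continue  # the connection really goes to the brand; nothing borrowed
        if path.rstrip("/") == login_path.rstrip("/"):
            findings.append(f"path mimics {brand} login page but host is {host}")
        if brand in query.lower() or brand in path.lower():
            findings.append(f"'{brand}' appears in the URL only as data, not as the host")
    return {"host": host, "tld": top_level_domain(host), "findings": findings}


if __name__ == "__main__":
    # First URL is the one quoted in the article; second is a constructed sample.
    for link in ("http://creditunion.pm168.com.cn/obidos/flex-sign-in/",
                 "http://creditunion.pm168.com.cn/obidos/flex-sign-in/?ref=www.amazon.com",
                 "https://www.amazon.com/obidos/flex-sign-in/"):
        print(link, "->", analyse_link(link))
```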