support that activity, are possibly even more important skills for the computer forensics examiner. While there are tools that will capture and display network data, the practitioner needs to know how to properly interpret what they are seeing in the context of their investigation.

Read part 2 of this article in the Fall issue of DFI News.

From: Kessler, G.C., & Fasulo, M. (2007). The Case for Teaching Network Protocols to Computer Forensics Examiners. In Proceedings of the Conference on Digital Forensics, Security and Law, April 18-20, 2007, Arlington, VA, pp. 115-137.
Gary C. Kessler, Ph.D., CCE, CISSP, is an Associate Professor at Embry-Riddle Aeronautical University in Daytona Beach, Florida, teaching cybersecurity in the Homeland Security program. He is also president of Gary Kessler Associates, a digital forensics and information security consulting and training practice. Dr. Kessler is also a member of the N. Florida and Vermont Internet Crimes Against Children (ICAC) Task Forces, specializing in mobile device forensics. More information can be found at http://www.garykessler.net.

Matt Fasulo is a Special Agent with the U.S. Secret Service currently stationed in Portland, Maine. SA Fasulo has been with the Secret Service since 1998 and a member of the Electronic Crimes Special Agent Program since 1999. During that time, SA Fasulo has investigated numerous network intrusion incidents. He is currently assigned to the Maine State Police Computer Crimes Unit, Vassalboro, Maine.