Sunday, December 31, 2006

Network Forensics

Here is a sample chapter from "Computer Forensics: Incident Response Essentials", entitled "Tracking an Offender". Although the material is five years old, it still applies.

To fill in the gaps, here's a few bits:

  • While the message ID for email is unique, it may or may not be random. It may be worthwhile to know more about the systems handling the mail you're investigating. (Hint: Message ID's generated by Sendmail are based on process number and time of day.)
  • In addition to NetBIOS (for Unix systems, use nbtscan), it's likely to be worthwhile to run other tools, like Nmap, to get a better idea of the services running on a machine. This is an act of last resort though as accessing a suspect system may foul any legal proceedings. Then again, if the system is out of your reach...

In any case, it's been five years since the book was published. I expect that it will be updated shortly (I hope).