Network Forensics

After looking at the file it is clear that the IP packet travels across the Internet and passes through routers that direct the information and provide simple error handling, for example when the destination is unreachable. The protocol that performs this operation is the Internet Control Message Protocol (ICMP). It provides a mechanism for error handling and general messaging across the IP network layer. ICMP is transported in the payload of the IP packet and has several data structures of its own, as defined in [7].

The investigation steps can be summarized as follows (Clarke, 2003):

1. Assessment of the situation: the analysis framework of the ongoing investigation, and action as necessary (Clarke, 2003).
2. Data collection: the collection, protection and preservation of the original evidence.
3. Data analysis: study and comparison of the digital evidence of the events, so that the case can be brought successfully to the law enforcement agencies.
4. Report of the investigation: collection and organization of the information obtained, and writing of the final report (George & Mohay, 2003).

The attacker sends malformed ICMP packets to the destination host, which responds with numerous answers to the given requests. Each operating system sends slightly different results back, so the installed operating system is determined by a process of elimination, evaluating the responses. This flaw in the development of the operating system allows specially designed tools to examine the structure of the returned ICMP data and determine the likely operating system.

The libpcap format is very simple and has gained wide usage. It is, however, limited: it lacks nanosecond time resolution and cannot record specific connection details, interface information or packet drop counts. A next-generation format, PCAP NG, was proposed [14] and is currently being developed to overcome these deficiencies.
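To make the two formats just described concrete, here is an added example (not part of the original text, and not taken from any of the cited works) that parses a classic libpcap file and decodes the ICMP messages carried in the IPv4 payload of each record. It builds its own small capture from constructed packets, so the addresses, timestamps and packet contents are invented for illustration. It handles only link type 101 (raw IPv4, an assumption that keeps the example free of Ethernet framing), recognizes both the microsecond and the nanosecond libpcap magic numbers so the timestamp-resolution limitation of the classic format is visible, and verifies the IP and ICMP checksums, which is the first thing an analyst checks when a capture contains malformed ICMP.

```python
import struct

# ---- Internet checksum (RFC 1071), shared by the IPv4 header and ICMP ----
def inet_checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words. Run over data whose checksum field
    is already filled in, it returns 0 when that checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# ---- Builders for the constructed sample capture (hypothetical traffic) ----
def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def build_ipv4(src: str, dst: str, payload: bytes, proto: int) -> bytes:
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0, s, d]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

def build_pcap(records) -> bytes:
    """Classic libpcap: 24-byte global header, then a 16-byte header per record.
    Magic 0xA1B2C3D4 means microsecond timestamps; link type 101 is raw IPv4."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out

# Constructed sample: an echo request, the matching port-unreachable error
# (which quotes the original IP header plus 8 bytes), and one non-ICMP packet.
ECHO_REQ = build_ipv4("10.0.0.1", "10.0.0.2",
                      build_icmp(8, 0, struct.pack("!HH", 0x4242, 1) + b"abcdefgh"), 1)
UNREACH = build_ipv4("10.0.0.2", "10.0.0.1", build_icmp(3, 3, b"\x00" * 4 + ECHO_REQ[:28]), 1)
TCP_PKT = build_ipv4("10.0.0.1", "10.0.0.3", b"\x00" * 20, 6)
SAMPLE_PCAP = build_pcap([(1700000000, 123456, ECHO_REQ),
                          (1700000000, 124000, UNREACH),
                          (1700000001, 0, TCP_PKT)])

# ---- Reader: classic libpcap global header and record headers ----
MAGICS = {0xA1B2C3D4: ("<", 1000), 0xD4C3B2A1: (">", 1000),   # microsecond variants
          0xA1B23C4D: ("<", 1), 0x4D3CB2A1: (">", 1)}           # nanosecond variants

ICMP_NAMES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}

def iter_pcap(blob: bytes):
    """Yield ((ts_sec, ts_nanos), original_length, packet_bytes) per record."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic not in MAGICS:
        raise ValueError("not a classic libpcap file (pcapng uses a different layout)")
    endian, frac_scale = MAGICS[magic]
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    if linktype != 101:
        raise ValueError("this example handles LINKTYPE_RAW (101) only")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        pkt = blob[off:off + incl_len]
        off += incl_len
        yield (ts_sec, ts_frac * frac_scale), orig_len, pkt

def decode_icmp(pkt: bytes):
    """Decode an ICMP message carried in an IPv4 payload; None if not ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    icmp = pkt[ihl:total_len]
    rec = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
           "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0}
    if len(icmp) < 4:   # not even the type/code/checksum header survived
        rec.update(type=None, code=None, name="truncated", icmp_checksum_ok=False)
        return rec
    t, c = icmp[0], icmp[1]
    rec.update(type=t, code=c, name=ICMP_NAMES.get(t, "other"),
               icmp_checksum_ok=inet_checksum(icmp) == 0)
    return rec

def icmp_summary(blob: bytes):
    """All ICMP records in the capture, with timestamp and truncation flag."""
    out = []
    for ts, orig_len, pkt in iter_pcap(blob):
        rec = decode_icmp(pkt)
        if rec is not None:
            rec["ts"] = ts
            rec["truncated"] = len(pkt) < orig_len   # snaplen cut the packet short
            out.append(rec)
    return out

if __name__ == "__main__":
    for row in icmp_summary(SAMPLE_PCAP):
        print(row)
```

Because the classic record header stores only a 32-bit fraction field, the reader has to learn the resolution from the magic number; a file written with the microsecond magic can never carry nanosecond timestamps, which is the limitation the paragraph above refers to. A failed ICMP checksum on an otherwise intact IP header is the kind of anomaly worth flagging in a report, since legitimate stacks do not emit it.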

As far as the above scene is concerned, as a crime investigator I would first photograph all the related cabinets of CDs and DVDs, if available, because this gives an overview of the accumulated data. Secondly, I would take some shots of any available photographic equipment, such as cameras or recorders, since this reflects the volume of work that had been done there. After this I would photograph the areas where the child pornography had been shot, as evidence for the court to be matched against the pictures at issue and the locations (Cornish, 2006).

No, the system should not be shut down, because there could be important evidence that would help investigators draw early conclusions about the scale of the criminal activity; they would also learn who the affected children are, which would help them contact the children and find out more about the incident. If the computer is connected to another computer or to a network of computers, this indicates that the activity is being carried out on a massive scale and that a lobby or some large group could be behind it. This will clarify the direction for investigators to establish an early path for ...