Chapter 24 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Digital Evidence on Physical and Data-Link Layers

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.1 Old Ethernet configuration (modern configurations are conceptually the same).

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.2 Computers on a 10BaseT network plugged into a hub.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.3 Computer A sending data to computer Z.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.4 Ethereal classification of NIC addresses.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FFIGURE 24.5 Summary diagram of TCP/IP separated by OSI layer.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.6 Computers connected at the physical level are vulnerable to eavesdropping.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.7 Ethereal showing packet in “hotmail dmp” file containing the keyword “POST,” corresponding to the act of sending the message through Hotmail.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.8 (A) Using the NetIntercept forensic view to examine network traffic and locate important items such as an “HTTP POST.” (B) Using NetIntercept to view the same packet as in Figure 24.7 containing the “POST” keyword.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE 24.9 NetWitness summary view of network traffic.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Hotmail Inbox recovered using Ethereal.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE Hotmail Inbox extracted from a tcpdump file and displayed using NetIntercept.

Figure 1.1 Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. FIGURE MIME-encoded attachments containing data in a ZIP file extracted from a tcpdump file and displayed using NetIntercept.