
4 cheap options to monitor networks for evidence

Brandon Gregg | Feb. 10, 2010
Investigations manager Brandon Gregg explains how to collect evidence for network investigations on the cheap without damaging the mission at hand.

3. AirPcap card. Level of Expertise: 3 of 5, Covert: 5 of 5, Network: WLAN only.
I'm including this option mainly for educational purposes. In a corporate setup the SPAN port will be your best choice for monitoring Wi-Fi connections, but you never know. The AirPcap is a USB-based tool that works much like a police scanner: instead of receiving police traffic, it captures and displays the network traffic traveling between the target's laptop and the Wi-Fi router.

This tool is very useful in TSCM, penetration testing and other not-so-legal exploits, which is why hackers love it. Another negative is its price: it will cost you about $350.

4. ARP poisoning. Level of Expertise: 5 of 5, Covert: 3 of 5, Network: LAN and WLAN.
ARP poisoning is a handy exploit that tricks a LAN- or WLAN-connected computer on your network into believing you are the router, letting you capture the target's data as it passes through your computer on its way to the real router.

This is often called a man-in-the-middle attack and is commonly used by hackers at coffee shops to steal your information. Although it can be fairly easy to set up without IT support, there is a chance of crashing your corporate network if it is done wrong. If you are willing to take the risk, head over to and download the powerful program "Cain and Abel."

There are plenty of short YouTube videos that can get you running in minutes.
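As an added example that is not part of the article, here is the defender's counterpart to this attack: a small Python script that flags any IP, and especially the gateway, whose claimed MAC address changes across captured ARP replies. That is the symptom a network team would look for on the corporate LAN. The ARP reply records are constructed sample data, and the first MAC seen for each IP is assumed to be the legitimate baseline.

```python
"""Detect ARP poisoning from captured ARP replies (added example, constructed data).

Each record is (timestamp, sender_ip, sender_mac) taken from ARP "is-at" replies as
Wireshark or tshark would display them. An IP, above all the gateway, that is suddenly
claimed by a second MAC is the classic sign of a poisoning attempt.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is legitimately aa:..:01; at t=30 a
# second host (aa:..:99) starts answering for it, then also claims 192.168.1.20.
SAMPLE_ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (10, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (30, "192.168.1.1", "aa:bb:cc:00:00:99"),
    (31, "192.168.1.20", "aa:bb:cc:00:00:99"),
    (40, "192.168.1.1", "aa:bb:cc:00:00:01"),
]

def detect_arp_conflicts(replies, gateway_ip=None):
    """Return (timestamp, ip, baseline_mac, new_mac, is_gateway) for every reply
    in which an IP is claimed by a MAC other than its baseline.

    The first MAC seen for each IP is the baseline (assumption; a real deployment
    would seed this from DHCP leases or a known-good ARP table).
    """
    baseline = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in baseline:
            baseline[ip] = mac
            continue
        if baseline[ip] != mac:
            alerts.append((ts, ip, baseline[ip], mac, ip == gateway_ip))
    return alerts

def suspect_macs(alerts):
    """Map each MAC that claimed another host's IP to the number of IPs it took."""
    counts = defaultdict(int)
    for _, _, _, new_mac, _ in alerts:
        counts[new_mac] += 1
    return dict(counts)

if __name__ == "__main__":
    found = detect_arp_conflicts(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1")
    for ts, ip, old, new, is_gw in found:
        print(f"t={ts}s {ip} moved {old} -> {new}{' (GATEWAY)' if is_gw else ''}")
    print("suspect MACs:", suspect_macs(found))
```

Feeding the script real data is a matter of exporting ARP replies from a Wireshark capture with the `arp.opcode == 2` filter and mapping the sender IP and MAC columns onto the tuple format above.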

Now that you have picked your tool for accessing the network traffic between your target and the Internet, you need to capture and save the data. The best way to forensically capture the data packets is with the open source program Wireshark.

Wireshark is an unsurpassed network tool. After installing it you are only a few steps away from capturing data. Start by selecting Capture/Interfaces; depending on the type of monitoring you set up above, you should see your network card already transmitting and receiving packets. Before proceeding, press the Options button and use the Browse button to name the capture file and choose where it is saved. I recommend saving the file to an external drive because Internet traffic adds up fast. Also select "use multiple files" and "next file every 250 megabytes." This prevents a single error from destroying days of captured data and makes the capture easier to review later.

Once you are good to go, press Start and watch the data scroll across your screen. For practice you can also skip the monitoring step above and capture your own Internet traffic to get comfortable with Wireshark and the next few tools.

