NETSH Packet Capture
NETSH Packet Capture allows network traffic sniffing on Microsoft Windows 7 and newer machines using natively installed NETSH with an EnCase Servlet that has Remediation enabled. Launch the EnScript as no case is necessary and log into your SAFE which will determine if the Remediation flag is enabled and if you have permission to use this feature. Once that is done, you can click the Sniff button to run your NETSH commands on the remote system using the IP that was provide. All results are displayed in the Console View of EnCase after the completion of the command execution. At this point click Cancel to leave NETSH running otherwise set the Export Folder for where the Logical Evidence File should be saved. Also you will want to make sure you stop the packet capture prior to clicking OK as this initiates the file collection based on the default logical file names NetTrace.etl and NetTrace.cab. Microsoft Message Analyzer can be used to review the data or to extract the PCAP contents for review using Wire Shark, Network Miner, Xplico, or etc. Microsoft Message Analyzer Download: http://www.microsoft.com/en-us/download/details.aspx?id=40308 This app was developed by instructors in support of the Guidance Software Professional Development and Training Course offerings. For more information about its use and investigative context, attend one of the following courses: Enterprise Examinations, Host Intrusion Methodology and Investigation, or Cybersecurity and Analytics.
YOU MAY ALSO LIKE