P2P Help Needed

(@peterca)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Hi guys

I'm working on a project to investigate P2P sharing. I have a pcap trace file and need to investigate it.
I started with Snort -r with P2P rules. Then I am using NetWitness for further analysis.

What's the actual proper way of starting such an investigation?

Thanks in advance :)


   
Quote
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

The proper way to do something like that is to get a warrant, then identify the suspect, then seize the equipment, then examine the equipment.

In the UK you would already have fallen foul of RIPA and be looking at losing your job. In the States you'd run into the age-old "an IP address is not a person" problem. I can appreciate that you want to learn about the network forensics aspect, but this is not how LE works in my experience.

If I were doing this project, I'd start off by making a lab environment and documenting the behaviour of my P2P client as it connects, searches and downloads/uploads files, making particular note of the ports used. Then you can compare your sample data to the data you got from the lab and start drawing conclusions.


   
ReplyQuote
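The lab-then-compare approach above comes down to fingerprinting what the client actually puts on the wire and then looking for the same fingerprints in the sample capture. The script below is an added example, not code from this thread or from any of the tools mentioned: it parses a classic pcap file with nothing but the standard library, pulls out TCP/UDP endpoints and payloads, and labels traffic by BitTorrent indicators of decreasing strength (the protocol handshake string, a bencoded DHT query, and finally a bare 6881-6889 port hit, which on its own proves nothing). The capture it runs on is constructed inline from hand-built frames, so every address, port and payload is invented for the demonstration.

```python
"""Minimal pcap triage for BitTorrent indicators (added example, standard library only).

Indicators, strongest first:
  1. TCP payload starting with the BitTorrent peer-wire handshake.
  2. UDP payload that is a bencoded DHT query (dict with "a" args and "y" == "q").
  3. Either endpoint on 6881-6889 (weak: a port hint, never evidence by itself).
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4              # classic libpcap magic (microsecond timestamps)
BT_HANDSHAKE = b"\x13BitTorrent protocol"
BT_PORTS = range(6881, 6890)         # conventional BitTorrent listening range

# ---- parsing ---------------------------------------------------------------

def read_records(data):
    """Yield raw link-layer frames from a classic pcap byte string (Ethernet only)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def decode(frame):
    """Return (proto, src, sport, dst, dport, payload) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", frame, 16)
    frame = frame[:14 + total_len]                        # drop Ethernet padding
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == 6:
        data_off = (frame[l4 + 12] >> 4) * 4
        return ("tcp", src, sport, dst, dport, frame[l4 + data_off:])
    if proto == 17:
        return ("udp", src, sport, dst, dport, frame[l4 + 8:])
    return None

# ---- classification ----------------------------------------------------------

def classify(rec):
    proto, _src, sport, _dst, dport, payload = rec
    if proto == "tcp" and payload.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    # bencode sorts dict keys, so a DHT query always starts with the "a" (args) dict
    if proto == "udp" and payload.startswith(b"d1:ad2:id20:") and b"1:y1:q" in payload:
        return "bittorrent-dht-query"
    if sport in BT_PORTS or dport in BT_PORTS:
        return "bittorrent-port-only"
    return "other"

def summarise(pcap_bytes):
    """Map each host to the sorted list of P2P indicators it was a party to."""
    hosts = defaultdict(set)
    for frame in read_records(pcap_bytes):
        rec = decode(frame)
        if rec is None or (label := classify(rec)) == "other":
            continue
        proto, src, sport, dst, dport, _ = rec
        hosts[src].add(f"{label} -> {dst}:{dport}/{proto}")
        hosts[dst].add(f"{label} <- {src}:{sport}/{proto}")
    return {h: sorted(v) for h, v in hosts.items()}

# ---- constructed sample capture (not real traffic) ---------------------------

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + payload   # zeroed MACs, EtherType IPv4

def tcp_packet(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    return _ipv4(src, dst, 6, tcp)

def udp_packet(src, sport, dst, dport, payload):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def sample_pcap():
    """Four hand-built frames: a BT handshake, a DHT ping, an HTTP GET and a bare port hit."""
    info_hash, peer_id = bytes(range(20)), b"-XX0001-" + b"0" * 12      # made-up values
    handshake = BT_HANDSHAKE + b"\x00" * 8 + info_hash + peer_id
    dht_ping = b"d1:ad2:id20:" + info_hash + b"e1:q4:ping1:t2:aa1:y1:qe"
    http_get = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    return build_pcap([
        tcp_packet("10.0.0.5", 51234, "203.0.113.7", 6881, handshake),
        udp_packet("10.0.0.5", 6881, "198.51.100.9", 6881, dht_ping),
        tcp_packet("10.0.0.5", 51235, "192.0.2.10", 80, http_get),
        tcp_packet("10.0.0.6", 40000, "192.0.2.20", 6882, b""),
    ])

if __name__ == "__main__":
    for host, indicators in summarise(sample_pcap()).items():
        print(host, *indicators, sep="\n    ")
```

Run it against a real capture by replacing `sample_pcap()` with `open("trace.pcap", "rb").read()`; pcapng files (the default Wireshark format) will be rejected by the magic check and need converting first. The point of the three-tier labelling is the one made in the post above: the lab tells you which indicator your client really emits, and only the handshake and DHT labels are strong enough to build on, while a port-only hit is a lead to chase, not a finding.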
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> What's the actual proper way of starting such an investigation?

Start with the goals of your investigation: what are you hoping to achieve or show? Then consider the data that you have available: is it sufficient for you to achieve your goals? If not, why, and what other data would you need?

Based on the data that you do have, have you considered using Wireshark and/or Network Miner?


   
ReplyQuote
(@peterca)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Yes, I have tried Wireshark. Basically I have to investigate illegal file sharing on the server (I have the VM image of the server). I have to find out

the hosts that were involved in file sharing, and to cross-correlate the traces from the pcaps with traces from the system.

Also, what tools would be good to use for this type of investigation on the server?

I assume that I have to look for the protocols that could be used for file sharing. I have been told that replaying the pcap file through Snort is a good starting point.


   
ReplyQuote
Share: