Deck 24: Digital Evidence at the Physical and Data-Link Layers

The netstat command can be used to obtain the MAC address of a remote computer.

It is necessary to physically tap a network cable to capture the traffic it carries.

Each network packet stored in the tcpdump file is date-time stamped.

MAC addresses can be associated with a particular computer.

Routers use Ethernet addresses to direct data between networks.

It is not possible to use a sniffer when connected to a network via a modem.

A common approach to collecting digital evidence from the physical layer is using a sniffer.

Obtain the MAC address of a computer and describe how you did it.

One of the drawbacks of copying network traffic using a SPANned port is that a
SPANned port copies only valid Ethernet packets.

The tcpdump application can be used to reconstruct TCP streams.

A computer connected to the Internet via a dial-up modem can eavesdrop on network traffic from other computers that are dialed into the same Internet service provider.

Describe how a computer obtains the Ethernet address of another computer that it wants to communicate with.

Unlike ARP cache, ATMARP is stored on the individual computers.

DHCP can be configured to assign a static IP address to a particular computer every time it is connected to the network.

By default, tcpdump captures the entire contents of a packet.

What is a "gratuitous ARP request" and why is it dangerous?

One key point about MAC addresses is that they do not go beyond the router.

What information is contained in the padding of an Ethernet frame?

It is possible to obtain file names from network traffic as well as the file contents.