Analyzing packet captures

A great deal of Chapter 4, Collecting Network Evidence, covered the various methods to obtain packet captures from a range of sources and from a variety of locations. Packet captures contain a great deal of information that is potentially valuable to incident response analysts. Some of this information includes source and destination IP addresses, domains and ports, and the content of communications between hosts. In some instances, incident response analysts are able to reconstruct actual files, such as text documents and images, in these packet captures.
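To make the preceding paragraph concrete, here is an added example (not code from the book and not one of the malware-traffic-analysis.net exercises) that does, in stdlib-only Python, what a tool such as Wireshark does when you list conversations, follow a TCP stream and export an HTTP object: it reads a classic pcap, lists the IPv4/TCP endpoints, reorders each one-way flow by sequence number, drops a retransmitted segment, pulls the Host header out of the request, and carves the response body back out of the reassembled stream. The capture is constructed inline; the addresses, ports, hostname example.test and the fake PNG payload are invented for the demo, and the parser assumes Ethernet framing with no gap or overlap repair.

```python
import struct
from collections import defaultdict

# Constructed sample traffic (not a real capture): a client fetches a small
# "image" over HTTP; the server reply is split into two TCP segments recorded
# out of order, and the first segment is also retransmitted.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"          # made-up addresses
PNG_BODY = b"\x89PNG\r\n\x1a\n" + bytes(range(40))   # fake PNG payload
REQUEST = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PNG_BODY)) + PNG_BODY


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for a parser demo)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _ip(src), _ip(dst))  # proto 6 = TCP
    return eth + ip + tcp + payload


def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = pcap_bytes([
    tcp_frame(CLIENT, 49152, SERVER, 80, 1000, REQUEST),
    tcp_frame(SERVER, 80, CLIENT, 49152, 5040, RESPONSE[40:]),  # arrives first
    tcp_frame(SERVER, 80, CLIENT, 49152, 5000, RESPONSE[:40]),
    tcp_frame(SERVER, 80, CLIENT, 49152, 5000, RESPONSE[:40]),  # retransmission
])


def packets(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP packet."""
    magic, = struct.unpack("<I", pcap[:4])
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"   # record byte order
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if linktype != 1 or frame[12:14] != b"\x08\x00":
            continue                                        # not Ethernet/IPv4
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                                        # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        yield src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]


def reassemble(pcap):
    """Order each one-way flow's segments by sequence number. A repeated seq
    (retransmission) is dropped; gaps and partial overlaps are not repaired."""
    flows = defaultdict(dict)
    for src, sport, dst, dport, seq, payload in packets(pcap):
        if payload:
            flows[(src, sport, dst, dport)].setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def carve_http(streams):
    """Return (hosts, files): Host headers seen in requests, and response
    bodies keyed by (server_ip, server_port), cut to Content-Length."""
    hosts, files = set(), {}
    for (src, sport, _dst, _dport), data in streams.items():
        head, sep, body = data.partition(b"\r\n\r\n")
        if not sep:
            continue                                        # no complete header
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            k, _, v = line.partition(b":")
            headers[k.strip().lower()] = v.strip()
        if lines[0].startswith(b"HTTP/"):
            n = int(headers.get(b"content-length", len(body)))
            files[(src, sport)] = body[:n]
        elif b"host" in headers:
            hosts.add(headers[b"host"].decode(errors="replace"))
    return hosts, files


if __name__ == "__main__":
    streams = reassemble(SAMPLE_PCAP)
    for flow, data in streams.items():
        print("%s:%d -> %s:%d  %d bytes" % (flow + (len(data),)))
    hosts, files = carve_http(streams)
    print("hosts:", hosts)
    for key, body in files.items():
        print("carved %d-byte object from %s:%d, magic %r" % (len(body), *key, body[:4]))
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file (and write each carved body to disk with its own name) but keep the chapter's warning in mind: anything carved out of an exercise capture may be the malware itself, so do it only inside the sandbox. Wireshark's Follow TCP Stream and Export Objects handle chunked encoding, overlapping retransmissions and pcapng, which this parser deliberately does not; the point here is to see the mechanics of how a file gets from packets back to bytes.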

This chapter refers to several preconfigured packet captures, which are taken directly from http://malware-traffic-analysis.net/ by permission of the author. The site hosts a number of packet capture exercises in which incident response analysts can practice locating indicators of compromise. Note, however, that these captures may contain live malware. Readers should only examine them in a properly configured sandbox (see Chapter 12, Malware Analysis for Incident Response) or on another system that is not connected to a production environment.