
Thread: finding packets

  1. #21
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    TH - you mentioned you *never* trust tools on the suspected host... and I understand that if a rootkit was installed it can intercept system calls and other processes, so the application or tool running may return false results. What are your opinions of programs like Sysinternals' RootkitRevealer and F-Secure's BlackLight?
    I have mixed views of such tools. The differentiator is that their effectiveness is decided by the hands of the analyst they're put in.

    That said, the kit has to be running before it can do anything. In most cases, a nice forensic CD is sufficient to handle the problem. Sleuth comes to mind, as well as Helix.

    Of course I have to be special and have my own custom tools along with the ultimate in forensics - EnCase.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #22
    Junior Member
    Join Date
    Apr 2006
    Posts
    17
    I seem to have caused some intense conversation, none of which I understand. Anyway.... back on the packets, what if the packet sniffer is no longer on the computer? Is there any way to find the packets then?

  3. #23
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, even I can answer that one.

    what if the packet sniffer is no longer on the computer? Is there any way to find the packets then?

    No, the odds would be 1000:1 against and that is generous. If someone loaded such a tool and subsequently removed it, you can very, very reasonably assume that most of its traces have been removed as well.

    If you had the resources and the inclination you might try loading your periodic backups onto another machine and analysing them on the off chance that you may have caught them.

    Why are you interested in the packets anyway? What do you hope that they will tell you? Isn't it your data anyway?

    Mind you, I am talking about a normal corporate/professional investigation... if it is Federally funded and resourced, we are potentially talking a different ball game.


  4. #24
    Junior Member
    Join Date
    Apr 2006
    Posts
    17
    Haha, yes, it is my data, but I'm not the user of the infected computer, I'm just on his network. I'm just really paranoid and I don't want HIM seeing my data.

  5. #25
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Chances are that an end user has no clue how to use or even read a true packet capture.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #26
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    OK, this is starting to make more sense now. I thought you suspected a sniffer on your own computer or a computer you controlled or had access to.

    back on the packets, what if the packet sniffer is no longer on the computer? Is there any way to find the packets then?
    Are you saying that you suspect someone else is sniffing the network you're on, and you are wondering if there is a way to find out if any of your personal information is on his/her computer?

    But that brings up another question. What makes you think there is a sniffer involved? Please don't take offense, but if the previous posts were not understandable to you, how would you have the knowledge to be aware of such a threat?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  7. #27
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, that really begs the questions:

    1. Who owns the network (I mean legally), and who administers it?
    2. Who owns the computer that you use... legally?
    3. Is this supposedly infected machine a laptop, desktop or server? Who owns it?
    4. What makes you think that this computer is infected?
    5. What is it about "packets" from your machine that are so secret?
    6. Why didn't you encrypt the data?
    7. If you don't want "him" to see your data, maybe he knows that, and his machine is not infected... maybe he brought the software in deliberately?
    8. Is your computer completely physically secure or do others share it/have access to it?
    9. How many others share this network? Why should you be so special?

    I will suggest one thing to you: if there is money involved, change your passwords and account details, and learn how to do such things securely first.

    If you were being monitored and all of a sudden it stops, it generally means that whoever it was has got what they want and something nasty is about to happen.

  8. #28
    Junior Member
    Join Date
    Apr 2006
    Posts
    17
    Wow, okay.... First of all, let me say that I PROMISE that I am not some creepy stalker person trying to learn how to do this. I'm not, I swear.

    Anyway, I guess I'd better give a lot more background information. Again, I'd like to state that I really know nothing about computers.

    Okay, my "network" is not really a network, it's just what my friend was calling it. It's just a bunch of guys sharing a hub connected to the internet.

    Okay, so my friend came over and was looking at my other friend's computer. He claims to know something about computers, although it could be less than he originally thinks. Anyway, after looking at my friend's computer, he started talking about how he thought it might be infected with a trojan and a packet sniffer. He then started telling me about how, since we were connected to a hub, everything I and everyone else connected to the hub do is also sent to the infected computer. Then he started telling us how the packets it picked up were stored, and how, if my other friend found them, he could have access to all of our browsing history, passwords, etc.

    I dunno, he just made me really paranoid, so I did a little research, which made me even more paranoid, so I came here to ask. Thank you everyone who is helping me, I'm sorry I'm so dumb.

  9. #29
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    ...the idea of incorporating a network packet sniffer into a trojan is an interesting idea.
    Whew, a trojan like that would be...a pig. Sniffing sucks up a lot of system resources generally, doesn't it? The capture files would be rather large too unless heavily filtered, yes?

    So what would be the point? A keylogger trojan would be a much better tool for lifting a user's data. A nice little log file compared to a packet capture.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  10. #30
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    kurokage, sounds like you could use a router. I've seen hubs hooked up directly to cable modems, which is less than ideal from a security viewpoint. With a setup like that, you're probably pulling your IP directly from your ISP, with your computer fully exposed to the internet (which is ok, but not the best).

    Make sure you've got a good firewall in place on your PC. Scan everything on your PC for virii and spyware. Run all your Windows updates.

    You're probably OK; most spyware does not spread in the manner described by your friend's friend. Sounds like the guy's blowin' you some smoke... IMHO.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
