For many years, forensic investigators and IT personnel alike have used tools such as Nmap (originally developed by Gordon Lyon, under the pseudonym Fyodor Vaskovich), netcat, ping, traceroute, telnet and many others to discover the layout, configuration and, in some cases, the vulnerabilities present in enterprise network environments. Traditionally, these tools have three basic capabilities: a) discovering the hosts that exist within a network; b) identifying the active ports on the identified hosts; and c) identifying the specific operating system and version of each identified host.
Within a forensic context, tools and technologies are emerging that allow the “forensic” mapping of enterprise networks. Much like photographing a physical crime scene, these tools attempt to capture the state of the network at a moment in time through the lens of the Internet Protocol (IP). They now go further, delving deeper into networks in order to better understand the network configuration, hosts, topology and vulnerabilities that exist. For example, they identify not only hosts in the traditional sense but also routers, firewalls, network switches, printers, gateways, domain controllers, application servers and so on. In addition, when provided with administrative credentials, these tools probe deeper to identify shares, user accounts, running services along with their current state, installed drivers, mounted file systems (including transient file systems such as USB, FireWire or remote network-based file systems), last boot times, logged-on users and even known Trojan, rootkit, key-logger and botnet ports.
One of the key aspects of these new additions to the forensic investigator's toolkit is the preservation of the snapshots within a digital evidence bag or case file, which allows the snapshots to be used as evidence in civil or even criminal cases. This is a critical aspect of forensic scanners, needed both to correlate the time of the capture and to preserve the evidence. Depending on the size of the enterprise, network or subnet to be snapshotted, the time to collect a full picture can range from a few seconds to several hours. Most of the time, investigators are able to narrow the discovery to a more specific part of the network (by address range, subnet range or host domain). The forensic captures are typically taken on a one-shot basis prior to other live or post-mortem investigative actions, but in some cases they are repeated in order to evaluate the changing nature of the network. For example, if a host is turned off, the forensic scanner will assume that its IP address is dark, whereas on a subsequent scan the host may appear once it is turned on or rebooted.
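As an added illustration of the snapshot preservation and repeat-scan comparison described above (not code from the original text or from any particular scanner), the following Python sketch seals a capture with a SHA-256 digest for the case file and diffs two captures to report hosts that went dark, appeared, or changed ports. The host records and timestamps are constructed sample data.

```python
import hashlib
import json

# Constructed sample snapshots (hypothetical hosts, not from any real scan).
# Each record holds the kind of per-address data a forensic scanner captures.
SCAN_T0 = {
    "captured_at": "2024-01-10T09:00:00+00:00",
    "hosts": [
        {"ip": "10.0.0.1", "role": "router", "ports": [22, 443], "os": "RouterOS"},
        {"ip": "10.0.0.20", "role": "workstation", "ports": [135, 445], "os": "Windows 10"},
    ],
}
SCAN_T1 = {
    "captured_at": "2024-01-10T15:00:00+00:00",
    "hosts": [
        {"ip": "10.0.0.1", "role": "router", "ports": [22, 443], "os": "RouterOS"},
        {"ip": "10.0.0.20", "role": "workstation", "ports": [135, 445, 3389], "os": "Windows 10"},
        {"ip": "10.0.0.37", "role": "workstation", "ports": [445], "os": "Windows 10"},
    ],
}


def seal_snapshot(snapshot: dict) -> dict:
    """Canonicalise the snapshot and attach a SHA-256 digest so the capture
    can be stored in the case file and later verified as unchanged."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return {"sha256": hashlib.sha256(canonical).hexdigest(), "snapshot": snapshot}


def verify_seal(sealed: dict) -> bool:
    """Recompute the digest over the stored snapshot and compare with the seal."""
    return seal_snapshot(sealed["snapshot"])["sha256"] == sealed["sha256"]


def diff_snapshots(earlier: dict, later: dict) -> dict:
    """Report hosts that went dark, appeared, or changed open ports between captures."""
    before = {h["ip"]: h for h in earlier["hosts"]}
    after = {h["ip"]: h for h in later["hosts"]}
    return {
        "went_dark": sorted(set(before) - set(after)),
        "appeared": sorted(set(after) - set(before)),
        "port_changes": {
            ip: {"opened": sorted(set(after[ip]["ports"]) - set(before[ip]["ports"])),
                 "closed": sorted(set(before[ip]["ports"]) - set(after[ip]["ports"]))}
            for ip in set(before) & set(after)
            if set(before[ip]["ports"]) != set(after[ip]["ports"])
        },
    }
```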
Performing a forensic discovery of an enterprise network prior to an investigation may reveal key elements that would otherwise be overlooked. These network maps, along with the large amount of metadata associated with each node, can provide evidence that is likely to be crucial in unwinding malicious or criminal activity. Executing such discoveries requires well-vetted tools, experienced and trained investigators, and skilled examiners who analyze the results to develop hypotheses and carry out further investigative strategies and actions.