Same host or different? How can you tell "over the wire"?

[Rodney W. Grimes]

> 
> In message <201803212204.w2LM4G8h023320 at pdx.rh.CN85.dnsmgr.net>, 
> "Rodney W. Grimes" <freebsd-rwg at pdx.rh.CN85.dnsmgr.net> wrote:
> 
> >One thing you could look at is the OS finger printing of nmap,
> >that could look for possible things to diffentiate the hosts.
> 
> Yea, that idea occurred to me.  But this solution has the same problem
> that I just mentioned in another one of my replies in this thread:
> Even if nmap says that two IP addresses have the exact same OS
> signature, that is far from enough to assert that they are both
> under the control of the exact same Bad Actor.

You are not going to prove the "control of the exact same Bad Actor"
without a warrant to search and seize.

You might prove they are 2 different boxes if the nmap finger
print shows a difference, but if they show identical you have
proved nothing.

> You certainly wouldn't want to send someone to prison, or even to
> after-school detention, based on such limited circumstantial evidence.
> 
> >Depending on just what the host is there could be other tale
> >tale signs picked up from "forensic" type of data captured
> >with tcpdump while playing known packet sequences against
> >each host at identical time.
> 
> Such as?
> 
> I'm all ears.

At this point I have to state I am not going to do your
research work for free.  I have given you plenty of free
leads to persue.

> >What you ask I believe could be done, but it non trivial and
> >would require a very good understanding of both forensics
> >and the differing ways that TCP/IP is implemented.
> 
> I like to think that I am a quick learner.  Please proceed with the
> lesson.

The rates for lessons in Forensics start at reasonable enough
amounts, you can contact me off list if you wish to persue that.

... rest deleted ...


-- 
Rod Grimes                                                 rgrimes at freebsd.org