Yep, but the point here is in the topology of the network, as basically there should be NO network ('device not connected') in the first place; then you have people that set up local networks within the buildings (LAN), outer networks in a big city probably (MAN), and the uplink to the 'internet' (WAN).
We should presume that all of the sites were configured to be in the same networks, address classes, subnets, routes, etc., but this is a high-complexity thing to do, and even if they did it (DS), you still have a problem: how did you legally get access to TAP into the network and SNIFF the data?
The same applies if there was an upper-level carrier (e.g. a standard ISP, which I hope not): if they had a TAP in their datacentres and somehow managed to sniff the various XP from there, still, legally and forensically it has no value; on the contrary, it would invalidate the data (as a private citizen that's highly classified data, plus you would have had to hack into something, and other stuff).
The thing would be if there was a hidden company thrown in under an EO or some special right given in the shadows; in that case, if they legally have the right to do it, it's another thing, but still, you would use that data in the courts, you wouldn't disclose the proofs to the world.
The last thing is, to understand how a capture is done within the topology, you need to understand also how the WWW and networks are made. E.g. he claims that he has the IP address of the attackers, but that has no value: an IP could be disguised in many ways (VPNs, proxies, cloud pools, botnets, etc.), and also the data he has depends on whether it's encrypted or not, as you need anyway to have a corresponding action somewhere else (the 'packets' are nothing else than commands, strings, values, etc. being encapsulated and sent; you need to relate them to the underlying system). E.g. you can see an HTTP or HTTPS packet (breaking down SSL with a MITM and downgrade), like form data (a login, let's say); when you dig down into the packet, even if you can see it in clear text, you will see something like ID=userID or a full string id.loginID=[userID]&etc... (pseudocode, nothing real, just to give an example, as it depends on which type of packet / protocol it is and what the content is, etc.).
So let's say I can see a call incoming from an IP; I'll say it's from China. As you see, it depends on how the whole software thing works after: it may be a login via the UI (Dominion had the 'you switch folder' thing), or was it a SQL injection on the database? Or was it just some kind of exploit that causes an exception or something to allow a higher-level takeover? Having understood this, you need to match it with the systems / network logs, so normally a judge, if you can prove a similar attack, would ask the other side to provide the logs (systems, routers, switches, etc. etc. up to the top-level network/uplink), so that they can relate and match it with what happened on the system (I heard about logs with over 36k entries used to cover the tracks; in that case they can just prove that something was done to hide the truth).
I could even prove someone was flooding my servers with ping, nmap, DDoS, RPC and whatever else, but if I can't prove they breached in and did something on my systems, there is nothing that I can do (normally it should be the victim who has to prove an attack, with the help, if you want, of external forensic and specific cybersec companies, not a third entity in the middle of its own will).
Hope you got the point; it's still more complex as forensics in IT are tricky, but it should give an idea.
PS: to be clear, I'm not dooming, I just like to be realistic.
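As an added illustration of the log-matching step the post describes (this is not the poster's code, nor any product's): a small Python script that takes a constructed firewall connection list, a web-server access log and an application audit log and, per source IP, looks for host-side events within a few seconds of each connection, then classifies the source as network-level noise only, plain application requests, a suspected SQL injection attempt, or authenticated activity. All addresses (TEST-NET ranges), log lines, field formats, the injection heuristic and the 5-second window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# --- Constructed sample data (invented for this example; TEST-NET addresses) ---
CONNECTIONS = [  # (time, source IP, destination port) as a firewall/flow export would give
    ("2020-11-03T22:14:03+00:00", "203.0.113.7", 443),
    ("2020-11-03T22:15:40+00:00", "203.0.113.7", 443),
    ("2020-11-03T22:20:00+00:00", "198.51.100.9", 443),
    ("2020-11-03T22:30:01+00:00", "198.51.100.23", 22),
    ("2020-11-03T22:30:02+00:00", "198.51.100.23", 23),
    ("2020-11-03T22:30:03+00:00", "198.51.100.23", 3389),
]
ACCESS_LOG = [  # web server, combined log format (constructed)
    '203.0.113.7 - - [03/Nov/2020:22:14:05 +0000] "POST /login HTTP/1.1" 302 512',
    '203.0.113.7 - - [03/Nov/2020:22:15:41 +0000] "GET /admin/export?report=summary HTTP/1.1" 200 8831',
    '198.51.100.9 - - [03/Nov/2020:22:20:01 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 0',
]
AUTH_LOG = [  # application audit trail (constructed format)
    "2020-11-03T22:14:06+00:00 login ok user=admin src=203.0.113.7",
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AUTH_RE = re.compile(r"^(\S+) login (ok|failed) user=(\S+) src=(\S+)")
# Deliberately simple injection heuristic; real detection would use the DB query log.
SQLI_HINT = re.compile(r"'\s*(?:or|and)\b|union\s+select|;\s*drop\b", re.I)


def parse_access(line):
    """Parse one combined-format access log line into a timestamped event."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"kind": "http", "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "ip": ip, "method": method, "path": unquote(path), "status": int(status)}


def parse_auth(line):
    """Parse one line of the (assumed) application login audit log."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return {"kind": "auth", "time": datetime.fromisoformat(ts), "ip": ip,
            "result": result, "user": user}


def classify(entry):
    """Turn the matched host-side events for one source IP into a verdict."""
    http = [e for e in entry["matched"] if e["kind"] == "http"]
    logins = [e for e in entry["matched"] if e["kind"] == "auth" and e["result"] == "ok"]
    if any(SQLI_HINT.search(e["path"]) for e in http):
        return "suspected SQL injection: correlate with database query logs"
    if logins:
        return "authenticated application activity: host-side evidence exists"
    if http:
        return "application requests seen, no auth or injection indicators"
    return "network-level noise only: no host-side evidence of a breach"


def correlate(connections, access_log, auth_log, window=timedelta(seconds=5)):
    """For each source IP, attach host events that follow a connection within `window`."""
    events = [e for e in map(parse_access, access_log) if e]
    events += [e for e in map(parse_auth, auth_log) if e]
    report = {}
    for ts, ip, port in connections:
        t0 = datetime.fromisoformat(ts)
        entry = report.setdefault(ip, {"connections": 0, "ports": set(), "matched": []})
        entry["connections"] += 1
        entry["ports"].add(port)
        for e in events:
            if e["ip"] == ip and timedelta(0) <= e["time"] - t0 <= window:
                entry["matched"].append(e)
    for entry in report.values():
        entry["verdict"] = classify(entry)
    return report


if __name__ == "__main__":
    for ip, entry in correlate(CONNECTIONS, ACCESS_LOG, AUTH_LOG).items():
        print(ip, entry["connections"], sorted(entry["ports"]), entry["verdict"])
```

The point the script makes is the one in the post: the port-scanning source (198.51.100.23) produces connections but nothing on the host side, so on its own it is not evidence of a breach, whereas the other two sources only become interesting once the network record is matched to an application event (a successful login, or a malformed query that needs the database logs to settle).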