HOST IDENTIFICATION
During an investigation, analysts must determine which hosts were compromised. In addition to matching IP addresses to MAC addresses and correlating them with the asset inventory (if available), analysts can use the following protocols to identify infected hosts:
Dynamic Host Configuration Protocol (DHCP) traffic
NetBIOS (NBNS) traffic
Kerberos traffic
These protocols can provide valuable information for host and user identification during the investigation.
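As an added example (not part of the original page), the Python code below shows the DHCP case: it parses one DHCP payload and extracts the client MAC address, host name (option 12), requested IP address (option 50) and vendor class (option 60), which together tie an IP address to a named machine. The function names and the sample request, including its MAC, IP and host name, are constructed for illustration.

```python
import socket

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Return host-identifying fields from one DHCP (BOOTP) UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                      # hardware address length
    info = {"mac": payload[28:28 + hlen].hex(":")}  # chaddr field
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                   # truncated option body
        if code == 12:
            info["hostname"] = value.decode("ascii", "replace")
        elif code == 50 and length == 4:
            info["requested_ip"] = socket.inet_ntoa(value)
        elif code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 60:
            info["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def constructed_request() -> bytes:
    """Constructed DHCP Request; every value here is made up for the demo."""
    fixed = bytearray(236)
    fixed[0:3] = bytes([1, 1, 6])                   # op=request, Ethernet, hlen 6
    fixed[28:34] = bytes.fromhex("001122aabbcc")    # client MAC (chaddr)
    opts = b"".join(bytes([c, len(v)]) + v for c, v in [
        (53, b"\x03"), (50, socket.inet_aton("10.0.0.57")),
        (12, b"DESKTOP-EXAMPLE"), (60, b"MSFT 5.0")])
    return bytes(fixed) + DHCP_MAGIC + opts + b"\xff"

if __name__ == "__main__":
    print(parse_dhcp(constructed_request()))
```

To use it on captured traffic, pass in the UDP payload of packets on ports 67 and 68.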