This session will address the techniques used to investigate network-based intrusions, especially those originating from the public Internet. Emphasis will be on techniques that provide an acceptable chain of evidence for use by law enforcement or in anticipation of civil litigation. We will cover back-tracing, forensic tools, end-to-end tracing and evidence collection and preservation as well as the forensic use of RMON2-based tools for documenting the path of an attack.