Abstract
In this thesis, a new protocol is presented, the Session Token Protocol (STOP), that can assist in the forensic analysis of a computer involved in malicious network activity. It has been designed to trace attackers who log on to a series of hosts to hide their identity. The protocol utilizes the Identification Protocol (ident) infrastructure and improves its capabilities and users' privacy. The STOP protocol saves user- and application-level data associated with a requested TCP connection and returns a random token. The user- and application-level data are not revealed until the token is returned to the local administrator. A trail of tokens can be created by sending a traceback request to the previous host from which the user has connected. The previous host will save the appropriate data, return a token, and send a new traceback request. This allows an incident investigator to trace attackers to their home systems, but does not violate the privacy of normal users. This thesis also describes how the new protocol was implemented on three platforms.
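As an added illustration of the token trail described above (not code from the thesis or its implementations), the following Python model builds a constructed three-hop chain in which each host saves the connection's user/application data under a random token, returns only the token, and forwards the traceback request to the previous hop; host names, ports, account names and the in-memory data layout are assumptions.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Host:
    """A host in a constructed STOP chain: records user/app data for a TCP
    connection under a random token and reveals it only to its own admin."""
    name: str
    peers: dict = field(default_factory=dict)     # name -> Host (constructed)
    sessions: dict = field(default_factory=dict)  # local port -> connection info
    vault: dict = field(default_factory=dict)     # token -> saved data

    def add_session(self, port, user, app, prev_host=None, prev_port=None):
        """Register an outbound TCP connection from `port`, noting where the
        user came from (None marks the user's home system)."""
        self.sessions[port] = (user, app, prev_host, prev_port)

    def traceback(self, port):
        """Serve a traceback request for the connection on `port`: save the
        user/app data under a fresh token, then ask the previous hop to do
        the same. Returns the trail of (host, token) pairs and nothing else."""
        if port not in self.sessions:
            return []
        user, app, prev_host, prev_port = self.sessions[port]
        token = secrets.token_hex(8)
        self.vault[token] = {"user": user, "app": app, "prev_host": prev_host}
        trail = [(self.name, token)]
        if prev_host in self.peers:
            trail += self.peers[prev_host].traceback(prev_port)
        return trail

    def reveal(self, token):
        """The local administrator presents a token; data comes back only on
        the host that issued it."""
        return self.vault.get(token)

def build_chain():
    """Constructed scenario: home -> hop1 -> hop2 -> victim, with a different
    account name used on every hop."""
    home, hop1, hop2 = Host("home"), Host("hop1"), Host("hop2")
    hop1.peers["home"] = home
    hop2.peers["hop1"] = hop1
    home.add_session(51000, "mallory", "ssh")
    hop1.add_session(52000, "alice", "telnet", "home", 51000)
    hop2.add_session(53000, "bob", "ssh", "hop1", 52000)
    return {"home": home, "hop1": hop1, "hop2": hop2}

def trace_from_victim(hosts):
    """The victim sends the first traceback request to hop2 for port 53000."""
    return hosts["hop2"].traceback(53000)
```

The investigator ends up holding only tokens; each hop's administrator decides whether to redeem the token for the data stored on that hop.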