Week 5

The best possible outcome during evidence acquisition is when no footprint is left behind on the network or the host being examined, and the evidence acquired is verified by cryptographic means, i.e. a hash such as SHA-256 or SHA-512 is computed at acquisition time and recorded, so that any later change to the capture can be detected. MD5 is still widely seen in older tooling, but it is no longer collision resistant, so it should at most accompany a stronger hash rather than replace it.

Physical interception is capturing packets on the wire (or fibre, or radio link) that they normally travel over. There are several kinds of hardware for this:
– inline network tap. A device inserted in-line on the link between two endpoints; traffic passes straight through it, and a copy of everything in both directions is sent out a monitor port to the capture machine. Because it is passive, the endpoints cannot see it, but inserting it briefly breaks the link.
– vampire tap. A clamp that pierces the insulation of a cable (classically thick coaxial Ethernet) to make contact with the conductor and read the signal directly.
– induction coil. Reads the electromagnetic emanations of a cable without touching the conductor at all. This is specialist equipment and not generally available to the public.
– fibre optic tap. A splitter that diverts a small fraction of the light on a fibre to a second fibre; it works similarly to an inline tap.
Radio frequency (a wireless card in monitor mode), hubs (which repeat every frame to every port) and switches (via a SPAN or mirror port configured to copy traffic to the capture port) can also be used to capture packet traffic from the devices connected to them.

There are several software tools that help with capturing and sniffing packet traffic:
– wireshark
– tcpdump
– ngrep (grep-style pattern matching over packet payloads)
– nmap (note: nmap is a port scanner, not a sniffer; it sends its own probes and so is an active tool that leaves a footprint)
tcpdump is a Unix command-line tool that works similarly to Wireshark. It is used for capturing network traffic over a period of time, and it needs root (or CAP_NET_RAW) to open an interface. Common tcpdump commands:
tcpdump -D lists all network interfaces available for capture
tcpdump -i <interface> prints every packet captured on the specified network interface (add -n to stop it resolving names, which would otherwise generate DNS traffic of its own)
tcpdump -i <interface> -w filename.pcap saves the captured packets to a pcap file instead of printing them
Wireshark is a GUI sniffer built on the same libpcap capture library as tcpdump; it uses the same capture filter syntax and reads the pcap files that tcpdump writes.
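The following script ties the hash-verification goal from the first paragraph to the tcpdump commands above: it captures to a pcap, writes a SHA-256 sidecar next to it, and can later check that the capture is unchanged. It is an added example and not code from the original notes; the function names are the author's own, and the tcpdump flags used (-n, -U, -s 0, -i, -w) are real tcpdump options.

```shell
#!/bin/sh
# Added example: hash-verified tcpdump acquisition (not from the original notes).

_sha256() {
    # Print only the hex digest of a file (GNU coreutils or BSD shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

hash_evidence() {
    # Record the capture's digest in a sidecar file immediately after acquisition,
    # so any later modification of the pcap is detectable.
    _sha256 "$1" > "$1.sha256"
}

verify_evidence() {
    # Return 0 if the file still matches its recorded digest, 1 otherwise.
    [ -f "$1.sha256" ] || return 1
    [ "$(_sha256 "$1")" = "$(cat "$1.sha256")" ]
}

acquire_capture() {
    # Usage: acquire_capture <interface> <outfile.pcap> [capture filter ...]
    # Needs root or CAP_NET_RAW.
    #   -n    do not resolve names, so the capture box itself emits no DNS queries
    #   -U    flush each packet to disk as it arrives, so a crash loses almost nothing
    #   -s 0  capture whole packets rather than truncating them
    # tcpdump runs until interrupted (Ctrl-C); the pcap is hashed as soon as it stops.
    iface=$1; out=$2; shift 2
    tcpdump -n -U -s 0 -i "$iface" -w "$out" "$@" || return 1
    hash_evidence "$out"
}
```

Typical use is `acquire_capture eth0 case42.pcap 'not port 22'`, where the filter excludes the analyst's own SSH session to the capture host so it does not end up in the evidence, followed later by `verify_evidence case42.pcap` before analysis.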

Common interfaces for active acquisition, i.e. logging in to a device and pulling its state or configuration rather than passively sniffing (this always leaves a footprint such as login records and log entries, which should be noted in the case documentation):
– console (serial connection; leaves the least network footprint)
– SSH
– telnet (cleartext, so credentials and the acquired data are exposed on the wire)
– SNMP (versions 1 and 2c send the community string in cleartext; v3 adds authentication and encryption)
– etc.
