Abstract
We introduce a new protocol designed to assist in the forensic investigation of malicious network-based activity, specifically addressing the stepping-stone scenario in which an attacker uses a chain of connections through many hosts to hide his or her identity. Our protocol, the Session TOken Protocol (STOP), enhances the Identification Protocol (ident) infrastructure by sending recursive requests to previous hosts on the connection chain. The protocol has been designed to protect user's privacy by returning a token that is a hash of connection information; a system administrator can later decide whether to release the information relating to the token depending on the circumstances of the request.