Network forensics


Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information: traffic that is not captured while it crosses the wire is gone, so network forensics is often a proactive investigation in which collection has to be set up before the incident of interest occurs.

Network forensics generally has two uses:

The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. 

The second form of network forensics relates to law enforcement. In this case, analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords, and parsing human communication such as emails or chat sessions.

Two approaches are commonly used to collect network data:

"Catch-it-as-you-can" - All packets passing through a given observation point are captured and written to large storage, with analysis done afterwards in batch mode. This preserves the most evidence (full payloads can be reassembled later) but needs storage proportional to the link's traffic volume.

"Stop, look and listen" - Each packet is examined in memory in a rudimentary way as it arrives, on a processor fast enough to keep up with the link, and only selected information (for example flow records, connection metadata, or matches against a filter) is saved for later analysis. This needs far less storage, but anything not retained at capture time cannot be recovered afterwards.

Types
Ethernet – Applying forensic methods on the Ethernet layer is done by capturing frames from the medium with monitoring tools or sniffers. The most common tool on this layer is Wireshark (formerly known as Ethereal). It collects all data on this layer and allows the user to filter the captured traffic. With these tools, websites, email attachments and more that have been transmitted over the network can be reconstructed, provided the traffic was not encrypted. An advantage of collecting this data is that it is directly connected to a host: if, for example, the IP address or the MAC address of a host at a certain time is known, all data to or from this IP or MAC address can be filtered. Two caveats apply: MAC addresses are only visible on the local network segment (frames to remote hosts carry the gateway's MAC), and both MAC and IP addresses can be spoofed, so an address identifies a host only as strongly as the surrounding evidence supports.
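
The following is an added example, not code from the original article: a small "stop, look and listen" pass over a pcap byte stream in pure Python. It decodes Ethernet/IPv4/TCP|UDP headers in memory, keeps only per-flow metadata (endpoints, packet and byte counts, first/last timestamp, MAC addresses seen), and can restrict the summary to one MAC or IP address, which is the "filter everything for this host" step described above. The sample capture at the bottom is constructed in the file (the hosts, addresses and gateway MAC are invented); checksums, IP options and payload contents are deliberately ignored.

```python
"""Minimal flow summariser over a pcap byte stream (added example, standard library only)."""
import struct
from collections import defaultdict

PCAP_GLOBAL = struct.Struct("<IHHiIII")    # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
L4_PORTS = struct.Struct("!HH")            # first 4 bytes of both TCP and UDP headers


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def iter_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian microsecond pcap."""
    if PCAP_GLOBAL.unpack_from(data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(data):
        sec, usec, incl, _orig = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers; return None for anything else (ARP, IPv6, runts)."""
    if len(frame) < ETH_HDR.size + IPV4_HDR.size:
        return None
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    vihl, _tos, _tl, _id, _frag, _ttl, proto, _csum, sip, dip = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    ihl = (vihl & 0x0F) * 4
    l4 = ETH_HDR.size + ihl
    if vihl >> 4 != 4 or ihl < 20 or len(frame) < l4:
        return None
    sport = dport = 0
    if proto in (6, 17) and len(frame) >= l4 + L4_PORTS.size:
        sport, dport = L4_PORTS.unpack_from(frame, l4)
    return {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
            "src_ip": ip_str(sip), "dst_ip": ip_str(dip), "proto": proto,
            "sport": sport, "dport": dport, "length": len(frame)}


def summarize_flows(pcap_bytes, mac=None, ip=None):
    """Bidirectional flow table keyed by (ipA, portA, ipB, portB, proto), lower endpoint first.

    With mac= or ip= set, only packets sent to or from that address are counted.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None, "macs": set()})
    for ts, frame in iter_pcap(pcap_bytes):
        p = parse_frame(frame)
        if p is None:
            continue
        if mac and mac not in (p["src_mac"], p["dst_mac"]):
            continue
        if ip and ip not in (p["src_ip"], p["dst_ip"]):
            continue
        a, b = (p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])
        f = flows[(*min(a, b), *max(a, b), p["proto"])]
        f["packets"] += 1
        f["bytes"] += p["length"]
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
        f["macs"].update((p["src_mac"], p["dst_mac"]))
    return dict(flows)


# ---- constructed sample capture (synthetic hosts and addresses, not real traffic) ----
def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet/IPv4/TCP|UDP frame with zeroed checksums (the parser never verifies them)."""
    l4 = L4_PORTS.pack(sport, dport) + b"\x00" * (16 if proto == 6 else 4) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(l4), 1, 0, 64, proto, 0, _ip(src_ip), _ip(dst_ip))
    return ETH_HDR.pack(_mac(dst_mac), _mac(src_mac), 0x0800) + ip + l4


def build_pcap(frames, t0=1700000000):
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += PCAP_RECORD.pack(t0 + i, 0, len(f), len(f)) + f
    return out


HOST_A, HOST_B, GW = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:fe"
SAMPLE_PCAP = build_pcap([
    build_frame(HOST_A, GW, "10.0.0.5", "198.51.100.20", 6, 49152, 80),           # SYN via gateway
    build_frame(GW, HOST_A, "198.51.100.20", "10.0.0.5", 6, 80, 49152),           # SYN/ACK
    build_frame(HOST_A, GW, "10.0.0.5", "198.51.100.20", 6, 49152, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame(HOST_B, GW, "10.0.0.6", "10.0.0.1", 17, 53001, 53, b"\x12\x34"),  # DNS query
    ETH_HDR.pack(_mac("ff:ff:ff:ff:ff:ff"), _mac(HOST_B), 0x0806) + b"\x00" * 28,  # ARP: skipped
])

if __name__ == "__main__":
    for key, f in summarize_flows(SAMPLE_PCAP, mac=HOST_A).items():
        print(key, f["packets"], "packets", f["bytes"], "bytes", sorted(f["macs"]))
```

Filtering on HOST_A's MAC returns both directions of its web connection because the reply frames are addressed to that MAC by the gateway; the same filter on a capture taken beyond the gateway would find nothing, which is the segment-locality caveat above in practice.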

TCP/IP – For the correct routing of packets through the network (e.g., the Internet), every intermediate router keeps a routing table, and router state and logs can be a valuable source of information when investigating a digital crime. Tracing an attack back means reversing the path the packets took, following them hop by hop, to find the computer they came from (i.e., the source of the attacker). A caveat: the source address in an IP header is written by the sender and can be forged, so a source IP on its own does not identify the attacker's machine, and evidence from the routers or hosts along the path is needed to confirm it.

Another source of evidence on this layer is authentication logs. They show which account was associated with an activity and may reveal who the attacker was, or at least narrow the set of people who come into consideration as the attacker.
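
As an added example (not from the original article) of the correlation step, the following parses syslog-style sshd authentication lines and answers the two questions an investigator asks of them: which accounts logged in from a given source address shortly before some activity seen on the network, and which sources produced repeated failures. The log lines, hostnames, users and addresses are constructed here; the year is supplied by the caller because syslog timestamps omit it.

```python
"""Account/source correlation from sshd authentication logs (added example, standard library only)."""
import re
from collections import Counter
from datetime import datetime, timedelta

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) ")
SSHD_AUTH = re.compile(
    r"sshd\[(\d+)\]: (Accepted|Failed) (\w+) for (invalid user )?(\S+) from (\S+) port (\d+)")


def parse_auth_line(line, year):
    """Return an event dict for an sshd Accepted/Failed line, or None for anything else."""
    m_ts, m_ev = SYSLOG_TS.match(line), SSHD_AUTH.search(line)
    if not (m_ts and m_ev):
        return None
    mon, day, clock, host = m_ts.groups()
    pid, result, method, invalid, user, ip, port = m_ev.groups()
    return {
        "time": datetime.strptime(f"{year} {mon} {int(day)} {clock}", "%Y %b %d %H:%M:%S"),
        "host": host, "pid": int(pid), "success": result == "Accepted", "method": method,
        "user": user, "invalid_user": invalid is not None, "src_ip": ip, "src_port": int(port),
    }


def parse_auth_log(lines, year):
    return [e for e in (parse_auth_line(l, year) for l in lines) if e]


def _as_dt(t):
    return datetime.fromisoformat(t) if isinstance(t, str) else t


def candidate_actors(events, src_ip, activity_time, slack=timedelta(hours=1)):
    """Accounts with a successful login from src_ip within `slack` before activity_time.

    This narrows who could have been behind traffic seen from src_ip; it does not
    prove identity (shared accounts, stolen credentials and spoofing remain possible).
    """
    end = _as_dt(activity_time)
    start = end - slack
    return {e["user"] for e in events
            if e["success"] and e["src_ip"] == src_ip and start <= e["time"] <= end}


def sources_for_user(events, user):
    """Source addresses from which `user` successfully authenticated."""
    return {e["src_ip"] for e in events if e["success"] and e["user"] == user}


def failed_by_source(events):
    """Failed attempts per source address, a quick indicator of password guessing."""
    return Counter(e["src_ip"] for e in events if not e["success"])


# ---- constructed sample log (synthetic hosts, users and addresses) ----
SAMPLE_LOG = """\
Nov 14 22:13:01 gw sshd[4021]: Accepted publickey for alice from 10.0.0.5 port 49210 ssh2: RSA SHA256:c0ffee
Nov 14 22:13:40 gw sshd[4022]: Failed password for invalid user admin from 203.0.113.7 port 55000 ssh2
Nov 14 22:13:42 gw sshd[4022]: Failed password for invalid user admin from 203.0.113.7 port 55001 ssh2
Nov 14 22:13:45 gw sshd[4023]: Failed password for root from 203.0.113.7 port 55002 ssh2
Nov 14 22:14:10 gw sshd[4024]: Accepted password for bob from 10.0.0.6 port 50111 ssh2
Nov 14 22:20:00 gw CRON[4100]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
EVENTS = parse_auth_log(SAMPLE_LOG, year=2023)

if __name__ == "__main__":
    print("actors behind 10.0.0.5 at 22:30:", candidate_actors(EVENTS, "10.0.0.5", "2023-11-14T22:30:00"))
    print("failures per source:", dict(failed_by_source(EVENTS)))
```

The time window is the part worth tuning: too wide and every account that ever used the address becomes a candidate, too narrow and a session that was opened hours before the suspicious flow is missed; matching on the session's source port as well, where the flow record carries it, tightens the link further.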

The Internet – The internet can be a rich source of digital evidence including web browsing, email, newsgroup, synchronous chat and peer-to-peer traffic.

Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyze (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.
 
