Network Forensics: Lesson Plans
A forensic investigator who is analyzing computer equipment for possible evidence will search different locations for possible traces. We described in other chapters the types of evidence that can be found on disks or in operating systems. Some network or Internet traces can be found in Internet browsers’ history. From an OSI perspective, such information typically resides in the higher layers (i.e., layer 7). Network forensics focuses on searching, monitoring and/or analyzing network components (i.e., switches, routers, firewalls, wireless, and intrusion detection/prevention systems, IDS/IPS) for possible forensic evidence. In many cases, it is important to correlate information from a host with information collected from the network to make sure that the host or some of its artifacts were not tampered with by suspects or intruders.
We will divide this chapter based on those five previously mentioned components.