As this is the first week, we were introduced to what network forensics actually is. It can be defined as a branch of digital forensics whose objective mainly focuses on monitoring and analyzing network traffic for the purposes of information gathering, legal evidence, and intrusion detection. Although often confused with computer forensics, network forensics differs from it. In network forensics, the data changes in real time, and the lack of persistent data storage, where the evidence sometimes exists only in RAM, makes it difficult to find traces of attacks that have occurred before.
Network forensics is used to help identify what data was taken and which systems were affected, as well as to collect evidence against the attacker. There are 7 different evidence types, which are:
- Real (physical)
- Best (produced in court)
- Direct (eyewitness)
- Circumstantial (links with other evidence)
- Hearsay (second hand)
- Business records (routinely generated documentation)
- Digital (electronic)