Monthly Archives: January 2021

Week 2

In this session, we learned about Sources of Network-Based Evidence and Principles of Internetworking.

There are many different sources of network-based evidence, which are:

  1. On the wire
  2. In the air
  3. Switches
  4. Routers
  5. DHCP Server
  6. DNS Server
  7. Authentication Server
  8. NIDS/NIPS
  9. Firewalls
  10. Web Proxies
  11. Application Server
  12. Centralized Log Server
  13. Modem

On the wire refers to the physical cabling that carries data over the network. There are 3 different tap types, which are the vampire tap, the surreptitious fibre tap, and the infrastructure tap.

In the air refers to wireless station-to-station signals, captured over radio frequency or infrared, from which management and control frames, access point names, MAC addresses and traffic for analysis can be obtained.

Switches are the physical connection points between network segments; they can be used to capture and preserve network traffic by mirroring the traffic from one port to another.
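Two of the sources listed above, the DHCP server and the DNS server, are most useful when read together: the DHCP log says which MAC address held an IP address and when, and the DNS log says which IP address asked for which name. The following is an added example, not code from the original post; the log formats and every log line in it are constructed, and the join is done on IP address and time so that a query made after the lease changed hands is not attributed to the wrong host.

```python
# Added example (not from the original post); every log line below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
# DHCP server log: who held 10.0.0.25 and when. Note the IP is reused by a second MAC.
DHCP_LOG = """\
2021-01-12T08:00:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:01 lease=7200
2021-01-12T08:50:00 DHCPRELEASE 10.0.0.25 aa:bb:cc:00:00:01
2021-01-12T09:45:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:02 lease=3600
"""
# DNS server log: which IP asked for which name. The middle query falls in a gap.
DNS_LOG = """\
2021-01-12T08:15:10 query 10.0.0.25 update.example.org A
2021-01-12T09:10:00 query 10.0.0.25 orphan.example.org A
2021-01-12T10:02:33 query 10.0.0.25 files.example.net A
"""
@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime  # expiry; shortened when the client sends DHCPRELEASE

def parse_dhcp(text: str) -> list:
    """Turn DHCPACK/DHCPRELEASE lines into lease intervals."""
    leases = []
    for line in text.splitlines():
        ts, event, ip, mac, *rest = line.split()
        t = datetime.fromisoformat(ts)
        if event == "DHCPACK":
            secs = int(rest[0].split("=")[1])
            leases.append(Lease(ip, mac, t, t + timedelta(seconds=secs)))
        elif event == "DHCPRELEASE":
            for lease in leases:
                if lease.ip == ip and lease.mac == mac and lease.end > t:
                    lease.end = t
    return leases

def mac_for(leases: list, ip: str, at: datetime):
    """MAC that held `ip` at instant `at`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.mac
    return None

def attribute_dns(dhcp_text: str, dns_text: str) -> list:
    """(timestamp, queried name, MAC) per DNS query; MAC is None if unattributable."""
    leases = parse_dhcp(dhcp_text)
    rows = [line.split() for line in dns_text.splitlines()]
    return [(ts, name, mac_for(leases, ip, datetime.fromisoformat(ts)))
            for ts, _, ip, name, _ in rows]
```

Without honouring the DHCPRELEASE line, the 09:10 query would be wrongly attributed to the first MAC, whose lease would otherwise have run until 10:00; a query that no lease covers stays unattributed rather than being guessed.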

Week 1

As this is the first week, we were introduced to what network forensics actually is. It can be defined as a branch of digital forensics whose objective mainly focuses on monitoring and analyzing network traffic for the purposes of information gathering, legal evidence and intrusion detection. Although often confused with computer forensics, network forensics is different from computer forensics. In network forensics the data is changing in real time, and the lack of persistent data storage, where the evidence sometimes exists only in RAM, makes it difficult to find traces of attacks that have occurred before.

Network forensics is used to help identify what data was taken and which systems were affected, as well as to collect evidence against the attacker. There are 7 different evidence types, which are:

  1. Real (physical)
  2. Best (produced in court)
  3. Direct (eye witness)
  4. Circumstantial (links with other evidence)
  5. Hearsay (second hand)
  6. Business records (routinely generated documentation)
  7. Digital (electronic)