Chapter 13. Network Forensics

In This Chapter

  • Rooting network data collection

  • Hunting through networks and traffic

  • Speaking the language of networks

  • Picking the right network forensic tool

If computer forensics is a young field in the computer business, network forensics is in its infancy. Two changes have ignited the field: network forensic technology and methods are now understood by more than just hard-core network administrators, and storage has become affordable, so terabytes of captured traffic can be kept on a network without breaking the storage bank.

Networks carry high volumes of traffic, which makes network forensic investigations challenging. Finding the right network forensic tool for your specific situation may be difficult, but it's not impossible if you have the right guidance. Working with network forensic tools is a complex process, but they make your job easy (or at least easier) by automating most data acquisition tasks. You still need to know, and the judge expects you to know, the general principles behind what these tools do: what was captured, when, from where, and how you can show the capture has not changed since.

Just as computer forensics has its roots in data recovery, network forensics is rooted in network security and intrusion detection. Network forensics deals with data that changes from millisecond to millisecond. Investigations of cyberattacks or intrusions are network forensic investigations. The major challenge you face is how to contain the intrusion while preserving the evidence for later ...
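To make the "preserve the evidence" point concrete, here is an added example (not code from the book) of the two things a practitioner does with a capture file the moment it is acquired: record a SHA-256 digest for the chain-of-custody log, and parse the file to confirm it is well formed and to see what it actually holds. The pcap bytes, the addresses and the two packets are constructed in-process so the script runs offline; classic libpcap format with Ethernet frames is assumed, and pcapng is deliberately rejected rather than mis-parsed.

```python
import hashlib
import hmac
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap magic as written by a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same file written by a big-endian host
LINKTYPE_ETHERNET = 1
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_frame(src, dst, proto, payload):
    """Ethernet/IPv4 frame with constructed MACs; checksums left zero (test data only)."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def tcp_segment(sport, dport, flags):
    """20-byte TCP header, no options, no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples as a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def evidence_digest(data):
    """SHA-256 of the whole capture file; log this value at acquisition time."""
    return hashlib.sha256(data).hexdigest()


def verify_evidence(data, recorded_digest):
    """True only if the file still matches the digest recorded when it was acquired."""
    return hmac.compare_digest(evidence_digest(data), recorded_digest)


def decode_frame(frame):
    """Extract L3/L4 facts from one Ethernet frame; anything non-IPv4 is reported as such."""
    info = {"proto": "non-IPv4", "src_ip": None, "dst_ip": None, "src_port": None, "dst_port": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return info
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    info["proto"] = IPPROTO_NAMES.get(proto, str(proto))
    info["src_ip"] = socket.inet_ntoa(frame[26:30])
    info["dst_ip"] = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
        if proto == 6 and len(l4) >= 14:
            info["tcp_flags"] = l4[13]   # SYN=0x02, ACK=0x10, ...
    return info


def parse_pcap(data):
    """Parse a classic pcap; ValueError on a bad header or a truncated record."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    endian = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is decoded")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet data at offset %d" % (off + 16))
        off += 16 + incl_len
        rec = decode_frame(frame)
        rec["timestamp"] = ts_sec + ts_usec / 1e6
        rec["snapped"] = incl_len < orig_len   # capture tool cut the frame short (snaplen)
        records.append(rec)
    return records


def is_well_formed(data):
    try:
        parse_pcap(data)
        return True
    except ValueError:
        return False


# Constructed sample capture: a TCP SYN to SSH and a DNS query between placeholder hosts.
SAMPLE_CAPTURE = build_pcap([
    (1700000000, 120, ipv4_frame("10.0.0.5", "10.0.0.20", 6, tcp_segment(51000, 22, 0x02))),
    (1700000000, 980, ipv4_frame("10.0.0.5", "10.0.0.1", 17, udp_datagram(41000, 53, b"\x12\x34" + b"\x00" * 10))),
])

if __name__ == "__main__":
    digest = evidence_digest(SAMPLE_CAPTURE)
    print("sha256:", digest)
    for rec in parse_pcap(SAMPLE_CAPTURE):
        print(rec)
    print("verified:", verify_evidence(SAMPLE_CAPTURE, digest))
```

The digest is taken over the file exactly as acquired, before any tool opens it; re-running `verify_evidence` later is how you show the court that what you analysed is what you captured. The parser fails loudly on a truncated record rather than silently returning fewer packets, because a capture that stopped early is itself a fact the investigation needs to know.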
