Chapter 11. Performing Network Analysis

Network forensics, as you first read back in Chapter 1, deals with evidence that moves across one or more computer networks. It involves capturing, recording, and analyzing network events. Businesses are marketing advanced networking technologies, such as network-attached storage devices, firewalls, and Gigabit Ethernet, to home users today. Therefore, nearly any computer seized will have been used in a network environment of some type.

Network forensics can involve a variety of digital evidence, including information from router, NetFlow, and firewall logs. Forensics can also involve evidence from the logs of Internet service providers (ISPs), intrusion detection systems, and captured network traffic. ...
