The basics of network forensics consist of the definition of what it is, as well as how its associated parts relate to the broader forensic umbrella.
Network forensics is defined as the branch of digital forensics that relates to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, and/or intrusion detection. It can also be defined as the capture, recording, and analysis of network events to discover the source and nature of an attack.
Network forensics is also different from dead-box forensics. Dead-box forensics can be defined as a technique that analyzes data at rest after turning off a computer system and making an exact copy of a hard drive. Network forensics differs in a few major respects, namely that the data is changing in real time, which makes cross-referencing past events much harder. The lack of persistent data storage also makes it difficult to find traces of attacks that occurred in the past.
Network-related crime accounts for huge market losses, hence networks must be protected for business purposes lest organizations incur major losses.
7 different evidence types:
- real (physical)
- best (produced in court)
- direct (eye witness)
- circumstantial (links with other evidence)
- hearsay (second hand)
- business records (routinely generated documentation)
- digital (electronic)
OSCAR investigative methodology:
- Obtain information
- Strategize
- Collect evidence
- Analyze
- Report
TAARA investigative methodology:
- Trigger
- Acquire
- Analysis
- Report
- Action