Network Forensic Weekly Report

Week 1

This week, we learned about the introduction of network forensics.

Network forensics is a division of digital forensics. It mainly focuses on monitoring and analyzing network traffic. Its purposes are:

  • Intrusion Detection/Prevention
  • Information Gathering
  • Legal Evidence

The differences between computer forensics and network forensics:

Computer Forensics

  • Data does not change much in daily usage
  • Evidence is contained within the file system
  • Easy to perform a forensically sound acquisition
  • Seizing one or several computers would not make a deep impact on the business

Network Forensics

  • Data changes constantly
  • Evidence sometimes exists only in RAM
  • Most network devices do not have non-volatile storage
  • Taking network devices would be problematic

We need network forensics as a part of incident response to find out when an incident occurred, how long it lasted, what sensitive or confidential data was taken, how many systems were affected, and whether there is any ongoing incident. Network forensics is also needed to find the root cause of the incident and to collect evidence in order to bring justice.
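The incident-response questions listed above can be answered directly from flow records. The following is an added example, not part of the original report: the flow records, the suspect address `203.0.113.10` and the `summarize` function are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (not real data): start, end, src, dst, bytes sent by src.
FLOWS = [
    ("2024-03-04T09:15:00", "2024-03-04T09:15:40", "10.0.0.5", "203.0.113.10", 1200),
    ("2024-03-04T09:20:00", "2024-03-04T09:48:00", "10.0.0.5", "203.0.113.10", 48_000_000),
    ("2024-03-04T10:02:00", "2024-03-04T10:03:00", "10.0.0.8", "198.51.100.7", 5000),
    ("2024-03-05T22:30:00", "2024-03-05T23:10:00", "10.0.0.9", "203.0.113.10", 7_500_000),
    ("2024-03-06T11:55:00", "2024-03-06T11:58:00", "10.0.0.5", "203.0.113.10", 300_000),
]

def summarize(flows, suspect_ip, now, ongoing_window=timedelta(hours=1)):
    """Answer the incident-response questions for traffic to one suspect address."""
    hits = [
        (datetime.fromisoformat(s), datetime.fromisoformat(e), src, sent)
        for s, e, src, dst, sent in flows
        if dst == suspect_ip
    ]
    if not hits:
        return None  # no evidence of contact in this capture
    first_seen = min(h[0] for h in hits)
    last_seen = max(h[1] for h in hits)
    per_host = {}
    for _, _, src, sent in hits:
        per_host[src] = per_host.get(src, 0) + sent
    return {
        "first_seen": first_seen,                      # when did the incident occur?
        "duration": last_seen - first_seen,            # how long did it last?
        "bytes_out": sum(per_host.values()),           # upper bound on data taken
        "affected_hosts": sorted(per_host),            # how many systems were affected?
        "ongoing": now - last_seen <= ongoing_window,  # is there an ongoing incident?
    }

if __name__ == "__main__":
    report = summarize(FLOWS, "203.0.113.10", datetime(2024, 3, 6, 12, 30))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Flow records give only byte counts, so `bytes_out` bounds how much data left the network; identifying what the data was requires full packet capture or host evidence.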

The investigative methodologies of network forensics are OSCAR and TAARA. With these methodologies, investigators can perform network forensics and achieve investigation goals.
