Traditionally, computer forensic investigations focused exclusively on data from the seized media associated with a system of interest. Recently, memory analysis has become an integral part of forensic analysis, resulting in a new and significantly different way for digital examiners and investigators to perform their craft.
Now another evolution in computer forensics is at hand - one that includes data collected from network devices as well as the from wires themselves. Every day, more and more network-enabled products hit the market. Incorporating network data from those devices during the analytic process is critical for providing a complete understanding of the event under investigation. Even in traditional data-at-rest examinations, the network may hold the only clues left behind by a diligent attacker that has covered his or her tracks.
We’ll discuss how network-based evidence can support traditional data-at-rest computer forensic analysis. Other topics will include the sources and methodologies for collecting network evidence. By knowing what existing data to ask for and what additional data to collect during an investigation, we can provide a more comprehensive analysis of the event at hand.