Network Evidence Collection

The traditional focus of digital forensics has been to locate evidence on the host hard drive. Law enforcement officers investigating criminal activity such as fraud or child exploitation can find the vast majority of the evidence required for prosecution on a single hard drive. In incident response, though, it is critical that the focus extends well beyond the single suspected compromised system. For example, there is a wealth of information to be obtained at the points along the path that traffic takes from a compromised host to an external C2 server.

This chapter focuses on the preparation, identification, and collection of evidence that is commonly found on network devices and along the traffic routes within an internal network. This collection is critical during an incident in which an external threat actor is commanding internal systems or is in the process of exfiltrating data out of the network. Network-based evidence is also useful when examining host evidence, as it provides a second, independent source of event corroboration, which is extremely useful in determining the root cause of an incident.
