Defining network forensics

What exactly is network forensics?

As per National Institute of Standards and Technology (NIST), Digital forensics, also known as computer and network forensics, has many definitions. Generally, it is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.

Refer to http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf for more information.

As per WhatIs.com, network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

Broadly speaking, network forensics, in most people's perception, involves the CIA process. In this case, CIA stands for the following:

• Capture (capture packets)
• Identify (identify packets based on certain filtering criterion, such as date and time)
• Analyze (both known and unknown packets to understand what's going on)

The following image illustrates this:

Broadly speaking, network forensics is the subset of digital forensics that deals with the investigation of events and activities related to digital networks. This involves monitoring and capturing network traffic and its related data from devices on the network with the objective of gathering evidence in a manner that is acceptable in the court of law.