Network forensics
Introduction
Network forensics is the capture, recording and analysis of traffic passing over a computer network. It is carried out to detect a network attack while it is in progress, to gather evidence as part of a police or security-service investigation, or to monitor the network to make sure it is performing as it should. Unlike data held on disk, network traffic is volatile: a packet is on the wire one moment and gone the next, so every network forensics method needs some way of capturing packets as they pass. There are two main approaches to network forensics.
Catch-it-as-you-can
This approach copies every packet that passes a particular point on the network and saves it to storage, where it can be analysed later. It needs a large amount of storage, and it is particularly invasive, because it records the whole of every packet, including the users' own data, so the privacy and legal implications of keeping that data have to be considered.
Stop, look and listen
This approach examines each packet in memory as it passes a point and carries out a brief analysis of it. Only packets that look interesting are saved to storage, where they can be analysed in more depth. It uses far less storage than the catch-it-as-you-can approach, but it needs a fast processor to keep up with the volume of packets that must be examined, and any packet it discards cannot be recovered afterwards.
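The two approaches above, side by side, as an added example that is not part of the original article: a toy capture pipeline that feeds the same constructed traffic through a catch-it-as-you-can store and a stop-look-and-listen filter and compares what each one writes to storage. The packet format (a minimal IPv4 header followed by a minimal TCP header, no Ethernet frame, checksums left zero), the allow-listed ports and the payload markers used to decide what is "interesting" are all assumptions made for the example.

```python
"""Added example: catch-it-as-you-can versus stop, look and listen.

Assumptions (not from the article): packets are raw IPv4+TCP with no
Ethernet header; a packet is "interesting" if it is a SYN to a port outside
a small allow-list, or its payload contains a suspicious marker.
"""
import struct
from dataclasses import dataclass

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # minimal IPv4 header, 20 bytes
TCP_HDR = struct.Struct("!HHIIBBHHH")    # minimal TCP header, 20 bytes
SYN = 0x02
PSH_ACK = 0x18

ALLOWED_PORTS = {80, 443}                # assumed allow-list of expected services
MARKERS = (b"/etc/passwd", b"cmd.exe")   # assumed payload strings worth a second look


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Serialise a minimal IPv4+TCP packet (constructed sample input)."""
    total_len = IP_HDR.size + TCP_HDR.size + len(payload)
    ip = IP_HDR.pack(0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = TCP_HDR.pack(sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_packet(raw: bytes) -> Packet:
    """Decode just enough of the headers to make a capture decision."""
    ver_ihl, _, _, _, _, _, proto, _, s, d = IP_HDR.unpack_from(raw, 0)
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, _, _, off, flags, _, _, _ = TCP_HDR.unpack_from(raw, ihl)
    data_off = (off >> 4) * 4
    return Packet(".".join(map(str, s)), ".".join(map(str, d)),
                  sport, dport, flags, raw[ihl + data_off:])


def catch_it_as_you_can(stream):
    """Copy every packet in full, user data included; analysis happens later."""
    return [raw for raw in stream]


def is_interesting(pkt: Packet) -> bool:
    """The brief per-packet analysis that stop-look-listen runs on every packet."""
    if pkt.flags & SYN and pkt.dport not in ALLOWED_PORTS:
        return True
    return any(marker in pkt.payload for marker in MARKERS)


def stop_look_listen(stream):
    """Parse each packet once in memory and keep only the interesting ones.

    The trade-off from the article is visible here: every packet costs CPU to
    parse and classify, but only a subset costs storage, and a packet that is
    dropped is gone for good.
    """
    return [raw for raw in stream if is_interesting(parse_packet(raw))]


def compare(stream):
    """Return how many packets and bytes each approach commits to storage."""
    full = catch_it_as_you_can(stream)
    selected = stop_look_listen(stream)
    return {
        "full_packets": len(full),
        "full_bytes": sum(map(len, full)),
        "selected_packets": len(selected),
        "selected_bytes": sum(map(len, selected)),
    }


# Constructed sample traffic: two benign flows, two suspicious packets, one SYN
# to an allow-listed port.
SAMPLE_STREAM = [
    build_packet("10.0.0.5", "93.184.216.34", 51000, 80, PSH_ACK,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet("10.0.0.9", "10.0.0.1", 44321, 22, SYN),
    build_packet("10.0.0.5", "93.184.216.34", 51001, 443, PSH_ACK,
                 b"\x17\x03\x03\x00\x20" + b"\x00" * 32),
    build_packet("10.0.0.7", "10.0.0.20", 40212, 80, PSH_ACK,
                 b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    build_packet("10.0.0.5", "93.184.216.34", 51002, 443, SYN),
]

if __name__ == "__main__":
    print(compare(SAMPLE_STREAM))
    for raw in stop_look_listen(SAMPLE_STREAM):
        print("kept:", parse_packet(raw))
```

Running the module shows the full store holding all five packets while the filter keeps only the SSH SYN and the path-traversal request; the benign HTTP and TLS payloads, which the catch-it-as-you-can store records verbatim, never reach disk in the second approach.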