Most of the time when you are doing different types of forensics work, you analyze different types of data stored in different ways – hard drives, RAM, flash storage and so on. With network forensics it is a bit different, because normally you don't leave any stored data just by using the network. No files are stored, and there is minimal evidence to be collected from unwanted traffic on the network alone. Now, what the intruder does once inside the network can leave plenty of evidence, such as data manipulation or theft. But the network side of things, and the investigation of it, does not leave much data to be extracted.
Unless, of course, you have network logs. That is where the forensics part comes into play: without logs and audit files, there is not really a lot of investigation to do.
Unfortunately, recording network traffic can result in an enormous amount of log lines. It is estimated that your average business produces roughly 90 million lines of data traffic every day. Thankfully we have a variety of systems that help us detect intrusions when they happen (like IDS or smart systems), and also systems that help us investigate after the incident has happened.
But when it comes to network forensics, what is the most important thing to remember? Make sure that you have synchronized time. Otherwise there will be no way of knowing when the attack happened, or of comparing it to other incidents on the network.
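To show why synchronized time matters when correlating logs from different devices, here is an added example (not code from the original post) that merges constructed firewall and web server log lines into one timeline. The host names, addresses and the 95-second clock skew of `web01` are assumptions for the illustration.

```python
"""Added example: build one timeline from two devices' logs, correcting
a known clock offset. All log lines and hosts below are constructed."""
from datetime import datetime, timedelta

# Constructed sample logs. For this example, web01's clock is assumed
# to run 95 seconds fast relative to the firewall (and true time).
FIREWALL_LOG = """\
2024-03-01T10:00:05Z fw01 ACCEPT 203.0.113.7:51234 -> 192.0.2.10:443
2024-03-01T10:00:41Z fw01 ACCEPT 203.0.113.7:51290 -> 192.0.2.10:443
"""
WEBSERVER_LOG = """\
2024-03-01T10:01:42Z web01 GET /login 401 from 203.0.113.7
2024-03-01T10:02:18Z web01 GET /admin 200 from 203.0.113.7
"""
# Offset per host, measured against a trusted reference (e.g. NTP server).
CLOCK_OFFSETS = {"fw01": timedelta(0), "web01": timedelta(seconds=95)}


def parse_line(line):
    """Split '<timestamp> <host> <message>' into (datetime, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg


def build_timeline(*logs, offsets=None):
    """Return events sorted by corrected time as (timestamp, host, message).

    A positive offset means the host's clock is fast, so it is subtracted
    to pull the event back to true time. With no offsets given, the raw
    (possibly skewed) timestamps are used as-is.
    """
    offsets = offsets or {}
    events = []
    for log in logs:
        for line in log.splitlines():
            if not line.strip():
                continue
            ts, host, msg = parse_line(line)
            events.append((ts - offsets.get(host, timedelta(0)), host, msg))
    return sorted(events)


if __name__ == "__main__":
    print("Raw timestamps (web01 skewed):")
    for ts, host, msg in build_timeline(FIREWALL_LOG, WEBSERVER_LOG):
        print(" ", ts.isoformat(), host, msg)
    print("Corrected timeline:")
    for ts, host, msg in build_timeline(FIREWALL_LOG, WEBSERVER_LOG,
                                        offsets=CLOCK_OFFSETS):
        print(" ", ts.isoformat(), host, msg)
```

With raw timestamps both web requests appear to follow the second firewall connection; after correction the `/login` request lines up with the first connection and `/admin` with the second, which is the ordering an investigator needs.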