The things learned from this session:
- The definition and purpose of network forensics. Network forensics focuses on the analysis of monitored network traffic. Its purposes are intrusion detection and prevention, information gathering, and the collection of legal evidence.
- Some of the differences between computer and network forensics. The first difference is that in network forensics the data usually changes constantly, which is not the case in computer forensics. Moreover, in network forensics the data is often held only in volatile memory such as RAM, making it difficult to acquire evidence. Lastly, seizing network devices may prove problematic for an organization, since it can affect other devices as well; by contrast, in computer forensics, taking a single computer generally does not affect the company in the same way. The categories of evidence include real evidence and best evidence. Examples of real evidence are the murder weapon, a fingerprint, a physical HDD, etc., while examples of best evidence include a photo of a crime scene, a copy of a signed document, etc.
- The two types of investigative methods. The first is OSCAR and the second is TAARA. OSCAR stands for Obtain information, Strategize, Collect evidence, Analyze, and lastly Report, while TAARA stands for Trigger, Acquire, Analyze, Report, and Action.