Network Forensic – Week 2

This week, we learned about the sources of network-based evidence such as:

  • On the wire: the physical cabling that carries data across the network; tapping it can provide real-time network data.
  • In the air: wireless signals between stations (radio frequency, infrared); from these one can gather access points and MAC addresses.
  • Switches: physically connect network segments; can capture and preserve network traffic.
  • Routers: connect traffic between networks or subnets; can function as a packet sniffer and for intrusion detection.
  • DHCP server: assigns IP addresses automatically to LAN stations; can provide the IP address and MAC address of the requesting device.
  • DNS server: maps IP addresses to host names; its logs can be used to create a timeline of suspect activity.
  • NIDS/NIPS: monitor network traffic in real time; provide timely information.
  • Centralized log server: combines event logs from various sources; can identify and respond to network security events, preserves data if one server is compromised, etc.
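The DHCP and DNS items above are most useful together: a DHCP lease log says which MAC address held an IP at a given time, and a DNS query log says what that IP looked up. As an added example (not from the course or the original post), the Python below correlates the two into an attributed timeline; the log formats and every address, name and timestamp are constructed.

```python
import re
from datetime import datetime

# Constructed sample logs (not a real capture): DHCP ACKs in an ISC dhcpd-like
# format, and DNS client queries in a BIND-like format. The same IP is leased
# to two different MACs 30 minutes apart, which is why time matters.
DHCP_LOG = """\
2024-03-05 09:00:12 DHCPACK on 10.0.0.21 to aa:bb:cc:dd:ee:01 (laptop-01)
2024-03-05 09:30:45 DHCPACK on 10.0.0.21 to aa:bb:cc:dd:ee:02 (laptop-02)
2024-03-05 10:15:00 DHCPACK on 10.0.0.22 to aa:bb:cc:dd:ee:03 (printer)
"""
DNS_LOG = """\
2024-03-05 09:05:01 client 10.0.0.21 query: update.example.com
2024-03-05 09:40:10 client 10.0.0.21 query: files.example.net
2024-03-05 10:20:33 client 10.0.0.22 query: printer.example.com
2024-03-05 08:59:00 client 10.0.0.22 query: early.example.org
"""

DHCP_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to (\S+)")
DNS_RE = re.compile(r"^(\S+ \S+) client (\S+) query: (\S+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_leases(text):
    """Return (ack_time, ip, mac) tuples sorted by time."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append((datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)))
    return sorted(leases)

def mac_for(ip, at, leases):
    """MAC holding `ip` at time `at`: the latest ACK for that IP not after `at`.
    None means the DHCP log has no lease covering the event, so attribution is unknown."""
    owner = None
    for ack_time, lease_ip, mac in leases:  # leases are time-sorted
        if lease_ip == ip and ack_time <= at:
            owner = mac
    return owner

def build_timeline(dhcp_text, dns_text):
    """Attribute each DNS query to the MAC that leased the client IP at that moment."""
    leases = parse_leases(dhcp_text)
    timeline = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            at = datetime.strptime(m.group(1), TS_FMT)
            timeline.append((at, m.group(2), mac_for(m.group(2), at, leases), m.group(3)))
    return sorted(timeline)
```

The query at 09:40 resolves to the second laptop even though the IP is the same as at 09:05, and the 08:59 query stays unattributed because no lease in the log covers it; both cases are where a naive IP-to-MAC lookup would mislead an investigation.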

Internetworking is the process of connecting different networks using devices such as routers, so that networks owned and operated by different entities can communicate with each other using the Internet routing protocol and common data communication standards.

The Internet protocol suite that forensic investigators must know is the TCP/IP model, which consists of four layers: Application, Transport, Internet, and Network Access. They must also have a clear understanding of flow record analysis, packet analysis, and web proxy dissection.

This entry was posted in Network Forensics.
