Chapter 9. Incorporating Network Forensics into Incident Response Plans
Information in This Chapter
In traditional computer-forensics settings, the evidence you seek is contained in one or more computers of interest. For network forensics, the evidence may reside in dynamic traffic (as it transits a network), routers, switches, firewalls, intrusion detection systems (IDSs), workstations, enterprise log servers, cell phones, or in the cloud. In addition, you may need to collect information from the network infrastructure (Dynamic Host Configuration Protocol [DHCP], domain name system [DNS], network address translator [NAT]) to complete your ...
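The paragraph above notes that an address seen in traffic, on a firewall, or in an IDS alert usually has to be tied back to DHCP records before it identifies a host. The following is an added example (not from the book) of that correlation; the dhcpd-style log lines, addresses, MACs and hostnames are all constructed.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample DHCP server log (simplified dhcpd-style lines; not from the book).
DHCP_LOG = """\
2024-03-01 08:00:12 DHCPACK on 10.1.5.23 to aa:bb:cc:dd:ee:01 (ws-alice) via eth0
2024-03-01 12:30:45 DHCPACK on 10.1.5.23 to aa:bb:cc:dd:ee:02 (ws-bob) via eth0
2024-03-01 15:10:03 DHCPACK on 10.1.5.40 to aa:bb:cc:dd:ee:03 (ws-carol) via eth0
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
LEASE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?"
)

Lease = Tuple[datetime, str, str, str]  # (granted_at, ip, mac, hostname)


def parse_dhcp_log(text: str) -> List[Lease]:
    """Extract DHCPACK grants from the log, oldest first; other lines are skipped."""
    leases: List[Lease] = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # DHCPDISCOVER/REQUEST/NAK and unrelated noise
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        leases.append((ts, m.group("ip"), m.group("mac"), m.group("host") or ""))
    leases.sort(key=lambda l: l[0])
    return leases


def attribute_ip(leases: List[Lease], ip: str, when: str) -> Optional[Tuple[str, str]]:
    """Return (mac, hostname) that held `ip` at `when` ("YYYY-MM-DD HH:MM:SS"):
    the latest DHCPACK for that IP at or before that moment, or None if unknown.
    Caveat: only grants are seen here; releases and expiry are not modelled, so
    confirm against the lease database or switch MAC tables before acting on it."""
    moment = datetime.strptime(when, TS_FMT)
    best = None
    for ts, lease_ip, mac, host in leases:
        if lease_ip == ip and ts <= moment:
            best = (mac, host)  # list is sorted, so the last hit is the latest grant
    return best


if __name__ == "__main__":
    # Constructed IDS alert: suspicious traffic from 10.1.5.23 at 13:05 on 1 March.
    print(attribute_ip(parse_dhcp_log(DHCP_LOG), "10.1.5.23", "2024-03-01 13:05:00"))
```

The same address maps to two different workstations on the same day, which is why an IDS alert's IP alone is not enough to name the host.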