7 Internet Forensics

Petter Christian Bjelland

Ernst & Young AS, Oslo, Norway

A digital forensics expert will sooner or later deal with evidence from network infrastructure and remote endpoints. In the literature, this is commonly referred to as network forensics and Internet forensics. Network forensics relates to the examination of infrastructure that is to a large extent under the control of the investigator (e.g., an internal company network), whereas Internet forensics relates to the examination of infrastructure outside one's control, such as servers in other countries. While many techniques are similar in both cases, this chapter focuses on forensic examination of artifacts found on and through the Internet.

Internet forensics applies to both investigations of crimes committed on the Internet and investigations of crimes committed with the Internet. The former includes crimes such as computer intrusion, denial-of-service attacks, and bank fraud. The latter includes crimes such as identity theft, extortion, and money laundering. Furthermore, because of the networked nature of the Internet, we essentially have three crime scenes to consider during our examinations: the adversary, the victim, and the infrastructure between them.

A forensic investigator will often have access to one environment, either that of the perpetrator or that of the victim. In the term ‘environment’, we include both the endpoint computers and the local network they are connected to. The investigator will ...
