Chapter 16: Digital Evidence on Physical and Data-Link Layers


Overview

The physical and data-link layers provide the foundation for everything else on a network. The physical layer is the medium that carries data - such as the cables, radio waves, microwaves, or lasers. The data-link layer joins a computer with the physical layer, and includes the transmission method (e.g. CSMA/CD) as mentioned in Chapter 14. Network Interface Cards (NICs) are part of the data-link layer - connecting computers to the network cables. Each NIC has a unique address (its MAC address) that can be used to determine which host was used to commit a crime.

Network eavesdropping is the most common approach to gathering digital evidence on the data-link and physical layers. With the help of a network monitoring tool (a sniffer), investigators and criminals can capture large amounts of information as it travels through a network. This approach to collecting network traffic is comparable to making a bitstream copy of a hard drive - a sniffer can capture every byte transmitted on the network. As with any bitstream copy, files and other useful digital evidence can be extracted from network traffic using specialized tools. For example, digital investigators can use a sniffer to monitor a computer intruder or child pornographer on a network and recover toolkits, images, e-mail attachments, IRC communications with cohorts, and anything else the offenders transmitted on the network.

Equipment and programs for collecting digital evidence on the physical layer are discussed in this chapter. Although this network traffic resides at the physical layer, it contains data relating to the other network layers like TCP/IP and HTTP traffic (recall Figure 14.12). Therefore, to interpret captured network traffic it is necessary to have a solid understanding of the network, transport, and application layers. Tools for interpreting network traffic are presented in this chapter and the other network layers are discussed in more detail in Chapters 17 and 18.

Routers and other network devices also store data relating to the data-link layer such as MAC addresses. These addresses can indicate which computer was used to commit a crime. Although a MAC address is usually directly associated with the NIC in a computer, on many systems it can be changed to any value. This chapter describes where this information is stored and how it can be collected.
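The following Python program is an added illustration of the points made in the paragraphs above; it is not code from the book. It writes a few constructed Ethernet frames into an in-memory capture in the classic libpcap file format (the format a sniffer typically saves), decodes the data-link header of each frame to recover source and destination MAC addresses, and then tallies which addresses transmitted and received. Because a MAC address can be changed in software, the summary also reports the "locally administered" bit of each address (bit 0x02 of the first octet), which is set when an address was assigned by the operating system rather than burned in by the manufacturer; this is a useful flag for an examiner, though not proof of tampering. The frames and addresses are constructed for the example.

```python
import struct
from collections import defaultdict

# Classic libpcap file format: 24-byte global header, then 16-byte record
# headers each followed by one captured frame. Magic value identifies byte order.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1
ETHER_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def mac_str(raw):
    """Render six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac(text):
    """Inverse of mac_str: 'aa:bb:cc:dd:ee:ff' -> six bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, ethertype, payload):
    """Assemble an Ethernet II frame: dst, src, big-endian EtherType, payload."""
    return parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + payload


def build_pcap(frames, start_ts=1_000_000_000):
    """Serialise frames as a little-endian pcap file held in memory."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def parse_pcap(data):
    """Walk the pcap records and decode the Ethernet header of each frame."""
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unsupported magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    frames, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        raw = data[offset:offset + incl_len]
        offset += incl_len
        if len(raw) < ETHER_HDR_LEN:
            continue  # truncated record: no data-link header to decode
        frames.append({
            "ts": ts_sec + ts_usec / 1e6,
            "dst": mac_str(raw[0:6]),
            "src": mac_str(raw[6:12]),
            "ethertype": struct.unpack("!H", raw[12:14])[0],
            "payload": raw[ETHER_HDR_LEN:],
        })
    return frames


def summarize_macs(frames):
    """Per-MAC frame counts plus the two address-type bits of the first octet:
    bit 0x01 = multicast/broadcast, bit 0x02 = locally administered (software-assigned)."""
    summary = defaultdict(lambda: {"tx": 0, "rx": 0, "locally_administered": False, "multicast": False})
    for frame in frames:
        for role, mac in (("tx", frame["src"]), ("rx", frame["dst"])):
            first_octet = int(mac[:2], 16)
            entry = summary[mac]
            entry[role] += 1
            entry["locally_administered"] = bool(first_octet & 0x02)
            entry["multicast"] = bool(first_octet & 0x01)
    return dict(summary)


# Constructed sample traffic (not a real capture): an ARP broadcast from a
# manufacturer-assigned MAC, then an IPv4 frame from a locally administered MAC.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00" * 28),
    build_frame("00:11:22:33:44:55", "02:00:00:aa:bb:cc", 0x0800, b"\x45" + b"\x00" * 19),
]


def demo():
    """Round-trip the sample frames through the pcap writer and reader."""
    return summarize_macs(parse_pcap(build_pcap(SAMPLE_FRAMES)))


if __name__ == "__main__":
    for mac, info in demo().items():
        print(mac, info)
```

Replacing `build_pcap(SAMPLE_FRAMES)` with the bytes of a real capture file (`open("capture.pcap", "rb").read()`) runs the same decoding over genuine traffic; the MAC summary then gives the data-link view of which hosts spoke, and the EtherType field is the hand-off point to the network-layer analysis covered in the following chapters.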

The most effective way to learn about the data-link layer as a source of evidence is to examine a specific example in detail. This chapter describes Ethernet in detail to provide a sense of how a network technology functions. Ethernet is a good example because it is one of the most widely used network technologies. Also, a familiarity with Ethernet makes it easier to understand how other network technologies operate - the 802.11 protocols are based on Ethernet. To highlight the similarities and differences between Ethernet and other network technologies, Ethernet is briefly compared to Asynchronous Transfer Mode (ATM). ATM is quickly becoming the standard for large-scale high-speed networking.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
