16.6 Summary

The physical and data-link layers are one of the richest sources of digital evidence on a network. Data-link layer addresses (MAC addresses) are more identifying than network layer addresses (e.g. IP addresses) because a MAC address is normally tied to the Network Interface Card in a particular computer (it can be changed in software, but this is the exception), whereas an IP address can be easily reassigned to a different computer. Eavesdropping can provide a large amount of evidence that gives investigators a detailed view of what a criminal is doing. Data captured using a sniffer is also very useful for reconstructing a crime or for verifying that other sources of digital evidence are accurate. For example, if the accuracy of log files that summarize events is in doubt, data captured using a sniffer can be used to corroborate or contradict entries in the logs.

Until recently, logs of activities at the physical and data-link layers were rarely kept. Logging every piece of information that passes through a network, including all of the ARP requests and replies, can result in very large log files. However, as disk space becomes cheaper and monitoring tools like Argus mature, more organizations are retaining such logs. Without these kinds of logs, it is more difficult to obtain digital evidence from the physical and data-link layers because most of the data are transient: the ARP cache on many systems expires entries after a matter of minutes (20 minutes is a common default), DHCP database entries are regularly overwritten, and data traveling through the network is only available for capture for a fraction of a second.
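The two points above (that MAC-to-IP pairings seen on the wire are transient unless someone records them, and that captured traffic can corroborate or contradict other logs) can be made concrete with a small parser. The following is an added example written for this summary; it is not code from the book or from any tool it mentions. It decodes Ethernet II/ARP frames with the standard library, keeps a persistent record of every sender MAC/IP pairing with a timestamp, flags two things an investigator would want to see (an IP address that changes MAC, and an ARP sender address that does not match the frame's source address), and then answers the question "does the capture support the claim that IP X was at MAC Y around time T?". All frames, timestamps, MAC and IP addresses are constructed for the example; the helper names (`build_arp_frame`, `build_arp_log`, `corroborate`) are this example's own.

```python
"""Turn raw ARP frames into a persistent evidence log and cross-check a
claim from another log source against it (illustrative example)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_LAYOUT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa (28 bytes)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_LAYOUT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_src": mac_str(src), "eth_dst": mac_str(dst),
        "op": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Constructed test frame (not captured traffic). eth_src lets the Ethernet
    source differ from the ARP sender address, as a spoofing tool might do."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda a: bytes(int(x) for x in a.split("."))
    dst = b"\xff" * 6 if op == 1 else to_mac(target_mac)
    eth = struct.pack("!6s6sH", dst, to_mac(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_LAYOUT, 1, 0x0800, 6, 4, op,
                      to_mac(sender_mac), to_ip(sender_ip), to_mac(target_mac), to_ip(target_ip))
    return eth + arp


def build_arp_log(capture):
    """capture: iterable of (unix_timestamp, raw_frame). Returns (records, alerts).
    Every ARP frame becomes a timestamped record so the pairing survives cache expiry;
    alerts are (ts, kind, detail) for pairings an examiner should look at."""
    records, alerts, last_mac = [], [], {}
    for ts, frame in capture:
        arp = parse_arp_frame(frame)
        if arp is None:
            continue                     # non-ARP traffic is out of scope here
        records.append({"ts": ts, **arp})
        if arp["sender_mac"] != arp["eth_src"]:
            alerts.append((ts, "mac-mismatch",
                           f"ARP sender {arp['sender_mac']} != frame source {arp['eth_src']}"))
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":              # address-conflict probe, carries no pairing
            continue
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append((ts, "ip-moved", f"{ip} was {last_mac[ip]}, now {mac}"))
        last_mac[ip] = mac
    return records, alerts


def corroborate(records, ip, mac, ts, window=1200):
    """Check a claim from another source (e.g. a server log saying 'ip belonged to mac')
    against ARP records within +/- window seconds (default 20 min, a typical ARP lifetime)."""
    nearby = [r for r in records if r["sender_ip"] == ip and abs(r["ts"] - ts) <= window]
    if not nearby:
        return "no data"
    return "supported" if all(r["sender_mac"] == mac for r in nearby) else "contradicted"


# Constructed capture: host A asks for the gateway, the gateway answers; later the
# same IP is claimed by host B, and a reply for the gateway arrives in a frame
# whose Ethernet source is a third card.
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
GATEWAY, ROGUE = "de:ad:be:ef:00:01", "cc:cc:cc:cc:cc:03"
ZERO = "00:00:00:00:00:00"
SAMPLE_CAPTURE = [
    (1000, build_arp_frame(1, HOST_A, "10.0.0.5", ZERO, "10.0.0.1")),
    (1001, build_arp_frame(2, GATEWAY, "10.0.0.1", HOST_A, "10.0.0.5")),
    (1500, b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40),          # IPv4 frame, skipped
    (3000, build_arp_frame(1, HOST_B, "10.0.0.5", ZERO, "10.0.0.1")),
    (3010, build_arp_frame(2, GATEWAY, "10.0.0.1", HOST_B, "10.0.0.5", eth_src=ROGUE)),
]

if __name__ == "__main__":
    recs, alerts = build_arp_log(SAMPLE_CAPTURE)
    for r in recs:
        print(r["ts"], r["op"], r["sender_ip"], "is-at", r["sender_mac"], "(frame from", r["eth_src"] + ")")
    for a in alerts:
        print("ALERT", *a)
    print(corroborate(recs, "10.0.0.5", HOST_A, 1010))   # server log claim at t=1010
    print(corroborate(recs, "10.0.0.5", HOST_A, 3005))   # same claim at t=3005
```

The `corroborate` window is the point of the exercise: a pairing that was true at one moment may be false twenty minutes later, so a claim from a higher-layer log is only as good as the link-layer records that bracket it in time. On a real capture the frames would come from a pcap reader rather than `SAMPLE_CAPTURE`, and an ARP log retained by a tool such as Argus would play the role of `records`.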

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279