Chapter 14: Network Basics for Digital Investigators

Overview

Until recently, it was sufficient to look at individual computers as isolated objects containing digital evidence. Computing was disk-centered - collecting a computer and several disks would assure collection of all relevant digital evidence. Today, however, computing has become network-centered as more people rely on e-mail, e-commerce, and other network resources. It is no longer adequate to think about computers in isolation since many of them are connected together using various network technologies. Digital investigators examiners must become skilled at following the cybertrail to find related digital evidence on the public Internet, private networks, and other commercial systems. An understanding of the technology involved will enable digital investigators to recognize, collect, preserve, examine and analyze evidence related to crimes involving networks.

When a crime just involves e-mail, an understanding of network protocols is useful but not essential - digital investigators might only require a basic understanding of e-mail to perform an effective investigation. However, most crimes involving networks require digital investigators to be familiar with the underlying technology. Sources of digital evidence on networks include server logs, contents of network devices, and traffic on both wired and wireless networks. An understanding of these technologies is necessary to track down unknown offenders via networks and attribute criminal activity to them. For instance, to investigate computer intrusions effectively, a solid understanding of TCP/IP and the operating system(s) involved is required. At the very least, digital investigators need a basic understanding of networks to interpret digital evidence found on personal computers such as e-mail, Web browser history, and file transfer.

When digital investigators do not have access to a key computer, it is necessary to reconstruct events using only evidence on networks. In a number of cases, sexual predators have persuaded their victims to destroy evidence by removing and disposing of their hard drive before leaving their home to meet the offender. Sources of evidence on the Internet that may reveal whom the victim was communicating with include e-mail and log files on the victim's Internet Service Provider's systems and backup tapes. Additionally, mobile telephone records may help determine whom the victim was communicating with and where he/she went. When a suspect claims that he/she does not have a home computer, credit card billing records, telephone records, and ISP logs may show that the suspect has a home computer and may contain clues of its current whereabouts.

This chapter provides an overview of networks and goes on to describe how these different networks are joined together to form the seemingly homogeneous Internet.^[1] This chapter ends with an overview of crimes that occur at different levels of networks. Subsequent chapters go into more detail, discussing network layers.

^[1]The word internet is used in lowercase when referring to any connection of dissimilar networks using an internet protocol like TCP/IP The Internet (capitalized) refers specifically to the global network of interconnected networks.