Connecting computers together is inherently risky. An individual can gain unauthorized access to a distant network. Anyone can intercept transmissions between networks. Additionally, connecting networks enables individuals, including criminals, to communicate in ways that were not possible before, resulting in a new set of problems. However, for every disadvantage there is an equal and opposite advantage. With the proper authority and precautions, digital investigators can gain access to and collect evidence from distant networks. Digital investigators can intercept digital evidence as it travels over a network, and computer networks enable digital investigators to communicate with each other and observe criminal activity and communication like never before.
The ultimate challenge for digital investigators is to follow cybertrails swiftly and thoroughly to find pockets of evidence before they are lost forever. This is challenging not only because evidence on a network is distributed and dynamic, but also because every network is different, with unique combinations of hardware and software. Many networks have grown by a process of accretion, laying new technologies on top of old in a fairly haphazard manner. The result is almost organic: an entity that often seems to have a mind of its own. By learning how computer networks function and how forensic science can be applied to computer networks, we can take advantage of digital evidence and address the growing problem of cybercrime. Without an understanding of where information can be found on networks, digital investigators are guaranteed to waste a significant amount of time and are likely to lose valuable digital evidence. Additionally, without an understanding of how networks function, forensic network analysts will have a harder time making sense of any data they obtain from a network.
However, in some cases, even the people who are responsible for maintaining a network do not understand it completely. Therefore, it is unrealistic to expect an investigator to have full knowledge of a network before, or even after, an investigation. The most that can be expected of an investigator is to understand how computers and networks function in general and to have a familiarity with a variety of technologies and operating systems. Having a solid understanding of how networks function in general will enable an investigator to understand many different types of networks and will help determine when and what kind of expert is needed.