Chapter 17: Digital Evidence at the Network and Transport Layers


Overview

For a communication system to work it must have an addressing mechanism. Often, there is also a need for some form of verification that a message has reached its destination. Take a postal service as an example. Addresses are used to direct letters and, when necessary, the postal service will inform the sender when a letter has been delivered. Similarly, computer networks require an addressing scheme and sometimes a method for confirming that information has been delivered. The network and transport layers are responsible for these important aspects of computer networks.

Activities on the network and transport layers generate information that is often critical in an investigation. Log files record activities on the network, when they occurred, and the addresses of the machines involved. State tables hold information about current or very recent connections between hosts, including the IP addresses at each end. The IP addresses in log files and state tables can be used to determine the point of origin of a crime, thus leading investigators to likely suspects. Additionally, these sources of digital evidence are useful for investigative reconstruction and are crucial for establishing the continuity of offense.

Processing and analyzing evidence on the network and transport layers is like digging into the glue that holds a network together. This digging can turn up a lot of information but you have to be willing to roll up your sleeves and get your hands dirty. In other words, you have to become familiar with the technical details of these layers to take advantage of them as a source of digital evidence.

To understand how the network and transport layers work it is helpful to examine a specific example. TCP/IP is a good example because it is the most widely used implementation of the network and transport layers and a fundamental part of the Internet. This chapter provides an overview of how TCP/IP and related systems, such as the Domain Name System, work. This chapter also describes how TCP/IP can be involved in crimes and discusses how forensic science can be applied to digital evidence on the network and transport layers. Analogies are used to clarify technical concepts and many minute details are omitted for the sake of simplicity. References are provided at the end of the chapter for investigators wishing to learn more about TCP/IP.
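The two mechanisms the overview describes, addressing and delivery confirmation, are visible in the raw bytes of every TCP/IP packet: the IPv4 header carries the source and destination addresses and a checksum, and the TCP header carries the port numbers and the ACK flag with which the receiver confirms what it has received. The following example, added here and not taken from the book, parses a constructed IPv4/TCP packet (a server's SYN-ACK, built with struct rather than captured from a live network) into the fields an investigator would pull from a capture, verifies the IP header checksum, and renders the result as the kind of one-line summary found in logs and state tables. The field layouts follow RFC 791 and RFC 793; the sample addresses, ports and helper names are assumptions made for illustration.

```python
import struct
from typing import Dict, List

# TCP control bits, low to high (RFC 793).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header whose checksum field is already filled in, it returns 0
    when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_packet() -> bytes:
    """Constructed sample, not captured traffic: a SYN-ACK from a hypothetical
    server 10.0.0.5:443 to a hypothetical client 192.168.0.10:51234."""
    # src port, dst port, seq, ack, data offset (5 words) << 4, flags SYN|ACK,
    # window, checksum (left zero: the TCP checksum needs a pseudo-header), urgent
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 1, 2, 5 << 4, 0x12, 65535, 0, 0)
    # version/IHL, TOS, total length, ID, flags/fragment (DF), TTL, proto 6 = TCP,
    # checksum placeholder, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 0, 10]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> Dict:
    """Decode the IPv4 header and, for protocol 6, the TCP header that follows."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not an IPv4 packet or header truncated")
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "dont_fragment": bool(frag & 0x4000),
        # Recomputing over the header as received yields 0 only if it is intact.
        "ip_checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }
    if proto == 6 and len(pkt) >= ihl + 20:
        (sport, dport, seq, ack, _off, flags,
         win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
        info.update({
            "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "window": win,
            "flags": [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit],
        })
    return info


def describe(info: Dict) -> str:
    """Render a parsed packet as a log/state-table style connection line."""
    flags = ",".join(info.get("flags", []))
    return (f"{info['src']}:{info.get('src_port', '?')} -> "
            f"{info['dst']}:{info.get('dst_port', '?')} [{flags}]")


if __name__ == "__main__":
    pkt = build_sample_packet()
    parsed = parse_packet(pkt)
    print(describe(parsed), "checksum ok:", parsed["ip_checksum_ok"])
    damaged = bytearray(pkt)
    damaged[8] = 63  # alter the TTL byte; the header checksum no longer matches
    print("damaged packet checksum ok:", parse_packet(bytes(damaged))["ip_checksum_ok"])
```

Two caveats a practitioner should keep in mind when reading such output as evidence. The IP header checksum covers only the header and is not cryptographic: it catches accidental corruption, not deliberate tampering, and the TCP checksum additionally covers a pseudo-header of the addresses and so cannot be verified from the TCP segment alone. Source addresses are written by the sender, so a packet with only the SYN flag set can carry a forged address, whereas a completed handshake (SYN, then SYN-ACK, then ACK) shows that the sending host actually received the server's reply.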

In addition to describing TCP/IP in detail, this chapter provides a brief overview of cellular data networks. Cellular phones and other hand-held devices can be used to access the Internet and they depend on computer networks that are similar to the Internet in many respects. These similarities are emphasized to enable investigators to generalize their knowledge of the network and transport layers and use that knowledge to understand other internetworks.




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279

flylib.com © 2008-2017.