Identifying sources of evidence
For any investigation to succeed, the evidence must be correctly collected, collated, preserved, and analyzed.
To begin with, we need to identify the sources of evidence for any investigation.
The sources of evidence can be divided into the following two broad categories:
Evidence obtainable from within the network
Consider the following image:
This can include the following:
Evidence from network & device logs:
A log is a record of the activities performed on a device, whether by the device itself or by outside agents, together with their outcomes. Incoming and outgoing events are thus recorded on the system, subject to what the device has been configured to log, so the logging configuration itself is part of what the investigator needs to establish. Logs are a crucial part of the investigation ecosystem.
Network devices such as firewalls, intrusion detection and prevention systems, and anti-virus servers generate logs, as do operating systems (event logs) and applications (application logs).
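The following is an added example, not code from the book, showing the "preserve, then analyze" sequence on two of the log sources just listed: a firewall log and a host's SSH authentication log. The log lines are constructed for this illustration (they imitate the UFW/iptables and OpenSSH formats but are not real captured evidence), and the thresholds in correlate() are arbitrary assumptions. The script hashes the raw evidence before parsing, then correlates perimeter blocks with failed logins on the host.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample evidence (not real captures): iptables/UFW-style block
# records as a firewall would emit them through syslog.
FIREWALL_LOG = """\
Mar  3 10:14:02 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Mar  3 10:14:03 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Mar  3 10:14:05 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=445
Mar  3 10:14:09 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=3389
"""

# Constructed OpenSSH auth log lines from the host behind that firewall.
AUTH_LOG = """\
Mar  3 10:15:41 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  3 10:15:44 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  3 10:15:50 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51241 ssh2
Mar  3 10:16:02 web1 sshd[2205]: Accepted password for deploy from 192.0.2.55 port 60001 ssh2
Mar  3 10:16:30 web1 sshd[2207]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

FW_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def preserve(raw: str) -> str:
    """Hash the raw evidence before touching it, so every later finding can be
    tied back to the exact bytes that were collected (chain of custody)."""
    return hashlib.sha256(raw.encode()).hexdigest()


def parse_firewall(raw: str) -> list:
    """Turn firewall block lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in raw.splitlines():
        m = FW_RE.search(line)
        if m:
            events.append({**m.groupdict(), "dpt": int(m.group("dpt"))})
    return events


def parse_auth(raw: str) -> list:
    """Turn sshd password-auth lines into event dicts (result, user, src, port)."""
    events = []
    for line in raw.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def blocked_ports_by_source(fw_events: list) -> dict:
    """Map each source IP to the set of destination ports the firewall blocked."""
    ports = defaultdict(set)
    for e in fw_events:
        ports[e["src"]].add(e["dpt"])
    return ports


def failed_logins_by_source(auth_events: list) -> Counter:
    """Count failed password attempts per source IP."""
    return Counter(e["src"] for e in auth_events if e["result"] == "Failed")


def correlate(fw_events: list, auth_events: list, min_ports: int = 3, min_failures: int = 2) -> list:
    """Sources that probed several ports at the perimeter and then failed logins on
    the host. The thresholds are assumptions for this example, not a standard."""
    scanners = {
        src for src, ports in blocked_ports_by_source(fw_events).items() if len(ports) >= min_ports
    }
    failures = failed_logins_by_source(auth_events)
    return sorted(src for src in scanners if failures[src] >= min_failures)


if __name__ == "__main__":
    print("firewall log sha256:", preserve(FIREWALL_LOG))
    print("auth log sha256:   ", preserve(AUTH_LOG))
    print("suspect sources:", correlate(parse_firewall(FIREWALL_LOG), parse_auth(AUTH_LOG)))
```

With the constructed data, 203.0.113.45 is blocked on ports 22, 23 and 3389 and then fails three SSH logins, so it is the single correlated source; the hashes printed first are what an investigator would record alongside the collected files before any parsing is done.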
Network traffic:
As discussed in the previous chapter, network traffic is transmitted in packets. The data is split...