Digital forensics is still a young science. That newness, coupled with the fast-changing world of computer technology, has resulted in a digital forensics taxonomy that is poorly defined and confusing to computer security experts and law enforcement alike.
Network forensics is the sub-discipline of digital forensics that deals with evidence carried over a computer network. It can be applied to network security (investigating intrusions and other incidents on organisational networks) or within traditional law enforcement and judicial contexts.
It's anticipated that in the near future, network forensics will be a common component of trial cases. As a result, having credible standards for network forensics is vital to the continued speed and fairness of the judicial system.
As forensic evidence, network data is slippery to collect: It does not reside with its sender or its receiver. Usually it is archived only by network service providers or by law enforcement. Who owns such evidence is one of numerous legal dilemmas created by the lack of standards. These issues could be resolved if standards bodies created formal taxonomies, procedures and tools for network forensics. The computer security community should assist in the creation and maintenance of formal standards. And the most expedient way to implement these standards may be to use proprietary tools rather than open source software or freeware.
In the absence of formal network forensics standards, many de facto standards and best practices have been adopted. In fact, de facto standards have been in use since network forensics first became part of the corporate and legal landscape.
The most general practices in network forensics concern preservation, identification, extraction, documentation and interpretation. Each of these practices breaks down into smaller, common-sense procedures. For instance, the preservation best practice recommends working in teams and collecting as much data as possible. There is also a best practice for the order of evidence collection: deal with the immediate threat to the network first, then collect the data. Although these practices are only a fraction of the network security corpus, they do constitute a core knowledge base.
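The preservation and documentation practices above come down, in day-to-day terms, to proving that a captured trace has not changed between seizure and analysis. The following is an added example written for this page, not code from the original article or from any standards body: it hashes a capture file at seizure, appends a chain-of-custody record at every handover, and re-verifies the hash before analysis. The file names, the `custody.jsonl` record format and its field names are assumptions made here, and the capture is a constructed, empty pcap (header only).

```python
"""Evidence preservation for a captured network trace: hash on seizure,
append a chain-of-custody record, re-verify integrity before analysis.
Added example, not from the original article. File names, record fields
and the custody.jsonl format are assumptions made for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: a libpcap global header (little-endian magic, version 2.4,
# snaplen 65535, link type 1 = Ethernet) with no packets. 24 bytes, nothing else.
SAMPLE_PCAP = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_custody(log_path, evidence_path, handler, action, note=""):
    """Append one custody record. The hash is recomputed at every handover,
    so the log itself shows at which step a discrepancy first appeared."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(log_path, evidence_path):
    """Compare the file's current hash against its seizure record.
    Returns (ok, recorded_hash, current_hash); ok is False if no record exists."""
    name = os.path.basename(evidence_path)
    with open(log_path) as log:
        records = [json.loads(line) for line in log if line.strip()]
    seizure = next((r for r in records if r["evidence"] == name), None)
    current = sha256_file(evidence_path)
    if seizure is None:
        return (False, None, current)
    return (current == seizure["sha256"], seizure["sha256"], current)


def demo():
    """Seize, hand over, verify, then modify the file and verify again.
    Returns (intact_before_change, intact_after_change)."""
    workdir = tempfile.mkdtemp()
    cap = os.path.join(workdir, "edge-router.pcap")   # assumed file name
    log = os.path.join(workdir, "custody.jsonl")      # assumed log name
    with open(cap, "wb") as f:
        f.write(SAMPLE_PCAP)
    record_custody(log, cap, "analyst-1", "seized", "mirror-port capture")
    record_custody(log, cap, "analyst-2", "received")
    intact_before = verify_evidence(log, cap)[0]
    with open(cap, "ab") as f:       # an undocumented change to the evidence
        f.write(b"\x00")
    intact_after = verify_evidence(log, cap)[0]
    return intact_before, intact_after


if __name__ == "__main__":
    before, after = demo()
    print("intact before change:", before, "| intact after change:", after)
```

The hash is recomputed and logged at each handover rather than copied from the previous record, so a later discrepancy can be pinned to a specific handler and time, which is what a custody trail has to support when the evidence is challenged.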