Network forensics is the analysis of network traffic to collect information used in internal, as well as legal, investigations. In addition to being used for investigative purposes, network forensics is also a tool for intruder detection and interception utilized for system security. There are a number of techniques in use to intercept data, using a variety of devices to either collect all data that moves through a network or identify selected data packets for further investigation. Computers with rapid processing speeds and high volumes of storage space are needed for accurate and productive forensic analysis of a network.
As computer systems moved increasingly toward networks in the 1990s and home Internet became ubiquitous in many communities, interest in network forensics increased, and numerous companies began manufacturing products and offering services in the network forensics industry. Internet service providers, law enforcement, and security companies all use these tools, and they are also employed by information technology staff for security in facilities where sensitive information is handled.
In network forensics, data is captured as it moves across a network and then analyzed. Analysts look for any unusual or suspicious activity and can identify particular computers or people of interest for deeper investigation. In the case of law enforcement, investigations may be conducted both to support ongoing inquiries and to gather evidence for use in court. Internal investigations may use network forensics to identify the sources of information leaks and potential security compromises in a system.
Intruder detection with network forensics can be part of a security scheme for a company. Automated systems look for suspicious traffic and alert security personnel, and in some cases, such systems may automatically intervene to block access to sensitive information or to kick people off the network altogether. This proactive approach to security allows computer networks and systems to respond dynamically to threats.
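The capture-then-analyze loop of the two preceding paragraphs, reduced to working code, as an added example that is not part of the original article: a small detection pass reads constructed flow summaries (timestamp, source, destination, destination port, bytes sent), applies two rules of the kind an automated system uses to spot "suspicious traffic" (one source probing many ports on one host; a large outbound transfer to an external address), raises alerts, and then decides which sources are blocked automatically and which are only flagged for a person to review. The address range, thresholds and sample records are assumptions made for the example, not real data.

```python
"""Minimal automated intruder detection over captured flow records.

Added illustration, not code from the original article. All addresses,
thresholds and flow lines are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow summaries (not real traffic). Fields per line:
# epoch_seconds src_ip dst_ip dst_port bytes_sent
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 10.0.0.20 443 1200
1700000001 10.0.0.5 10.0.0.20 443 900
1700000002 10.0.0.9 10.0.0.20 21 60
1700000002 10.0.0.9 10.0.0.20 22 60
1700000002 10.0.0.9 10.0.0.20 23 60
1700000003 10.0.0.9 10.0.0.20 25 60
1700000003 10.0.0.9 10.0.0.20 80 60
1700000003 10.0.0.9 10.0.0.20 110 60
1700000004 10.0.0.9 10.0.0.20 143 60
1700000004 10.0.0.9 10.0.0.20 443 60
1700000004 10.0.0.9 10.0.0.20 445 60
1700000005 10.0.0.9 10.0.0.20 3389 60
1700000010 10.0.0.7 203.0.113.8 443 52000000
1700000011 10.0.0.5 198.51.100.4 443 80000
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SCAN_PORT_THRESHOLD = 8            # distinct ports on one host from one source
EXFIL_BYTES_THRESHOLD = 50_000_000  # bytes from one source to one external host
AUTO_BLOCK_RULES = {"port_scan"}   # rules whose alerts trigger automatic blocking


def parse_flows(text):
    """Turn the whitespace-separated capture lines into flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def detect(flows):
    """Apply the two detection rules and return a list of alert dicts."""
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports
    bytes_out = defaultdict(int)    # (src, external dst) -> total bytes sent
    for f in flows:
        ports_seen[(f["src"], f["dst"])].add(f["port"])
        if ipaddress.ip_address(f["dst"]) not in INTERNAL_NET:
            bytes_out[(f["src"], f["dst"])] += f["bytes"]

    alerts = []
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append({"rule": "port_scan", "src": src, "dst": dst,
                           "detail": f"{len(ports)} distinct ports probed"})
    for (src, dst), total in bytes_out.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append({"rule": "large_outbound", "src": src, "dst": dst,
                           "detail": f"{total} bytes sent to external host"})
    return alerts


def respond(alerts):
    """Split alerting sources into those blocked automatically and those
    handed to security personnel for review. Returns (block, review)."""
    block, review = set(), set()
    for a in alerts:
        if a["rule"] in AUTO_BLOCK_RULES:
            block.add(a["src"])
        else:
            review.add(a["src"])
    return block, review


if __name__ == "__main__":
    found = detect(parse_flows(SAMPLE_FLOWS))
    for a in found:
        print(f"ALERT {a['rule']}: {a['src']} -> {a['dst']} ({a['detail']})")
    to_block, to_review = respond(found)
    print("auto-block:", sorted(to_block), "| review:", sorted(to_review))
```

Only the port-scan rule is wired to automatic blocking here; the large-transfer rule produces an alert for a person to examine, because a single big upload is often legitimate (a backup, a software release) and a wrong automatic block would cut off a real user. That split between alerting and intervening is the design decision the paragraph above leaves to each organisation.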
Governments started pushing for increased access to computer networks for the purpose of accessing and analyzing data in the 2000s. The development of wiretap-compliant devices and systems was advocated by some law enforcement agencies with the goal of using network forensics to identify potential security threats, ranging from terrorist activity over computer networks to evidence of criminal activity. Criminals had turned to the Internet in the 1990s, both for organizing offline activities and for conducting attacks over networks, and many governments felt powerless to interdict information and respond without a broad framework for information interception in place.