To ensure accurate and meaningful results at the end of a network forensic exercise, you, as a forensic investigator, must follow a rigid path through a methodological framework. This path is shown in the following diagram:
Obtain, Strategize, Collect, Analyze, and Report (OSCAR) is one such framework that ensures appropriate and consistent results. Let's look at each phase from a network forensics point of view:
- Obtain information: Obtaining information about the incident and the environment is one of the first things to do in a network forensics exercise. The goal of this phase is to familiarize a forensic investigator with the type of incident. The timestamps and timeline of the event, the people, systems, and endpoints involved in the incident—all of these facts are crucial in building up a detailed...