Class discussion was on the topic of network forensics. We discussed whether network forensics exists at all, what we mean by “the network,” and what such an investigation would actually examine. For the physical environment, we started by looking for good evidence in the physical domain.
First, a paper dealing with wireless signals and obtaining a “fingerprint” of the actual transmitter. There are many such papers, but with IEEE Xplore access this paper on fractal signal geometry will get you part of the way there. There is also this paper on fingerprinting 802.11b transmitters.
Second, we talked about tools like Wireshark and others for getting data off the endpoints and midpoints, for doing network forensics on the copper.
Last, a paper detailing how to hack fiber optic cable. As we discussed, it is possible, and this paper gives some pretty good clues. This would be an excellent project for somebody someday: Hacking the speed of light (pdf).
All of this means we can mess around a bit with the network physical layer, but what kind of evidence will we find there? More importantly, after reading the text chapter, is that what the authors were really talking about?
The open question is, “Is there such a thing as network forensics, and if so/not what are you investigating?”
I’m not sure why you are questioning whether network forensics exists or not. Network forensics is something that is being used today, and will be used even more in the future.
You can, for example, read my article titled “Passive Network Security Analysis with NetworkMiner” in (IN)SECURE Magazine #18. Or why not visit http://networkminer.sourceforge.net/ and take the open source network forensic tool for a test drive?