Handbook of Computer Crime Investigation: Forensic Tools and Technology

In addition to the sources of evidence discussed in the previous sections, networks are composed of a variety of devices that can contain evidence. Network devices are one of the most challenging sources of digital evidence. There are many different types of network devices, each with its own interface or command interpreter. The information they contain depends heavily on the configuration and on the versions of the associated hardware and software. For instance, a simple Linksys router (www.linksys.com) with Firmware version 1.37 can generate a log of all traffic that it handles. However, as shown in Figure 9.7, the logs on the device itself do not retain much information; a program such as Link Logger (www.linklogger.com) must be used on a remote logging host to retain a historical record of events and to display the timestamps associated with each log entry.
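The following is an added example, not code from the book or from Link Logger, of what a remote logging host has to do for entries like the ones above: record the moment each message arrives (the device sends no usable timestamp), record which device reported it, keep the raw bytes unchanged, and never overwrite earlier entries. The "direction src dst port" message format, the sample datagrams and the UDP port are constructed for illustration and are not the format or port of any real router.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample datagrams in a hypothetical "direction src dst port"
# format (not the format of any real device). They carry no timestamp,
# so the only reliable time reference is the logging host's receipt time.
SAMPLE_DATAGRAMS = [
    (b"out 192.168.1.20 203.0.113.7 80", "192.168.1.1"),
    (b"in 198.51.100.9 192.168.1.20 22", "192.168.1.1"),
    (b"garbage", "192.168.1.1"),  # malformed on purpose: must be kept, not dropped
]


def parse_message(raw: bytes) -> dict:
    """Parse the hypothetical format; anything unrecognised is kept verbatim."""
    text = raw.decode("ascii", errors="replace").strip()
    parts = text.split()
    if len(parts) == 4 and parts[0] in ("in", "out") and parts[3].isdigit():
        return {"direction": parts[0], "src": parts[1], "dst": parts[2],
                "port": int(parts[3])}
    return {"unparsed": text}


def make_record(raw: bytes, reporter: str, received_at: datetime = None) -> dict:
    """Build one log record: receipt time (UTC), reporting device, raw bytes, parsed fields."""
    if received_at is None:
        received_at = datetime.now(timezone.utc)
    return {
        "received_at": received_at.isoformat(),
        "reporter": reporter,          # source address of the datagram
        "raw": raw.hex(),              # original bytes preserved exactly
        **parse_message(raw),
    }


class LogStore:
    """Append-only store: records are added in arrival order and never rewritten."""

    def __init__(self, path: str = None):
        self.records = []
        self.path = path               # optional JSON-lines file on disk

    def append(self, rec: dict) -> dict:
        self.records.append(rec)
        if self.path:
            with open(self.path, "a") as f:
                f.write(json.dumps(rec) + "\n")
        return rec


def collect(datagrams, received_at: datetime = None) -> LogStore:
    """Ingest an iterable of (raw_bytes, reporter_ip) pairs into a fresh store."""
    store = LogStore()
    for raw, reporter in datagrams:
        store.append(make_record(raw, reporter, received_at))
    return store


def serve(store: LogStore, bind: str = "0.0.0.0", port: int = 5140):
    """Listen for UDP datagrams and stamp each one on arrival (network use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            raw, (addr, _) = s.recvfrom(65535)
            store.append(make_record(raw, addr))


if __name__ == "__main__":
    for rec in collect(SAMPLE_DATAGRAMS).records:
        print(json.dumps(rec))
```

Two design points matter forensically: the raw bytes are stored alongside the parsed fields so a parsing mistake can be corrected later without losing evidence, and the host's own clock supplies the timestamp, so the logging host's clock accuracy (and its offset from other sources) must be documented when the record is used.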
Even if a network device does not contain evidence, it may have handled data as it traveled over the network and it may be desirable to document the configuration and health of the device. For example, if an individual claims to have accessed a certain server at a certain time from a specific location, the configuration of a firewall protecting the server may show that this was not physically possible and that another scenario actually occurred.
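As an added example (not from the book, and not the configuration of any real firewall) of testing a claim against a documented rule set: the rules below are constructed for a firewall in front of a hypothetical server at 192.0.2.10, evaluated with first-match semantics and an implicit final deny, as most packet filters do. A claimed connection is expressed as protocol, source, destination, destination port and time, and the evaluator reports which rule would have decided it. The optional time-of-day window on a rule is a hypothetical feature included to show how the "at a certain time" part of a claim can be checked.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # source CIDR
    dst: str                             # destination CIDR
    dport: Optional[int]                 # destination port, None = any
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour window, None = always


# Constructed rule set (illustration only). Ordered: first match wins.
RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),              # SSH from internal only
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),              # HTTPS from anywhere
    Rule("allow", "tcp", "198.51.100.0/24", "192.0.2.10/32", 3389, (8, 18)),  # RDP, office hours
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),                  # explicit catch-all
]


def rule_matches(rule: Rule, proto: str, src: str, dst: str,
                 dport: int, when: datetime) -> bool:
    """True if every field of the claimed connection falls within the rule."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= when.hour < end):
            return False
    return True


def evaluate(rules, proto: str, src: str, dst: str,
             dport: int, when: datetime) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding rule); None index means the implicit default deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, dport, when):
            return rule.action, i
    return "deny", None


def assess_claim(rules, proto: str, src: str, dst: str,
                 dport: int, when: datetime) -> dict:
    """Summarise whether the configuration is consistent with the claimed access."""
    action, idx = evaluate(rules, proto, src, dst, dport, when)
    return {
        "claim": f"{proto} {src} -> {dst}:{dport} at {when.isoformat()}",
        "consistent_with_config": action == "allow",
        "deciding_rule": idx,
    }


if __name__ == "__main__":
    # Claimed: SSH into the server from an external address on the afternoon of the incident.
    print(assess_claim(RULES, "tcp", "198.51.100.20", "192.0.2.10", 22,
                       datetime(2003, 5, 1, 14, 0)))
```

A negative result here does not prove the event did not happen; it shows that the documented configuration would not have permitted it, which is why the configuration, its change history and the device's clock should be captured at the same time as the rule set.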
Routers are primarily responsible...