A portable network forensic evidence collector

A small portable network forensic evidence collection device is presented which is built using inexpensive embedded hardware and open source software. The device o ers several modes of operation for di erent live network evidence collection scenarios involving single network nodes. This includes the use of promiscuous packet capturing to enhance evidence collection from remote network sources, such as websites or other remote services. It operates at the link layer allowing the device to be transparently inserted inline between a network node and the rest of a network. It is simple to deploy, requiring no recon guration of the node or surrounding network infrastructure. The device can be precon gured in the forensics lab, and deployment delegated to sta not speci cally trained in forensics. Details of the architecture, construction and operation are described. Special attention is given to information security aspects of live network evidence collection.