Generalizing sources of live network evidence

This paper suggests combining the capture of network traffic and the collection of data from remote network services into a more general acquisition category of live network evidence sources. These two evidence sources exhibit many similarities, collected data share the same basic characteristics, and the acquisition architectures used for collection are very similar. When viewed from a more abstract perspective they can be described in the same terms. The OSI model's layered approach to networking can be used to help bring these two branches of network evidence together, organizing and reducing the complexity found in live network acquisition. The concept of an acquisition window is also introduced as a fundamental variable in live network acquisition.