A portable network forensic evidence collector

A small portable network forensic evidence collection device is presented which is built using inexpensive embedded hardware and open source software. The device offers several modes of operation for different live network evidence collection scenarios involving single network nodes. This includes the use of promiscuous packet capturing to enhance evidence collection from remote network sources, such as websites or other remote services. It operates at the link layer allowing the device to be transparently inserted inline between a network node and the rest of a network. It is simple to deploy, requiring no reconfiguration of the node or surrounding network infrastructure. The device can be preconfigured in the forensics lab, and deployment delegated to staff not specifically trained in forensics. Details of the architecture, construction and operation are described. Special attention is given to information security aspects of live network evidence collection.