Preface

Every day, more bits of data flow across the Internet than there are grains of sand on all the beaches in the world. According to the Cisco Visual Networking Index, the total global IP traffic for 2011 was forecast to be approximately 8.4 * 10^18 bits per day. Meanwhile, mathematicians at the University of Hawaii have estimated the number of grains of sand on all the beaches in the world to be approximately 7.5 * 10^18 grains. According to Cisco, global IP traffic is expected to increase at an annual growth rate of 32% per year, so by the time you read this, the number of bits of data flowing across the Internet every day may have far exceeded the estimated number of grains of sand on all the beaches in the world. [2, 3, 4]

Of course, these estimates are very rough, because in both cases the systems involved are far larger and more complex than humanity has the tools to quantify. The Internet has long since passed the point where we can fully analyze and comprehend its workings. We can understand bits and pieces of it and we can make broad generalizations; but the fact is that we humans have already created a monster far more powerful and complex than we can ever fully understand.

In this environment a new, endless field of study has emerged: network forensics. Forensics, in general, is "the application of scientific knowledge to legal problems, especially scientific analysis of physical evidence, as from a crime scene." Network forensics therefore refers to the scientific study of network-based evidence, commonly applied to legal questions. Of course,