It is sometimes said that information extracted from a router or switch does not necessarily provide specific evidence of a particular crime

A router can be a network hardware or software device that enables communication between a local home network, other connected devices, and the internet. Routers can be considered small computers since they have a CPU and a memory that deal with incoming and outgoing data (Alex & Kishore, 2017). Routers decide which paths network traffic to follow hence determining the best path to source the information. The main functions of routers are; process routable protocols by evaluating network addresses of incoming packets and ensuring information goes where it’s needed by selecting the best path. Data is organized into packets by IP, which is addressed for delivery. The first half of the IP address represents the proper network, and the other portion of the IP address identifies the host.

A good understanding of router components is needed for forensic analysis by the investigation team because it can provide specific evidence of a particular crime (Szewczyk,  2007). The essential components required in the forensic analysis are the functional components. Time is the key factor when gathering the evidence; thus, the team needs to know what to look at first and not to cause any distort on volatile evidence. The crucial router components are the NVRAM, RAM, ROM, Flash Memory, and POST.

RAM stores the primary data (running configuration file) which investigators are interested to know about. The file contains essential information on how the router is configured at a specific time. The RAM also stores the topology table, ARP information, and the link-state database. The difference between ROM and RAM is that ROM is not volatile, and the information can be retrieved even when there is a power failure or reboot. The NVRAM incorporates the startup configuration file. The volatile memory is lost when the router fails to start or when it loses power. In some routers, virtual LANs are stored inside NVRAM. A power-on self-test is conducted early to check if everything is working properly. In POST, ROMMON mode can be found. There are similarities between ROMMON and BIOS on a computer (Dou et al., 2005). The investigators can check the ROMMON mode of the router to see various components, check any installation in the system, and ensure components are properly functioning. Finally, the operating system for the router can be examined under the Flash memory. Routers have different things on Flash, which comprises of security device manager software and web management software.