Network Forensics
What is Network Forensics?
Network ForensicsThe capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
Network forensics examines packet captures (PCAP), NetFlow/IPFIX, DNS, proxy, firewall and IDS logs to identify intrusion vectors, exfiltration channels, command-and-control, and lateral movement. Approaches range from catch-it-as-you-can full-packet capture to stop-look-and-listen targeted sniffing on key choke points. Tools include Wireshark, Zeek, Suricata, tcpdump, Arkime/Moloch, and commercial NDR platforms. Investigators correlate flows with endpoint and SIEM data, decoding application protocols (HTTP, TLS metadata, DNS, SMB) and applying JA3/JA4 fingerprints to spot suspicious clients. Because raw traffic is volatile, retention policies, secure storage, and chain-of-custody from sensors are critical for admissibility under ISO/IEC 27037.
● Examples
- 01
Reconstructing an attacker's HTTP C2 sessions from a Zeek conn.log and PCAP slice.
- 02
Identifying DNS tunnelling exfiltration by analysing query length distributions in NetFlow.
● Frequently asked questions
What is Network Forensics?
The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity. It belongs to the Forensics & IR category of cybersecurity.
What does Network Forensics mean?
The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
How do you defend against Network Forensics?
Defences for Network Forensics typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Network Forensics?
Common alternative names include: NetFor, Traffic forensics.