Forensics & IR
Network Forensics
Also known as: NetFor, Traffic forensics
Definition
The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
Examples
- Reconstructing an attacker's HTTP C2 sessions from a Zeek conn.log and PCAP slice.
- Identifying DNS tunnelling exfiltration by analysing query length distributions in NetFlow.
Related terms
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
DFIR (Digital Forensics and Incident Response)
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
Intrusion Detection System (IDS)
A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
Network-Based IDS (NIDS)
An intrusion-detection sensor that inspects traffic captured from a network segment to identify malicious patterns and policy violations.
Log Analysis
Log Analysis — definition coming soon.
NDR (Network Detection and Response)
A network security technology that analyses traffic — including decrypted traffic, metadata and flow data — using behavioural analytics and ML to detect threats and orchestrate response.