Network Evidence Collection

Network evidence provides crucial context about communications and data movement:

Packet Capture:

# Full packet capture
tcpdump -i eth0 -w capture.pcap
# Targeted capture
tcpdump -i eth0 host 192.168.1.100 -w targeted.pcap

NetFlow Collection:

  • Provides traffic metadata without full packets
  • Lower storage requirements
  • Useful for long-term trending
  • Tools: nfdump, SiLK, Argus

Log Collection Priority:

  1. Firewall logs
  2. IDS/IPS alerts
  3. Proxy logs
  4. DNS query logs
  5. DHCP assignments
  6. VPN connections
  7. Wireless access logs