Network Evidence Sources
Effective network forensics requires collecting data from multiple sources across the infrastructure:
Primary Evidence Sources:
Packet Captures (PCAP):
- Full content data including headers and payloads
- Provides complete visibility into communications
- Storage-intensive but comprehensive
- Tools: tcpdump, Wireshark, tshark
NetFlow/IPFIX Data:
- Metadata about network conversations, with no payload
- Source/destination IPs, ports, and protocols
- Byte and packet counts per flow
- Start time and duration of each flow
- Far smaller than PCAP, so it can be retained for months; check whether the exporter samples packets, since sampled exports undercount or miss short connections
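To show how the flow fields above are used in practice, here is an added Python example (not from the original page) that aggregates constructed NetFlow/IPFIX-style records into per-conversation totals and picks out two shapes an analyst looks for: an internal host pushing a large volume to a single external address, and a connection that stays open for hours while carrying almost nothing. The CSV column names, the thresholds and the RFC 1918 internal ranges are assumptions made for the demonstration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records (not a real export). The column names are an assumption;
# they mirror the fields a NetFlow v9 / IPFIX collector typically writes out.
# 10.0.0.5 pushes ~800 MB to one external host over two long HTTPS flows;
# 10.0.0.9 holds a two-hour SSH session that carries almost no data.
SAMPLE_FLOWS = """\
start,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets,duration_s
2024-03-01T09:00:01,10.0.0.5,51000,203.0.113.10,443,6,184000,210,12.5
2024-03-01T09:00:03,10.0.0.7,51010,203.0.113.10,443,6,96000,120,8.0
2024-03-01T09:05:00,10.0.0.5,51100,198.51.100.23,443,6,420000000,310000,1800.0
2024-03-01T09:10:00,10.0.0.9,51200,203.0.113.50,22,6,4200,60,7200.0
2024-03-01T09:20:00,10.0.0.7,51300,10.0.0.20,445,6,5200000,4100,30.0
2024-03-01T09:30:00,10.0.0.5,51400,198.51.100.23,443,6,380000000,290000,1700.0
"""

# Assumed internal address space (RFC 1918). Checked explicitly rather than via
# ipaddress's is_private, which also treats the 198.51.100/24 and 203.0.113/24
# documentation ranges used above as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into typed records (one unidirectional flow each)."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": row["start"],
            "src_ip": row["src_ip"],
            "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
            "packets": int(row["packets"]),
            "duration_s": float(row["duration_s"]),
        })
    return flows


def outbound_volume(flows):
    """Sum bytes per (internal source, external destination) pair. Internal-to-
    internal and inbound flows are left out so totals reflect data leaving the network."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]):
            totals[(f["src_ip"], f["dst_ip"])] += f["bytes"]
    return dict(totals)


def top_outbound(flows, min_bytes=100_000_000):
    """Host pairs that moved at least min_bytes outward, largest first."""
    return sorted(
        ((src, dst, b) for (src, dst), b in outbound_volume(flows).items()
         if b >= min_bytes),
        key=lambda t: t[2], reverse=True,
    )


def long_lived_low_rate(flows, min_duration_s=3600, max_bytes_per_s=100):
    """Flows that stayed open for a long time while carrying almost nothing: the
    shape of an idle reverse shell or keep-alive tunnel rather than a bulk transfer."""
    hits = []
    for f in flows:
        rate = f["bytes"] / f["duration_s"] if f["duration_s"] > 0 else float("inf")
        if f["duration_s"] >= min_duration_s and rate <= max_bytes_per_s:
            hits.append((f["src_ip"], f["dst_ip"], f["dst_port"], f["duration_s"]))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, total in top_outbound(flows):
        print(f"large outbound transfer: {src} -> {dst} {total / 1e6:.0f} MB")
    for src, dst, port, dur in long_lived_low_rate(flows):
        print(f"long idle connection: {src} -> {dst}:{port} open {dur / 3600:.1f} h")
```

Flow records are unidirectional, so the totals here count only the client-to-server direction; to size a full conversation, match the reverse flow as well. If the exporter samples packets, multiply the byte and packet counts by the sampling rate before applying any threshold.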
Firewall Logs:
- Allowed and denied connections
- NAT translations
- VPN connections
- Security policy violations
IDS/IPS Alerts:
- Signature-based detections
- Anomaly notifications
- Blocked attack attempts
- Behavioral indicators
DNS Query Logs:
- Domain lookups and resolutions
- Potential C2 communications
- Data exfiltration via DNS
- Malware beaconing patterns
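As an added example that is not part of the original page, the following Python script runs two of the DNS checks listed above over a few constructed, BIND-style query log lines: long, high-entropy subdomain labels as a sign of data encoded into DNS, and near-constant query intervals to a single domain as a sign of beaconing. The log format, the thresholds and the naive last-two-labels domain split are assumptions made for the demonstration.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample DNS query log (not from a real resolver). The layout assumed
# here is BIND-style: "<ISO timestamp> client <ip>#<port>: query: <qname> IN <qtype>".
# 10.0.0.5 queries tunnel.evil-example.net every 30 s with long random-looking
# labels; 10.0.0.7 is ordinary browsing traffic.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:00 client 10.0.0.5#53211: query: www.example.com IN A
2024-03-01T10:00:00 client 10.0.0.5#53212: query: q7kxz2mbnp3ayw4tgcrvhd5jf6lsoue.tunnel.evil-example.net IN TXT
2024-03-01T10:00:30 client 10.0.0.5#53213: query: euosl6fj5dhvrcgt4wya3pnbm2zxk7q.tunnel.evil-example.net IN TXT
2024-03-01T10:01:00 client 10.0.0.5#53214: query: mbnp3ayw4tgcrvhd5jf6lsoueq7kxz2.tunnel.evil-example.net IN TXT
2024-03-01T10:01:30 client 10.0.0.5#53215: query: rvhd5jf6lsoueq7kxz2mbnp3ayw4tgc.tunnel.evil-example.net IN TXT
2024-03-01T10:00:12 client 10.0.0.7#41000: query: mail.example.com IN MX
2024-03-01T10:00:45 client 10.0.0.7#41001: query: cdn.example.org IN A
2024-03-01T10:02:00 client 10.0.0.7#41002: query: www.example.com IN AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_dns_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return records


def registered_domain(qname):
    """Naive registered-domain extraction (last two labels). Production code should
    use the Public Suffix List so that names like example.co.uk are split correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s; encoded binary data scores high,
    dictionary words and short hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_dns_exfil(records, min_label_len=24, min_entropy=3.5):
    """Flag queries whose host labels are both long and high-entropy, the shape of
    data chunked into subdomains by a DNS tunnel. Returns [(client, qname), ...]."""
    flagged = []
    for r in records:
        host_labels = r["qname"].split(".")[:-2]  # everything left of the registered domain
        if any(len(lbl) >= min_label_len and shannon_entropy(lbl) >= min_entropy
               for lbl in host_labels):
            flagged.append((r["client"], r["qname"]))
    return flagged


def find_beacons(records, min_queries=4, max_jitter=0.1):
    """Group queries by (client, registered domain) and report groups whose
    inter-query gaps are nearly constant (coefficient of variation <= max_jitter).
    Returns {(client, domain): mean_interval_seconds}."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for client, qname in find_dns_exfil(recs):
        print(f"possible DNS exfil: {client} -> {qname}")
    for (client, domain), interval in find_beacons(recs).items():
        print(f"possible beacon: {client} -> {domain} every {interval:.0f}s")
```

Both checks produce leads, not verdicts: CDNs and some anti-virus products legitimately use long encoded labels, and any scheduled job resolves a name on a fixed interval, so confirm against the proxy or flow data for the same host before treating a hit as malicious.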
Web Proxy Logs:
- HTTP request details: URL, method, status code, and bytes transferred
- User agent strings
- Downloaded files and their content types
- Blocked content and the policy that blocked it
- For HTTPS, only the destination host is visible (from the CONNECT request or SNI) unless the proxy performs TLS interception