Module 4_ Network Forensics

Network forensics is a subfield of digital forensics focused on the collection and analysis of network data to investigate cybercrimes and security threats. Key goals include incident response, investigation, evidence collection, and threat detection, utilizing components such as data capture, traffic analysis, and event reconstruction. Evidence is gathered from various sources including logs from network devices, intrusion detection systems, and captured traffic, with both wired and wireless networks requiring specific collection techniques.


Module 4: Network Forensics
By Asst Prof Rohini M. Sawant
Introduction to Network Forensics
● Network forensics is a specialized subfield of digital forensics that focuses on the collection,
analysis, and investigation of network data in order to trace cybercrimes, detect security threats,
and monitor network behavior.
● It aims to uncover how malicious activities or network incidents occurred by studying traffic
patterns, packet data, and network logs.
● Network forensics refers to the practice of capturing, storing, and analyzing network traffic to
investigate incidents such as security breaches, hacking attempts, malware infections, or
unauthorized access. Unlike traditional digital forensics (which focuses on hard drives, devices,
or files), network forensics revolves around traffic that flows through the network, including:
1. Data packets: Small units of data transmitted across the network.
2. Network Logs: Logs from devices such as firewalls, routers, and intrusion detection systems.
3. Protocols: Protocols such as HTTP, FTP, DNS, and others, which define how data is exchanged
over the network.

The goal of network forensics is to reconstruct events, trace the path of an attacker, identify
vulnerabilities, and even identify perpetrators.
Key Goals of Network Forensics
● Incident Response: Network forensics helps identify and respond to incidents in real-time. By
analyzing network traffic, investigators can determine the scope and nature of a security breach,
understand the attack's vector (how it entered the system), and track the movement of attackers
across the network.
● Investigation and Attribution: Once a security event occurs, network forensics can be used to
trace the origin of the attack. This involves following network paths to understand how the attack
progressed, which systems were targeted, and which methods were used.
● Evidence Collection: In legal or compliance contexts, network forensic investigations can be
used to gather digital evidence of cybercrime or malicious activities that may lead to criminal
charges. Network logs, packet captures, and communication data are crucial for providing
evidence that can stand up in court.
● Threat Detection and Prevention: By continuously monitoring network traffic, potential threats
can be identified early, even before they cause damage. Forensic data analysis can highlight
unusual patterns in traffic, signaling a possible attack or breach.
Key Components of Network Forensics
Network forensics typically involves several components that work together to provide a detailed understanding
of network incidents:

a. Data Capture: Network forensics starts with capturing data that flows through the network. This data may
include:

● Packets: Small chunks of data transmitted across the network. Each packet contains detailed information
such as source, destination, protocol, and payload.
● Network Logs: Logs from network devices (routers, firewalls, switches) that record traffic activity. These
logs provide insights into what is happening on the network at any given time.

b. Traffic Analysis: Once data is captured, it needs to be analyzed. This involves:

● Packet Inspection: Investigating individual packets to extract important information, such as IP
addresses, ports, payloads, and protocols.
● Flow Analysis: Examining traffic patterns or flows between devices to determine whether the network
behavior is normal or indicative of an attack.
● Anomaly Detection: Looking for deviations from baseline network behavior, such as spikes in traffic,
communication with unfamiliar IP addresses, or unexpected protocols being used.
c. Reconstructing Events

Network forensic experts try to reconstruct the timeline of events by piecing together data captured from
multiple sources, such as:

● Session Reconstruction: Rebuilding user sessions to see what the user did during the attack or
incident.
● Timeline of Attack: Understanding the sequence of steps the attacker took to gain access,
escalate privileges, or move through the network.

d. Data Correlation

Network forensics often involves correlating network traffic data with other logs or data sources, such as
system logs, application logs, and event logs. This cross-referencing allows for a more complete picture
of the incident, making it easier to identify the root cause.
Evidences in Network Forensics
● Application and OS logs: Many different logs are generated in different locations depending on
the events occurring. Application logs such as web server access logs and database logs, event
logs generated by the operating system in use (Windows event logs and Linux syslog), and logs
from network devices such as firewalls and routers are examples of log locations to look at.
● Intrusion Detection System/Intrusion Prevention System (IDS/IPS) alerts: Many investigations
begin with an alert from an IDS or IPS. These alerts usually include the rule or signature
identifier that caused the alert and a description of the alert. In addition, the alert may carry the
packet headers and payload that triggered it. Depending on the tool in use, these alerts may be
retrieved from various locations such as a file on disk, a web GUI, or e-mail.
● Routers, Firewalls and proxy logs: Routers forward traffic from one network to another. They are
among the most common devices in enterprise networks and often contain many features that are of
interest during a network forensic investigation.
● Firewalls perform packet filtering based on a predefined ruleset. For example, assume that a rule
has been defined to block any incoming traffic on port 3389 (RDP).
● Any firewall can do this as specified in its rules. Modern firewalls can do much more than packet
filtering.
● They are often termed Next Generation Firewalls and come with additional features such as VPN,
Intrusion Prevention Systems, Intrusion Detection Systems, Anti-Virus, Web Application Firewalls
and more.
● Often, the goal of these modern firewalls is to inspect the content within the packets and decide
whether to allow them or not; the decisions they record are therefore logs of interest.
● Captured Network traffic: When an alert is generated by tools like an IDS/IPS, many tools can
record and save a packet capture for further analysis. Most of these captures can be analysed later
with tools like Wireshark. Additionally, when an ongoing attack is suspected, tools like tcpdump or
Wireshark can be used for packet capture and analysis. Record a cryptographic hash (e.g. SHA-256)
of every capture file at acquisition time so that its integrity can be demonstrated later.
Evidence Collection and Acquisition in Wired Networks
Wired networks refer to networks where data is transmitted through physical cables (e.g., Ethernet). In wired network
environments, evidence collection generally focuses on monitoring network traffic, capturing system logs, and
examining the devices and storage media that are part of the network infrastructure.

a. Network Device Inspection

● Routers and Switches: These devices act as central points through which network traffic flows. Routers often
maintain detailed logs of network traffic, IP addresses, source and destination port numbers, connection
attempts, and other network activity. This data can be crucial in identifying unusual patterns or unauthorized
connections.
Example: Logs from a router might show a series of failed login attempts from an external IP address, which
could indicate an attempted intrusion.
● Firewalls: Firewalls typically log both allowed and denied network traffic. These logs can provide detailed
information about what types of traffic are coming in and out of the network. Forensic investigators can
examine firewall logs to identify anomalous traffic or potential attack attempts.
Example: A spike in failed connection attempts in the firewall log could indicate a brute-force attack against the
network.
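The brute-force pattern in the example above can be checked mechanically. The following is an added example, not part of the original slides: a sliding-window detector in Python that parses a constructed firewall log (the one-line-per-decision layout, the host name fw01 and the addresses are all assumptions) and raises an alert when one source accumulates a threshold of DENY events against the same destination port within a window. Malformed lines are counted rather than allowed to abort the run, which matters when a log has been partially overwritten or truncated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real firewall output. The "action proto src -> dst"
# layout is an assumption; real vendors (iptables, ASA, PAN-OS) differ, so only
# LINE_RE and parse_line() need to change for another format.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z fw01 DENY TCP 203.0.113.5:51515 -> 10.0.0.8:22
2024-03-01T10:00:02Z fw01 DENY TCP 203.0.113.5:51516 -> 10.0.0.8:22
2024-03-01T10:00:03Z fw01 ALLOW TCP 198.51.100.7:40001 -> 10.0.0.8:443
2024-03-01T10:00:05Z fw01 DENY TCP 203.0.113.5:51517 -> 10.0.0.8:22
2024-03-01T10:00:06Z fw01 DENY TCP 192.0.2.9:33000 -> 10.0.0.8:22
2024-03-01T10:00:08Z fw01 DENY TCP 203.0.113.5:51518 -> 10.0.0.8:22
2024-03-01T10:00:09Z fw01 DENY TCP 203.0.113.5:51519 -> 10.0.0.8:22
2024-03-01T10:00:11Z fw01 DENY TCP 203.0.113.5:51520 -> 10.0.0.8:22
2024-03-01T10:03:00Z fw01 DENY TCP 192.0.2.9:33001 -> 10.0.0.8:22
this line is corrupt and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) "
    r"(?P<action>ALLOW|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return one log record as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (src, dst, dport) tuples that reach `threshold` DENY events inside `window`.

    Returns (alerts, skipped): one alert per tuple, plus the number of unparsable lines.
    """
    recent = defaultdict(deque)   # key -> timestamps of DENY events still inside the window
    alerted, alerts, skipped = set(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["action"] != "DENY":
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        dq = recent[key]
        dq.append(rec["ts"])
        while dq and rec["ts"] - dq[0] > window:   # expire events older than the window
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": key[0], "dst": key[1], "dport": key[2], "count": len(dq),
                           "first": dq[0].isoformat(), "last": rec["ts"].isoformat()})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_bruteforce(SAMPLE_LOG)
    for a in found:
        print(f"{a['src']} -> {a['dst']}:{a['dport']} denied {a['count']}x between {a['first']} and {a['last']}")
    print(f"{bad} unparsable line(s) skipped")
```

Tune the threshold and window to the environment; each alert carries the first and last timestamps of the window so the finding can be tied back to the original log lines during evidence review.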

b. Traffic Capture and Analysis

● Packet Sniffing and Network Traffic Analysis: Tools like Wireshark and tcpdump allow forensic
investigators to capture the packets traveling across the network (NetFlow, covered below, records
flow summaries rather than full packets). Capturing raw packets can provide insights into:
■ Source/Destination IPs: Identifying the source and destination of suspicious traffic.

■ Protocol Used: Understanding what protocols are in use (e.g., HTTP, FTP, SSH, etc.).

■ Payloads and Metadata: Analyzing the data portion of the packets can sometimes reveal
unauthorized communications or malicious content.

■ Example: By examining the payload of a packet, investigators might discover that sensitive data
like credit card numbers or passwords are being exfiltrated.

● Flow Data:

○ NetFlow and sFlow are technologies used for gathering traffic flow data. These protocols provide
summary information about traffic patterns, including source and destination IPs, ports, and the volume
of data transferred. This data is typically stored in flow records and can be analyzed to understand large-
scale network activity.

■ Example: Investigators can use flow data to detect large amounts of data being transferred from an
internal server to an external IP address, which might indicate data exfiltration.
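Flow records make both the exfiltration example above and the port-scan indicator (many distinct destination ports reached with tiny flows from one source) straightforward to compute. The following is an added example, not from the original slides: it aggregates constructed NetFlow-style records (the addresses, byte counts and the RFC 1918 definition of "internal" are assumptions) to find internal hosts sending an unusual volume to a single external address, and sources that touch many ports on one host with tiny flows.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records (5-tuple plus byte count); not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.0.50", "dst": "203.0.113.77", "sport": 50123, "dport": 443, "proto": 6, "bytes": 120_000_000},
    {"src": "10.0.0.50", "dst": "203.0.113.77", "sport": 50124, "dport": 443, "proto": 6, "bytes": 95_000_000},
    {"src": "10.0.0.50", "dst": "203.0.113.77", "sport": 50125, "dport": 443, "proto": 6, "bytes": 90_000_000},
    {"src": "10.0.0.20", "dst": "198.51.100.10", "sport": 40001, "dport": 443, "proto": 6, "bytes": 4_500},
    # Large internal-to-internal transfer: noisy, but not exfiltration by this check
    {"src": "10.0.0.20", "dst": "10.0.0.8", "sport": 40002, "dport": 445, "proto": 6, "bytes": 800_000_000},
]
# One external host probing 30 ports on one server with tiny flows (port scan)
SAMPLE_FLOWS += [
    {"src": "198.51.100.200", "dst": "10.0.0.8", "sport": 60000 + p, "dport": p, "proto": 6, "bytes": 60}
    for p in range(1, 31)
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check; replace with the organisation's real address plan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_exfiltration(flows, byte_threshold=100_000_000):
    """Sum bytes per (internal src -> external dst) and return pairs over the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    hits = [{"src": s, "dst": d, "bytes": b} for (s, d), b in totals.items() if b >= byte_threshold]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


def find_port_scans(flows, min_ports=20, max_bytes_per_flow=200):
    """Return (src, dst) pairs where small flows reached at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["bytes"] <= max_bytes_per_flow:   # a scan probe carries almost no data
            ports[(f["src"], f["dst"])].add(f["dport"])
    scans = [{"src": s, "dst": d, "distinct_ports": len(p)}
             for (s, d), p in ports.items() if len(p) >= min_ports]
    return sorted(scans, key=lambda r: r["src"])


if __name__ == "__main__":
    for h in find_exfiltration(SAMPLE_FLOWS):
        print(f"possible exfiltration: {h['src']} -> {h['dst']} {h['bytes'] / 1e6:.0f} MB")
    for s in find_port_scans(SAMPLE_FLOWS):
        print(f"possible port scan: {s['src']} -> {s['dst']} {s['distinct_ports']} ports")
```

The exfiltration check sums across flows because a transfer split over many connections (or many NetFlow export intervals) is still one transfer; a per-flow threshold would miss it.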

c. Logs from Network Devices

● Device Logs: Routers, switches, servers, and other network devices generate logs that contain timestamps, IP
addresses, traffic patterns, and error messages. These logs are extremely useful for tracking down potential
incidents and understanding what happened at each device.
■ Example: A switch log might show the same MAC address moving between ports (MAC flapping) or a
port-security violation on an access port, which could point to a spoofed or unauthorized device.
● Application Logs: Logs from specific applications such as web servers (Apache, Nginx), database servers
(MySQL, MSSQL), or authentication systems (e.g., RADIUS) are critical in digital forensics. For example:
■ Web Server Logs: Can show unauthorized login attempts, failed script executions, or exploitation
of known vulnerabilities.
■ Database Logs: Can show suspicious queries or abnormal activity, like bulk data exports or access
from unusual IP addresses.
■ Example: A database log might show unauthorized SQL queries attempting to extract sensitive
customer data.

d. File Systems and Storage Devices

● Hard Drive Imaging:


○ When examining devices connected to the network, forensic investigators often create bit-for-bit copies
of hard drives or storage media. These images are analyzed for evidence without modifying the original
data.
○ Disk imaging is essential to ensure that data integrity is maintained. Specialized tools like EnCase, FTK
Imager, or dd (in Linux) are commonly used for this purpose.
■ Example: If an attacker modified or deleted files after an intrusion, the forensic image of the hard
drive can help recover deleted files or uncover evidence of malicious activity.
● Filesystem Analysis:
○ Once a disk image is created, investigators can examine the filesystem for anomalies, such as suspicious
files, hidden directories, or malware.
○ File recovery techniques can sometimes reveal deleted files that may have been tampered with or deleted
after an attack.
Evidence Collection and Acquisition in Wireless Networks

a. Wireless Access Point (WAP) Logs

● Wireless Access Point (WAP) Logs:


○ Wireless routers or access points maintain logs of connected devices, including the MAC addresses
of devices, connection attempts, and authentication details.
○ These logs can be used to trace the connection history of specific devices or identify unauthorized
access.
○ Example: A WAP log might show an unauthorized device attempting to connect to the network
multiple times with different MAC addresses, indicating a potential attacker trying to spoof a
legitimate device.

b. Wireless Traffic Capture

● Packet Sniffing on Wireless Networks:


○ Wireless traffic can be captured using tools like Kismet, Aircrack-ng, or Wireshark in monitor mode.
Wireless traffic includes various types of frames, such as:
■ Management Frames: Indicate the presence of networks and devices, as well as
connection/disconnection events.
■ Data Frames: Carry actual data being transmitted between devices and access points.
■ Control Frames: Ensure proper communication, like request-to-send or clear-to-send signals.
○ Tools like Aircrack-ng can also be used to recover a WPA2-PSK passphrase by dictionary attack if
investigators capture the four-way handshake between a device and the access point. This is only
appropriate on networks the investigator is authorized to examine, and it does not apply to
WPA2-Enterprise (802.1X) networks, where the session keys are not derived from a shared passphrase.
■ Example: Capturing the four-way handshake during the Wi-Fi authentication process can allow
investigators to attempt to recover the network key; that key, together with the handshake, is also
what Wireshark needs to decrypt the captured data frames of that session.

c. Signal Strength and Source Tracing

● Wireless Signal Mapping:


○ Wireless networks can be surveyed with tools like Kismet, inSSIDer or the older NetStumbler to
measure signal strength and map out the approximate physical location of wireless access points and
devices. This is particularly useful in physical security investigations or when trying to locate
rogue devices.
○ Example: If a network intrusion is suspected, signal mapping can help narrow down the physical
location of an attacker's device in a building, based on the strength of its Wi-Fi signal measured
from several points.

d. Tracking Rogue Access Points and Devices

● Rogue AP Detection: A rogue access point is an unauthorized device pretending to be a legitimate access point.
Tools like Kismet and Wireshark can detect rogue APs by identifying anomalies such as:
■ A sudden appearance of an AP with the same SSID as the legitimate network.
■ Devices connecting to unauthorized APs.
■ Example: If an attacker sets up a rogue AP to capture sensitive data (e.g., a man-in-the-middle
attack), identifying this rogue AP is critical.
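Rogue AP detection as described above reduces to comparing what is seen on the air against an inventory. The following is an added example, not from the original slides or from Kismet/Wireshark: it takes constructed beacon and association records (of the kind one would export from a Kismet log or a Wireshark monitor-mode capture; the SSID, BSSIDs and client MACs are assumptions) plus an inventory of authorised BSSIDs per SSID, reports BSSIDs that beacon a corporate SSID without being in the inventory (evil twins), and lists clients associated with any BSSID that is not authorised.

```python
# Constructed inventory and observations (not real captures). In practice the
# beacon and association records come from Kismet or a Wireshark monitor-mode
# capture (beacon frames carry the SSID/BSSID; association frames tie a client to a BSSID).
AUTHORIZED_APS = {  # SSID -> BSSIDs the organisation actually operates
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

BEACONS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "channel": 6, "rssi": -45},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorpWiFi", "channel": 11, "rssi": -60},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpWiFi", "channel": 6, "rssi": -30},  # same SSID, unknown BSSID
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "CorpWiFi", "channel": 6, "rssi": -31},  # repeat beacon
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CoffeeShop", "channel": 1, "rssi": -80},
]

ASSOCIATIONS = [
    {"client": "f0:f0:f0:00:00:10", "bssid": "00:11:22:33:44:01"},
    {"client": "f0:f0:f0:00:00:11", "bssid": "de:ad:be:ef:00:01"},
    {"client": "f0:f0:f0:00:00:12", "bssid": "aa:bb:cc:dd:ee:ff"},
]


def norm_mac(mac):
    """Tools print MACs in mixed case and with ':' or '-'; compare them in one form."""
    return mac.strip().lower().replace("-", ":")


def authorized_bssids(authorized):
    return {norm_mac(b) for bssids in authorized.values() for b in bssids}


def find_evil_twins(beacons, authorized):
    """BSSIDs that beacon an SSID we operate but are not in the inventory."""
    twins = {}
    for b in beacons:
        bssid = norm_mac(b["bssid"])
        known = {norm_mac(m) for m in authorized.get(b["ssid"], ())}
        if b["ssid"] in authorized and bssid not in known:
            t = twins.setdefault(bssid, {"bssid": bssid, "ssid": b["ssid"],
                                         "channel": b["channel"], "best_rssi": b["rssi"]})
            t["best_rssi"] = max(t["best_rssi"], b["rssi"])   # strongest sighting helps locate it
    return sorted(twins.values(), key=lambda t: t["bssid"])


def clients_on_unauthorized_aps(associations, beacons, authorized):
    """Clients associated with any BSSID that is not in the inventory, evil twin or not."""
    ssid_of = {norm_mac(b["bssid"]): b["ssid"] for b in beacons}
    twins = {t["bssid"] for t in find_evil_twins(beacons, authorized)}
    ok = authorized_bssids(authorized)
    out = []
    for a in associations:
        bssid = norm_mac(a["bssid"])
        if bssid in ok:
            continue
        out.append({"client": norm_mac(a["client"]), "bssid": bssid,
                    "ssid": ssid_of.get(bssid, "<unknown>"), "evil_twin": bssid in twins})
    return sorted(out, key=lambda r: r["client"])


if __name__ == "__main__":
    for t in find_evil_twins(BEACONS, AUTHORIZED_APS):
        print(f"evil twin {t['bssid']} advertising {t['ssid']} on ch {t['channel']} (best RSSI {t['best_rssi']})")
    for r in clients_on_unauthorized_aps(ASSOCIATIONS, BEACONS, AUTHORIZED_APS):
        print(f"client {r['client']} on unauthorised AP {r['bssid']} ({r['ssid']}, evil twin: {r['evil_twin']})")
```

The inventory has to be current: a newly installed legitimate AP shows up as an evil twin until it is added, so pair this check with the change records for the wireless estate.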
Intrusion Detection Systems
The network intruder or attacker has traditionally been able to boast of
a certain amount of skill, unlike the cyber scam artist who needs to
know only enough about computers to send mass e-mail, or an attacker
whose technical know-how is limited to uploading and downloading files.
Intrusion detection systems (IDSs) help information systems prepare
for and deal with attacks. They accomplish this by collecting
information from a variety of systems and network sources, and then
analyzing the information for possible security problems.
Offerings of Intrusion Detection System

The IDS can offer the following:

1. Add a greater degree of integrity to the rest of your infrastructure.
2. Recognize and report alterations to data.
3. Trace user activity from the point of entry to the point of impact.
4. Automate the task of monitoring the Internet for the latest attacks.
5. Detect errors in your system configuration.
6. Sense when your system is under attack.
7. Make the security management of your system possible for non-expert staff.
8. Guide the system administrator in the crucial step of establishing a security policy for
your computing assets.
Types of Intrusion Detection Systems
1. Active IDS: Also called an Intrusion Detection and Prevention System (IDPS).
A system configured to automatically block suspected attacks in progress, without any
intervention by an operator, is called an active IDS. It has the advantage of providing
real-time corrective action in response to an attack, but it also has disadvantages: a rule that
produces false positives will block legitimate traffic, and an attacker who can trigger such a
rule can turn the IDS itself into a denial-of-service tool.

2. Passive IDS: A system configured only to observe and analyze network traffic and alert an
operator to potential vulnerabilities and attacks is called a passive IDS. It cannot perform any
protective or corrective function on its own; it only detects and alerts.

3. Network-Based IDS: A network-based IDS can be a dedicated hardware appliance or an
application running on a computer attached to the network. It observes all the traffic on a
network segment or passing through an entry point (e.g., an Internet connection). The network
interface card (NIC) of a network-based IDS operates in promiscuous mode, which means it picks
up all the traffic on the medium even when the IDS is not the destination address. On a switched
network it must be fed from a SPAN/mirror port or a network tap, because a switch otherwise
delivers frames only to their destination port.
4. Host-Based IDS:
A host-based IDS is generally a software agent installed on a system that observes activity
only on that local system. It communicates directly with the operating system and has no
visibility into low-level network traffic. Most host-based IDSs rely on audit and system log
files to detect intrusions.

5. Knowledge-Based IDS (Signature Based): Knowledge-based IDSs, also known as
signature-based, rely on a database of known attack signatures. They examine the data closely
and try to match it to a signature pattern in that database. Their effectiveness is therefore
limited to known attack methods; this is the main weakness of a knowledge-based IDS.

6. Behavior-Based IDS (Anomaly Based): A behavior-based IDS references a baseline or
learned pattern of normal system activity to recognize active intrusion attempts.
Behavior-based intrusion detection is also known as anomaly-based or statistical-based
intrusion detection. As the name suggests, a behavior-based IDS observes traffic and system
activity for uncommon behavior: statistically significant deviations from the baseline.
Understanding Network Intrusions and Attacks
1. Intrusions versus Attacks
It is important for investigators to distinguish between an intrusion (an actual unauthorized entry
into the network or system) and an attack (an attempt, which may or may not have succeeded),
because whether or not a real unauthorized entry occurred can be a significant element in proving
a criminal offense.

2. Recognizing Direct versus Distributed Attacks: A direct attack is launched from a computer used
by the attacker (often after pre-attack tools, such as port scanners, are used to find potential
victims). A distributed attack is more complex. It involves multiple victims: not only the target of
the attack, but also the intermediary remote systems, controlled by the attacker, from which the
attack is launched.

3. Automated Attacks: Attacks carried out by a computer program rather than by the attacker
personally performing each phase of the attack sequence are called automated attacks.

4. Accidental Attacks: Sometimes intrusions and attacks really are unintentional. The user who
appears to have sent a virus via e-mail is frequently a victim of the attack himself/herself.
In numerous cases, large numbers of virus infections are introduced accidentally or unknowingly.
Even where a lower degree of culpability is present, some acts are still considered criminal.
5. Preventing Intentional Internal Security Breaches
A security breach is an event that gives unauthorized access to data, applications, services,
networks and/or devices by bypassing their core security mechanisms. It happens when an
individual or an application illegally enters a private, confidential, or otherwise unauthorized
logical IT perimeter.
Internal attackers are more hazardous for several reasons:
a. People inside the network generally know more about the company, the network, the
layout of the buildings, normal working processes, and other information that makes it easier
for them to gain access without being noticed.
b. Internal attackers generally have at least some degree of legitimate access and may find it
easy to obtain passwords and locate weaknesses in the current security system.
c. Internal attackers know which activities will cause the most damage and what information is on
the network.

6. Preventing Unauthorized External Intrusions

Unauthorized intrusion can be defined as an attack in which an external attacker gains access to the
system by means of different hacking or cracking techniques.
Analysis of Network Evidences for IDS
IDS relies on different types of network evidence to detect anomalies and threats:

● Packet Captures (PCAPs): Full packet data provides insight into communication patterns and
payload details.
● Flow Data (NetFlow, IPFIX): Summarized metadata of network traffic, including
source/destination IPs, ports, protocols, and byte counts.
● Log Files: Firewall, proxy, and system logs offer context on network interactions.
● Deep Packet Inspection (DPI): Examines payloads for malicious signatures and anomalies.
● Host-Based Data: Host-based IDSs (HIDS) analyze system logs, file integrity, and running
processes for suspicious activity.

Key artifacts and patterns that suggest an intrusion:

● Unusual Traffic Spikes: Large data transfers may indicate data exfiltration.
● Port Scanning Activity: Multiple connection attempts to various ports can signal reconnaissance.
● Spoofed or Anomalous IP Addresses: Traffic from unexpected geolocations.
● Malformed Packets: Packets that deviate from protocol standards.
● Repeated Failed Login Attempts: Brute-force attack indicators.
● Command & Control (C2) Traffic: Encrypted or obfuscated connections to external servers.
Techniques for Analyzing Network Evidence
IDS uses various methodologies to analyze network evidence and detect intrusions:

A. Signature-Based Detection

● Compares network traffic against known attack signatures (rule sets such as those used by Snort and Suricata).
● Strength: Effective for identifying known threats.
● Weakness: Cannot detect novel attacks.

B. Anomaly-Based Detection

● Uses machine learning and statistical models to identify deviations from normal network behavior.
● Strength: Can detect previously unseen (zero-day) attacks, since it needs no signature.
● Weakness: Prone to false positives.

C. Behavioral Analysis

● Establishes baseline user and device behavior to detect irregular patterns.


● Example: Unusual login times, excessive failed authentication attempts.

D. Heuristic Detection

● Uses rule-based approaches to identify patterns that resemble suspicious activity.


● Example: Detecting DNS tunneling by analyzing domain request frequency.
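The DNS-tunneling heuristic mentioned above is worth seeing end to end. The following is an added example, not from the original slides: it profiles a constructed DNS query log (the client addresses, domain names and thresholds are assumptions; the tunnel-like queries are generated from SHA-256 output so they look like encoded payload) per client and registered domain, computing query count, average subdomain length, the share of never-repeated subdomains, character entropy and the share of TXT/NULL queries, then flags profiles that exceed all thresholds. The registered-domain split takes the last two labels, which is wrong for suffixes like co.uk; use the Public Suffix List in production.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log as (client_ip, qname, qtype) tuples; not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "api.example.com", "AAAA"),
    ("10.0.0.5", "cdn.example.net", "A"),
]
# Tunnel-like traffic: 40 long, high-entropy, never-repeated labels under one domain.
SAMPLE_QUERIES += [
    ("10.0.0.9", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48] + ".t.tunnel-example.org", "TXT")
    for i in range(40)
]


def split_name(qname):
    """Approximate (registered domain, subdomain) as the last two labels and the rest.

    Assumption: adequate for .com/.org; a Public Suffix List lookup is needed for co.uk etc.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character; encoded payload approaches log2(alphabet size), words do not."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def profile_queries(queries):
    """One profile per (client, registered domain) with the tunnel indicators."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        domain, sub = split_name(qname)
        groups[(client, domain)].append((sub, qtype.upper()))
    profiles = []
    for (client, domain), items in groups.items():
        subs = [s for s, _ in items]
        profiles.append({
            "client": client, "domain": domain, "queries": len(items),
            "avg_sub_len": sum(map(len, subs)) / len(subs),
            "unique_ratio": len(set(subs)) / len(subs),      # tunnels never repeat a label
            "entropy": shannon_entropy("".join(subs).replace(".", "")),
            "txt_null_ratio": sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items),
        })
    return profiles


def flag_tunnels(profiles, min_queries=20, min_avg_len=30, min_entropy=3.5, min_unique=0.9):
    """Require every indicator at once to keep CDNs and long-but-repetitive names out."""
    return [p for p in profiles
            if p["queries"] >= min_queries and p["avg_sub_len"] >= min_avg_len
            and p["entropy"] >= min_entropy and p["unique_ratio"] >= min_unique]


if __name__ == "__main__":
    for p in flag_tunnels(profile_queries(SAMPLE_QUERIES)):
        print(f"{p['client']} -> {p['domain']}: {p['queries']} queries, avg label {p['avg_sub_len']:.0f}, "
              f"entropy {p['entropy']:.2f}, TXT/NULL share {p['txt_null_ratio']:.0%}")
```

Thresholds need tuning against the site's own resolver logs, and the profile should be computed per time window (for example hourly) rather than over an entire capture, because a tunnel's request rate is itself an indicator.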
Analysis of Network Evidences for Routers
• Routers are of interest to investigators both as targets of attack and as stepping
stones for attackers.
• To allow investigators to resolve complex network incidents, routers can provide valuable
information and evidence.
• Routers lack the data storage and functionality of many of the other technologies examined
elsewhere in this course, and thus they are less likely to be the ultimate target of attacks.
• During network penetrations, routers are more likely to be springboards for attackers.
• The information stored on routers, such as passwords, routing tables, and network block
information, makes routers a valuable first step for attackers bent on penetrating internal
networks.
1. Obtaining Volatile Data Prior to Powering Down
• Establishing a Router Connection (preferably over the console port, so that the investigator's
own session does not add to the network traffic under examination; a remote session should at
least be encrypted)
• Saving the Router Configuration (record the running and startup configuration, routing table,
ARP cache, interface statistics, active sessions, logging buffer and the router's clock, since most
of this state lives in RAM and is lost on reboot)

2. Finding the Proof


We categorize the types of incidents that involve routers as:
a. Direct compromise
b. Routing table manipulation
c. Theft of information
d. Denial of service
1. Direct Compromise: This occurs when an attacker gains unauthorized
access to the router itself, allowing them to control or manipulate its settings.
🔹 Methods of Attack:
● Exploiting weak or default credentials
● Exploiting vulnerabilities in router firmware
● Installing malware or backdoors
● Unauthorized configuration changes
🔹 Impact:
● Full control over network traffic
● Ability to alter security policies
● Creation of persistent access for future attacks
🔹 Examples:
● A hacker brute-forcing the router’s admin credentials
● A remote code execution vulnerability being exploited
2. Routing Table Manipulation: Attackers modify the router’s routing table to
misdirect traffic, causing network disruptions or enabling attacks like traffic interception.
🔹 Methods of Attack:
● BGP Hijacking: Manipulating Border Gateway Protocol (BGP) routes to redirect
traffic
● ARP Spoofing: Altering Address Resolution Protocol (ARP) tables to mislead devices
● OSPF Manipulation: Exploiting Open Shortest Path First (OSPF) protocol to inject
fake routes
🔹 Impact:
● Traffic redirection for surveillance or censorship
● Disrupting network connectivity
● Enabling man-in-the-middle (MITM) attacks
🔹 Examples:
● An attacker injecting false BGP routes to hijack traffic
● A rogue device sending ARP spoofing packets to reroute data
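ARP spoofing of the kind listed above leaves traces in the router's ARP cache, which is one of the volatile items to collect before anything is powered down. The following is an added example, not from the original slides or from Cisco: it parses constructed output in the layout of Cisco IOS `show ip arp` (the addresses, MACs and the baseline of expected MAC per IP are assumptions) and reports one MAC bound to several IPs on the same interface, and IPs whose MAC differs from the baseline. One MAC serving several IPs is also what proxy ARP or a first-hop-redundancy virtual MAC looks like, so each finding needs confirming against the network design.

```python
import re
from collections import defaultdict

# Constructed output in the Cisco IOS `show ip arp` layout; not from a real device.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  10.0.0.20               3   00aa.bbcc.dd01  ARPA   GigabitEthernet0/1
Internet  10.0.0.21               7   00aa.bbcc.dd02  ARPA   GigabitEthernet0/1
Internet  10.0.0.254              1   00aa.bbcc.dd02  ARPA   GigabitEthernet0/1
Internet  192.168.1.1             -   0011.2233.4466  ARPA   GigabitEthernet0/2
"""

# Assumed baseline from the CMDB: the MAC that 10.0.0.254 (a file server) should have.
BASELINE = {"10.0.0.254": "00aa.bbcc.ddfe"}

ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>[\d.]+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(?P<type>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_show_ip_arp(text):
    """Return one dict per ARP entry; age '-' marks the router's own interface addresses."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            e = m.groupdict()
            e["mac"] = e["mac"].lower()
            e["local"] = e["age"] == "-"
            entries.append(e)
    return entries


def find_arp_anomalies(entries, baseline):
    """Duplicate MACs per interface (excluding the router's own) and baseline mismatches."""
    findings = []
    by_mac = defaultdict(list)
    for e in entries:
        if not e["local"]:
            by_mac[(e["iface"], e["mac"])].append(e["ip"])
    for (iface, mac), ips in by_mac.items():
        if len(ips) > 1:
            findings.append({"kind": "duplicate_mac", "iface": iface, "mac": mac, "ips": sorted(ips)})
    observed = {e["ip"]: e["mac"] for e in entries}
    for ip, expected in baseline.items():
        seen = observed.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append({"kind": "baseline_mismatch", "ip": ip,
                             "expected": expected.lower(), "observed": seen})
    return findings


if __name__ == "__main__":
    for f in find_arp_anomalies(parse_show_ip_arp(SHOW_IP_ARP), BASELINE):
        print(f)
```

Save the raw `show ip arp` text itself as evidence, with its hash and the router clock reading taken at the same time; the parsed findings are analysis, the text is the artifact.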
3. Theft of Information: Involves unauthorized interception or extraction of sensitive
data passing through the router.
🔹 Methods of Attack:
● Packet Sniffing: Capturing unencrypted network traffic
● Man-in-the-Middle (MITM) Attacks: Intercepting communications between
users and servers
● DNS Hijacking: Redirecting users to malicious sites
● Exfiltrating router configuration files containing passwords and keys
🔹 Impact:
● Theft of credentials, personal data, or financial information
● Eavesdropping on corporate or government networks
● Loss of privacy and security
🔹 Examples:
● A compromised router capturing unencrypted traffic
● DNS hijacking redirecting users to fake banking websites
4. Denial of Service (DoS) Attacks: Attackers overload the router with excessive
traffic or exploit vulnerabilities to make it unresponsive.

🔹 Methods of Attack:

● DDoS (Distributed Denial of Service): Flooding the router with massive traffic
● TCP SYN Floods: Overloading connection requests
● Exploiting Firmware Bugs: Triggering crashes through malformed packets

🔹 Impact:

● Network downtime or significant slowdown


● Disruptions to business operations
● Resource exhaustion leading to security gaps

🔹 Examples:

● A botnet launching a DDoS attack against an ISP’s core router


● A vulnerability in router firmware causing repeated crashes under attack
Challenges in Network forensics
1. High Volume & Speed of Network Traffic:
Challenge: Large-scale networks generate massive amounts of data, making it
difficult to capture and analyze all packets in real-time.
🔹 Examples:
● High-speed enterprise networks handling gigabits or terabits of data per
second.
● Cloud environments with dynamic network traffic and auto-scaling
services.
🔹 Possible Solutions:
● Packet sampling instead of full capture.
● AI & machine learning to detect anomalies.
● SIEM (Security Information and Event Management) tools for
centralized monitoring.
2. Encryption & Secure Protocols
🔹 Challenge: Increasing use of encryption prevents forensic analysts from
inspecting packet contents.
🔹 Examples:
● HTTPS, TLS 1.3, VPNs encrypt data-in-transit.
● End-to-end encryption (E2EE) in messaging apps (e.g., Signal,
WhatsApp).
● Dark Web & Tor Networks hide malicious activities.
🔹 Possible Solutions:
● Decryption with lawful access (TLS interception proxies in corporate environments; with
TLS 1.3 and forward-secret cipher suites a passively captured session cannot be decrypted
afterwards with the server's private key alone, so interception must be in-line or session keys
must be exported from an endpoint).
● Traffic pattern analysis (detect anomalies without decrypting).
● Endpoint forensics (analyze decrypted data on client devices).
4. Lack of Standardization in Logs & Data Formats
🔹 Challenge: Different network devices (firewalls, routers, IDS/IPS,
servers) generate logs in different formats, making correlation difficult.
🔹 Examples:
● Syslog, JSON, XML, CSV formats require conversion before analysis.
● Proprietary log formats from vendors like Cisco, Palo Alto etc.

🔹 Possible Solutions:
● Log aggregation tools (Splunk, ELK Stack).
● Standardized log formats (Common Event Format - CEF).
● Automated log parsing & normalization.
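Normalization, as recommended above, is the step that makes cross-device correlation possible. The following is an added example, not from the original slides or from any of the tools named: it parses three constructed events, an iptables-style syslog line, a JSON proxy record and a CSV IDS record (the field names, host names and addresses are assumptions), into one schema, orders them into a timeline, and renders an event as a Common Event Format (CEF) line with the header and extension escaping the format requires. Syslog timestamps carry no year, so the year is supplied explicitly.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample events, one per source format (not real logs).
SYSLOG_LINE = "Mar  1 10:00:05 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 PROTO=TCP DPT=22"
JSON_LINE = ('{"timestamp": "2024-03-01T10:00:07Z", "device": "proxy01", "client_ip": "10.0.0.20", '
             '"dest_ip": "198.51.100.10", "action": "allow", "url": "http://198.51.100.10/update.bin"}')
CSV_LINE = "2024-03-01 10:00:06,ids01,203.0.113.5,10.0.0.8,alert,SSH brute force attempt"

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_syslog(line, year=2024):
    """RFC 3164 timestamps have no year, so it is an explicit assumption here."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    kv = dict(KV_RE.findall(m["msg"]))
    action = m["msg"].split(":", 1)[1].split()[0].lower() if ":" in m["msg"] else "unknown"
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": m["host"], "src_ip": kv.get("SRC"),
            "dst_ip": kv.get("DST"), "action": action, "message": m["msg"]}


def parse_json(line):
    d = json.loads(line)
    ts = datetime.strptime(d["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": d["device"], "src_ip": d.get("client_ip"), "dst_ip": d.get("dest_ip"),
            "action": d.get("action", "unknown").lower(), "message": d.get("url", "")}


def parse_csv(line):
    ts_s, host, src, dst, action, msg = next(csv.reader(io.StringIO(line)))
    ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": host, "src_ip": src, "dst_ip": dst, "action": action.lower(), "message": msg}


def build_timeline(events):
    """Merge normalized events from any source into one time-ordered list."""
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])


def cef_escape(value, header=False):
    # CEF: header fields escape '|' and '\', extension values escape '=' and '\'.
    s = str(value).replace("\\", "\\\\")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")


def to_cef(event, severity=5):
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = "|".join(cef_escape(x, header=True) for x in
                      ("ForensicsLab", "LogNormalizer", "1.0", event["action"],
                       f"{event['source']} {event['action']}", severity))
    fields = (("rt", int(event["ts"].timestamp() * 1000)), ("dvc", event["source"]),
              ("src", event["src_ip"]), ("dst", event["dst_ip"]), ("msg", event["message"]))
    ext = " ".join(f"{k}={cef_escape(v)}" for k, v in fields if v is not None)
    return f"CEF:0|{header}|{ext}"


if __name__ == "__main__":
    for e in build_timeline([parse_syslog(SYSLOG_LINE), parse_json(JSON_LINE), parse_csv(CSV_LINE)]):
        print(to_cef(e))
```

Converting every timestamp to UTC at parse time is what makes the sort meaningful; devices that log in local time, or whose clocks drift, are the usual reason a merged timeline looks wrong, so record each device's time offset during collection.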
5. Real-Time Analysis & Response Constraints
🔹 Challenge: Detecting and stopping cyberattacks in real-time is difficult due
to processing delays.
🔹 Examples:
● Zero-day attacks require instant detection & mitigation.
● Advanced Persistent Threats (APTs) operate stealthily over long
periods.
🔹 Possible Solutions:
● Intrusion Detection & Prevention Systems (IDS/IPS).
● Automated response mechanisms (e.g., blocking malicious IPs
dynamically).
● Threat hunting to proactively identify hidden threats.
Tools used in network forensics.
1. Packet Sniffers & Traffic Analyzers: Packet sniffers capture and analyze network traffic to
help identify security threats, anomalies, and malicious activities.

Wireshark

Description:
● A powerful open-source packet analyzer used for deep network inspection.
● Captures real-time traffic and allows forensic investigators to analyze packets at a granular
level.
Key Features:
✔ Live packet capture and offline analysis.
✔ Supports various network protocols (TCP, UDP, HTTP, etc.).
✔ Offers filtering, coloring, and statistical analysis.
✔ Available on Windows, macOS, and Linux.
Use Case: Detecting suspicious network activity (e.g., malware communication).
● Investigating unauthorized data exfiltration.
Tcpdump

📌 Description:

● A command-line packet sniffer for UNIX/Linux systems.

● Lightweight and efficient, often used for quick network diagnostics.

📌 Key Features:
✔ Captures packets in real time.
✔ Uses BPF (Berkeley Packet Filter) for efficient filtering.
✔ Saves packet logs in pcap format for later analysis.

📌 Use Case:

● Analyzing network traffic remotely using SSH.

● Filtering packets to identify specific threats.


Intrusion Detection & Prevention Systems (IDS/IPS): These
tools detect and prevent suspicious activities in a network.

🔹 Snort
📌 Description:
● An open-source intrusion detection and prevention system (IDS/IPS), originally written by
Martin Roesch and now maintained by Cisco.
● Uses signature-based and anomaly-based detection techniques.
📌 Key Features:
✔ Detects malware, port scans, and DoS attacks.
✔ Uses custom rule sets to detect suspicious traffic.
✔ Can be integrated with SIEM (Security Information and Event Management) tools.
📌 Use Case:
● Detecting intrusion attempts on enterprise networks.
● Preventing exploits of known vulnerabilities.
Log Analysis Tools: Log analysis tools help collect, analyze, and visualize network logs for
forensic investigations.

🔹 ELK Stack (Elasticsearch, Logstash, Kibana)


📌 Description:
● A powerful open-source log management and analysis suite.
● Used for real-time log monitoring and visualization.
📌 Key Features:
✔ Logstash collects and processes logs.
✔ Elasticsearch stores and indexes data.
✔ Kibana visualizes logs in dashboards.
📌 Use Case:
● Identifying patterns in network activity.
● Monitoring security logs for intrusion attempts.
Digital Forensic Suites: These tools help investigate cybercrime incidents by collecting
and analyzing forensic evidence.

🔹 Autopsy
📌 Description:
● A free and open-source digital forensic platform.
● Used by law enforcement and cybersecurity professionals.
📌 Key Features:
✔ Recovers deleted files and emails.
✔ Analyzes disk images and the file system artifacts on them.
✔ Identifies malicious artifacts in compromised systems.
📌 Use Case:
● Investigating cybercrime incidents.
● Extracting evidence from digital devices.
