Network forensics is a sub-branch of digital forensics concerned with capturing, recording and analyzing network traffic to gather evidence of security incidents and, where required, evidence that will hold up in legal proceedings. Evidence is typically collected by monitoring traffic with packet capture tools and security devices such as firewalls and intrusion detection systems, and then analyzed offline from the resulting capture files.
| Name | Platform | License | Description |
|---|---|---|---|
| Wireshark | Windows, macOS, Linux | Open Source | Network protocol analyzer and packet capture tool |
| tcpdump | Unix-like systems | Open Source | Command-line packet capture and analysis tool |
| Snort | Windows, Linux | Open Source | Intrusion detection and prevention system |
| Bro/Zeek | Unix-like systems | Open Source | Network security monitoring framework (Bro was renamed Zeek in 2018) |
| NetworkMiner | Windows | Free/Commercial | Network forensic analysis tool; extracts files, sessions and host details from PCAPs |
| Xplico | Unix-like systems | Open Source | Network forensics analysis tool |
| NetWitness | Windows, Linux | Commercial | Network forensic analysis platform |
| EnCase | Windows | Commercial | Digital forensic investigation software |
| Suricata | Unix-like systems | Open Source | High-performance network IDS, IPS and Network Security Monitoring (NSM) engine |
| Cain and Abel | Windows | Freeware | Password recovery and network sniffing tool (discontinued) |
| ngrep | Unix-like systems | Open Source | Network grep: matches regular expressions against live traffic or pcap files |
| Netcat | Unix-like systems | Open Source | Networking utility for reading from and writing to network connections |
| Nmap | Windows, macOS, Linux | Open Source | Network exploration tool and security scanner |
| Broccoli | Unix-like systems | Open Source | Bro client communications library (deprecated); lets external programs exchange events with Bro/Zeek |
| Sguil | Unix-like systems | Open Source | Network security monitoring (NSM) console |
Network forensics focuses on investigating captured network traffic (e.g., PCAP files) to identify malicious activities, breaches, or data exfiltration.
Tools and Techniques:
1. Obtain and preserve PCAP files: collect captures from intrusion detection systems (IDS), firewalls or network monitoring tools (for example Wireshark, tcpdump or Suricata). Record a cryptographic hash (e.g., SHA-256) of each file at acquisition and work on copies, so the original evidence stays unaltered and its integrity can be demonstrated later.
2. Load PCAP files for initial inspection: open them in an analysis tool such as Wireshark or NetworkMiner and filter on IP addresses, ports or protocols (e.g., HTTP, DNS).
   Example Wireshark display filters:
   - `http` (show only HTTP traffic)
   - `ip.addr == 192.168.1.10` (traffic to or from one host)
   - `dns && ip.addr == 192.168.1.10` (DNS traffic for that host only)
3. Analyze traffic behavior. Look for abnormal patterns such as:
   - Unusual connections from internal hosts to external IPs.
   - Excessive traffic volume, or protocols that are not authorized on the network.
   - Suspicious DNS queries (e.g., unusually long or high-entropy subdomains, which can indicate DNS tunnelling or DGA-generated domains).
4. Reconstruct sessions and extract artifacts: rebuild HTTP sessions or file transfers (Wireshark's Follow TCP Stream and File > Export Objects, or NetworkMiner's file extraction) to recover transferred files, emails and payloads, and to identify malware or data exfiltration.
5. Correlate with threat intelligence: compare suspicious IPs, domains, URLs and the hashes of extracted files against threat intelligence sources such as VirusTotal.
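The steps above, as an added example that is not part of the original page: a Python script that builds a small pcap in memory (three constructed DNS packets, not captured traffic), records its SHA-256 for integrity (step 1), walks the capture (step 2) and flags two of the abnormal patterns from step 3: an internal host talking to an external IP, and a DNS query whose leftmost label is long or high-entropy. The pcap writer and reader implement the classic libpcap format with link type 101 (raw IPv4) so the file also opens in Wireshark; the monitored subnet 192.168.1.0/24 and the length and entropy thresholds are assumptions chosen for the example.

```python
import hashlib
import ipaddress
import math
import struct
from collections import Counter

LINKTYPE_RAW = 101  # pcap link type for raw IPv4/IPv6 packets, no layer-2 header
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed monitored subnet


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query: 12-byte header with RD set, one question, no EDNS."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Raw IPv4 packet carrying a UDP datagram (UDP checksum left at 0, allowed over IPv4)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:] + udp


def build_pcap(packets) -> bytes:
    """Serialise packets as a little-endian classic pcap file (magic 0xa1b2c3d4, v2.4)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):  # one record header (ts_sec, ts_usec, incl_len, orig_len) per packet
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes):
    """Yield (ts_sec, packet_bytes); refuses pcapng or other link types rather than misparsing them."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_RAW:
        raise ValueError("expected little-endian classic pcap with raw IPv4 link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (uncompressed labels only)."""
    labels, off = [], 12
    while payload[off] != 0:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tunnelling/DGA labels score high, real words low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def triage(pcap: bytes) -> dict:
    """Hash the evidence, then flag external destinations and suspicious DNS names."""
    findings = {"sha256": hashlib.sha256(pcap).hexdigest(), "external_dst": set(), "suspicious_dns": []}
    for _, pkt in read_pcap(pcap):
        ihl = (pkt[0] & 0x0F) * 4
        src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
        if src in INTERNAL and dst.is_global:  # internal host -> routable external address
            findings["external_dst"].add(str(dst))
        if pkt[9] == 17 and struct.unpack(">HH", pkt[ihl:ihl + 4])[1] == 53:  # UDP to port 53
            qname = parse_dns_qname(pkt[ihl + 8:])
            first = qname.split(".")[0]
            if len(first) > 30 or shannon_entropy(first) > 3.5:  # assumed thresholds
                findings["suspicious_dns"].append(qname)
    return findings


# Constructed sample traffic (not a real capture): a normal lookup via the local resolver,
# a lookup sent straight to an external resolver, and a tunnelling-style query.
SAMPLE_PCAP = build_pcap([
    ipv4_udp("192.168.1.10", "192.168.1.1", 51000, 53, dns_query("www.example.com")),
    ipv4_udp("192.168.1.10", "8.8.8.8", 51001, 53, dns_query("mail.example.org")),
    ipv4_udp("192.168.1.10", "192.168.1.1", 51002, 53,
             dns_query("aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA.tunnel.example.net")),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP))
```

Writing `SAMPLE_PCAP` to disk and opening it in Wireshark shows the same three packets, so the flagged names can be cross-checked with a `dns` display filter; in a real investigation the hash recorded by `triage` is compared with the one taken at acquisition before any analysis starts.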
Open-Source Tools:
- Wireshark: analyze PCAP files, filter traffic and inspect protocols.
- tcpdump: command-line packet capture and filtering.
- NetworkMiner: extract artifacts (files, sessions, hosts) from PCAPs.
- Suricata: capture network traffic and generate alerts from signature and protocol analysis.
Commercial Tools: