Network forensics is “The use of scientifically proven techniques to collect, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities.”

Network forensics is basically about monitoring network traffic, determining if there is an anomaly in the traffic and whether the anomaly can be an attack. If it is an attack, the nature of the attack is also determined. Besides, capability to reconstruct or play back the network services and activities content such Email, Web Mail, Web Browsing, Upload or Download, Instant Messaging etc. is essential. The Important aspects include traffic capture, preservation, analysis and visualization of the results. Forensic specialists will understand these results and will invoke an incident response immediately. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis when dealing with a skilled attacker.

Diagram: Network Forensics Process

Decision Group E-Detective Series of Solutions - CLICK HERE