
Computer forensics: Network forensics analysis and examination steps [updated 2019]

July 6, 2019

Devices connected to networks continue to proliferate: computers, smartphones, tablets and more. As the number of attacks against networked systems grows, network forensics has become a critical discipline. To respond to an attack promptly, network forensic analysts must be able to discover and understand what the attackers did, and they do this by collecting and analyzing network traffic data. This article first introduces network forensics, then describes the types of network traffic analyzed, then surveys the types of systems used to collect traffic together with their pros and cons. Finally, it lists popular tools that can be used in a network forensic investigation.


What is network forensics?

Network forensics is the capture, recording and analysis of network traffic in order to determine the source and scope of network security incidents. Its primary goal is to collect evidence. It analyzes traffic data collected from different sites and different network equipment, such as firewalls and intrusion detection systems (IDS). It also monitors the network to detect attacks and to characterize the attacker. Network forensics is therefore also the process of detecting intrusion patterns, with a focus on attacker activity.

A generic network forensic examination includes the following steps:

Identification, preservation, collection, examination, analysis, presentation and incident response.

The following is a brief overview of each step:

Identification: recognizing and confirming that an incident has occurred, based on network indicators. This step matters because everything that follows depends on it.

Preservation: securing and isolating physical and logical evidence so that its state cannot be altered, for example by protecting storage media from electromagnetic damage or interference, and by hashing captured data so that any later change can be detected.

Collection: recording the physical scene and duplicating digital evidence using standardized methods and procedures.

Examination: an in-depth, systematic search for evidence related to the network attack. The focus is on identifying potential evidence and documenting it in detail for analysis.

Analysis: determining the significance of the evidence, reconstructing the network traffic (for example reassembling packets into sessions) and drawing conclusions from what was found.

Presentation: summarizing and explaining the conclusions drawn.

Incident response: the response to the detected attack or intrusion, initiated on the basis of the information gathered to validate and assess the incident.

Network forensics, like any other forensic investigation, presents many challenges. The first is capturing the traffic in the first place. Depending on the network topology and the security measures in place where the sniffer is deployed, the tool may not see all of the traffic of interest; in a switched network, a host in promiscuous mode only sees frames addressed to it plus broadcast and multicast traffic. To address this, the network administrator should mirror traffic to the capture host using a SPAN (mirror) port or a network tap at several points in the network.

One tedious task in network forensics is data correlation, which can be causal or temporal. Temporal correlation requires that every source logs timestamps and that device clocks are synchronized (for example via NTP); otherwise events recorded by different devices cannot be placed on a common timeline.

An attacker may encrypt the traffic, for example over a TLS-based VPN. The investigator can still see addresses, ports, timing and volume, and some handshake metadata, but not the content of the data stream. Additional logging (at the endpoints, or on a proxy that terminates the encryption) and further sleuthing are needed to determine what data was exfiltrated.
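To make concrete what remains visible when the stream is encrypted: the TLS ClientHello is sent in the clear, so an investigator can still read the offered cipher suites and, unless Encrypted ClientHello is in use, the Server Name Indication (SNI) from the first bytes of the connection, even though nothing after the handshake is readable. The following is an added example written for this article, not code from the original page; it uses only the Python standard library, and build_client_hello() constructs a minimal ClientHello so the script runs offline (the host name and cipher-suite list are made up).

```python
"""Recover the metadata that stays visible in a TLS connection: the offered
cipher suites and the SNI host name carried in the plaintext ClientHello.

Added example for this article, not code from the original page. The
ClientHello is constructed in memory; the host name and suites are made up.
"""
from __future__ import annotations

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 0x16, 0x01, 0x0000
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_client_hello(payload: bytes):
    """Return {'version', 'cipher_suites', 'sni'} or None if this is not a ClientHello."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")      # 5-byte record header precedes it
    body = payload[9:9 + hs_len]
    if len(body) < 35:
        return None
    try:
        version = int.from_bytes(body[0:2], "big")    # TLS 1.3 also writes 0x0303 here; its real
        pos = 34                                        # version sits in supported_versions
        pos += 1 + body[pos]                            # skip session id
        cs_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                            # skip compression methods
        sni = None
        if pos + 2 <= len(body):                        # extensions block is optional
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
            pos += 2
            while pos + 4 <= end:
                etype = int.from_bytes(body[pos:pos + 2], "big")
                elen = int.from_bytes(body[pos + 2:pos + 4], "big")
                edata = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:  # host_name
                    name_len = int.from_bytes(edata[3:5], "big")
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
    except IndexError:                                  # truncated or malformed hello
        return None
    return {"version": VERSIONS.get(version, hex(version)), "cipher_suites": suites, "sni": sni}


def build_client_hello(sni: str | None = None, suites=(0x1301, 0xC02F)) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (test data, not a real client)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type 0 = host_name
        sni_ext = len(entry).to_bytes(2, "big") + entry              # server_name_list
        exts += EXT_SERVER_NAME.to_bytes(2, "big") + len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (0x0303).to_bytes(2, "big") + bytes(32) + b"\x00"        # version, zero random, no session id
    body += (2 * len(suites)).to_bytes(2, "big") + b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    body += len(exts).to_bytes(2, "big") + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("cdn.example.test")))
    print(parse_client_hello(build_client_hello()))       # no SNI: client connected by IP
    print(parse_client_hello(b"GET / HTTP/1.1\r\n"))      # not TLS at all
```

A ClientHello without SNI is itself worth noting in a report: legitimate browsers almost always send one, while tooling that connects to a hard-coded IP address often does not.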

A further challenge is determining the source of an attack, since the attacker may operate through a compromised intermediate host (a zombie), through a chain of hosts, or simply through a remote proxy server. This makes it difficult for the investigator to trace the attack back to the attacker's real address.

With these concerns in mind, the core task of the network forensics investigator is analyzing packet captures, usually stored as PCAP files. Items in the traffic to examine include, but are not limited to: protocols used, IP addresses, port numbers, timestamps, malicious packets, transferred files, User-Agent strings, application server versions and operating system versions. This information can be extracted from different types of traffic.
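The following is an added example for this article, not code from the original page, showing how the items listed above (timestamps, protocol, addresses, ports and, for plaintext HTTP, the User-Agent string) are pulled directly out of the libpcap file format without third-party libraries. The capture is constructed in memory from made-up addresses and a made-up User-Agent so the script runs offline; replace SAMPLE_PCAP with open("capture.pcap", "rb").read() to process a real file.

```python
"""Extract per-packet artefacts from a libpcap capture using only the standard library.

Added example for this article, not code from the original page. The capture
bytes are constructed below; addresses and the User-Agent string are made up.
"""
from __future__ import annotations
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4        # microsecond timestamps, written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1        # same format as read when the writer was big-endian
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_pcap(data: bytes) -> list[dict]:
    """Return one record per IPv4 packet: ts, proto, src, sport, dst, dport, user_agent."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    records, offset = [], 24                       # 24-byte global header
    while offset + 16 <= len(data):                # 16-byte per-packet header
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        rec = parse_frame(frame)
        if rec is not None:
            rec["ts"] = ts_sec + ts_usec / 1e6
            records.append(rec)
    return records


def parse_frame(frame: bytes):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    rec = {"proto": PROTO_NAMES.get(proto, str(proto)), "src": src, "dst": dst,
           "sport": None, "dport": None, "user_agent": None}
    if proto == 6 and len(l4) >= 20:
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
        data_off = (l4[12] >> 4) * 4
        rec["user_agent"] = extract_user_agent(l4[data_off:])
    elif proto == 17 and len(l4) >= 8:
        rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
    return rec


def extract_user_agent(payload: bytes):
    """Pull the User-Agent header out of a plaintext HTTP request, if present."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"user-agent:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


# --- constructed sample capture (test data, not a real recording) ------------
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload                # checksum left zero; irrelevant for parsing

def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(ip_packet):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet

def _pcap(packets):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

HTTP_REQ = (b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.test\r\n"
            b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n")
SAMPLE_PCAP = _pcap([
    (1562371200, 100, _frame(_ipv4("10.0.0.5", "198.51.100.7", 17, _udp(53001, 53, b"\x00" * 12)))),
    (1562371200, 250000, _frame(_ipv4("10.0.0.5", "198.51.100.7", 6, _tcp(49152, 80, HTTP_REQ)))),
])

if __name__ == "__main__":
    for r in parse_pcap(SAMPLE_PCAP):
        print(r)
```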

What traffic protocols and network layers are analyzed in network forensics?

This section shows where digital forensic methods can be applied at the different network protocols and layers.

Data-link and physical layer examined (Ethernet)

These methods capture the raw frames at the Ethernet (data-link) layer of the OSI model using monitoring tools or sniffers such as Wireshark or tcpdump, both of which read traffic from a network interface placed in promiscuous mode. Such tools let the investigator filter traffic and reconstruct files and attachments transmitted over the network. Link-layer protocols such as the Address Resolution Protocol (ARP) can be inspected directly, as can every higher-layer protocol carried in the frames. Encryption limits this: the headers remain readable but the payload does not. Encrypted traffic is not in itself suspicious, since most legitimate traffic today is encrypted; what merits attention is encryption where it is not expected, such as on unusual ports or to unusual destinations. The disadvantage of full packet capture is that it requires a large amount of storage.
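ARP is worth singling out because it is both easy to read off the wire and a common attack vector: a host that answers ARP requests it was never asked, or that claims an IP address already bound to another MAC, is the footprint of ARP spoofing. The following added example (written for this article, not code from the original page) decodes Ethernet/ARP frames and flags both conditions; the frames and addresses are constructed.

```python
"""Flag unsolicited ARP replies and IP addresses claimed by more than one MAC.

Added example for this article, not code from the original page. The frames
are constructed; MAC and IP addresses are made up.
"""
import struct

ETHERTYPE_ARP = b"\x08\x06"


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    # ARP header after the 14-byte Ethernet header:
    # htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    oper, = struct.unpack_from("!H", frame, 20)
    return {"op": oper, "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}


def detect_arp_anomalies(frames):
    """Return (frame_index, finding, ip, detail) tuples for suspicious ARP traffic."""
    claims = {}       # ip -> first MAC seen claiming it
    pending = set()   # target IPs of requests not yet answered
    findings = []
    for n, frame in enumerate(frames):
        arp = decode_arp(frame)
        if arp is None:
            continue
        if arp["op"] == 1:                          # request: remember who was asked for
            pending.add(arp["tpa"])
        elif arp["op"] == 2:                        # reply: should answer a pending request
            if arp["spa"] not in pending:
                findings.append((n, "unsolicited reply", arp["spa"], arp["sha"]))
            pending.discard(arp["spa"])
        if arp["spa"] == "0.0.0.0":                 # ARP probe: claims no address
            continue
        first = claims.setdefault(arp["spa"], arp["sha"])
        if first != arp["sha"]:
            findings.append((n, "ip claimed by second mac", arp["spa"], first + " -> " + arp["sha"]))
    return findings


def arp_frame(op, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet/ARP frame (constructed test data)."""
    sha_b, tha_b = bytes.fromhex(sha.replace(":", "")), bytes.fromhex(tha.replace(":", ""))
    eth = (tha_b if op == 2 else b"\xff" * 6) + sha_b + ETHERTYPE_ARP
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += sha_b + bytes(map(int, spa.split("."))) + tha_b + bytes(map(int, tpa.split(".")))
    return eth + body


GATEWAY, HOST, ROGUE = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05", "de:ad:be:ef:00:01"
ZERO_MAC = "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    arp_frame(1, HOST, "10.0.0.5", ZERO_MAC, "10.0.0.1"),   # host asks who has the gateway
    arp_frame(2, GATEWAY, "10.0.0.1", HOST, "10.0.0.5"),    # real gateway answers
    arp_frame(2, ROGUE, "10.0.0.1", HOST, "10.0.0.5"),      # rogue host claims the gateway IP
]

if __name__ == "__main__":
    for finding in detect_arp_anomalies(SAMPLE_FRAMES):
        print(finding)
```

Because capture only sees what the mirror or tap delivers, a real deployment runs this against frames from the switch segment where the victim sits; gratuitous ARP from legitimate failover gear also triggers the first check, so the second (a changed MAC for a known IP) is the stronger signal.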

Transport and network layer examined (TCP/IP)

Forensic methods are applied at the network layer as well. Routers' routing tables and the logs of network devices (including their authentication logs) show how traffic was forwarded and who administered the devices. Investigating this information helps identify compromised or spoofed packets, determine their source and trace their path back through the network. Network device logs provide detailed information about network activity, and logs from several devices can be correlated to reconstruct the attack scenario. Because network devices have limited local storage, administrators configure them to forward logs to a central server, where they are retained for a defined period.
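Correlating logs from several devices stands or falls on the timestamps. The following added example (written for this article, not code from the original page) places constructed firewall and IDS log lines on one UTC timeline and pairs them on the connection 5-tuple. The formats only imitate a firewall syslog line and an IDS alert and are not any vendor's exact format; the firewall logs UTC, while the IDS is assumed to log local time (UTC-4) with a clock known to run 37 seconds fast, so its timestamps are normalized and skew-corrected before matching.

```python
"""Put logs from two devices on one timeline and pair them on the 5-tuple.

Added example for this article, not code from the original page. Log lines
are constructed; the IDS timezone and 37 s clock skew are assumptions that
stand in for values an investigator would measure against an NTP reference.
"""
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone

FIREWALL_LOG = """\
2019-07-06T12:00:01Z fw1 ALLOW TCP 10.0.0.5:49152 -> 198.51.100.7:443
2019-07-06T12:00:03Z fw1 ALLOW TCP 10.0.0.5:49153 -> 203.0.113.9:8443
2019-07-06T12:00:09Z fw1 DENY  TCP 10.0.0.5:49154 -> 203.0.113.9:22
"""
IDS_LOG = """\
07/06/2019-08:00:40.120 [**] POLICY Outbound TLS on uncommon port [**] {TCP} 10.0.0.5:49153 -> 203.0.113.9:8443
07/06/2019-08:00:46.500 [**] SCAN Outbound SSH connection attempt [**] {TCP} 10.0.0.5:49154 -> 203.0.113.9:22
"""
IDS_TZ = timezone(timedelta(hours=-4))   # the IDS writes local time (assumed)
IDS_SKEW = timedelta(seconds=37)         # and its clock runs 37 s fast (assumed measurement)

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY)\s+(\w+) (\S+):(\d+) -> (\S+):(\d+)")
IDS_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] \{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)")


def parse_firewall(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "source": m[2], "event": m[3],
                           "tuple": (m[4], m[5], int(m[6]), m[7], int(m[8]))})
    return events


def parse_ids(text: str, skew: timedelta = IDS_SKEW) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            local = datetime.strptime(m[1], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=IDS_TZ)
            ts = local.astimezone(timezone.utc) - skew    # to UTC, then remove the known skew
            events.append({"ts": ts, "source": "ids1", "event": m[2],
                           "tuple": (m[3], m[4], int(m[5]), m[6], int(m[7]))})
    return events


def timeline(*event_lists) -> list[dict]:
    """All events from all sources in UTC order."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def correlate(fw_events, ids_events, window=timedelta(seconds=5)):
    """Pair each IDS alert with the firewall record of the same 5-tuple within `window`."""
    pairs = []
    for alert in ids_events:
        for fw in fw_events:
            if fw["tuple"] == alert["tuple"] and abs(fw["ts"] - alert["ts"]) <= window:
                pairs.append((fw, alert))
    return pairs


if __name__ == "__main__":
    fw, ids = parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG)
    for e in timeline(fw, ids):
        print(e["ts"].isoformat(), e["source"], e["event"], e["tuple"])
    print(len(correlate(fw, ids)), "alerts correlated;",
          len(correlate(fw, parse_ids(IDS_LOG, skew=timedelta(0)))), "without skew correction")
```

With the skew applied both alerts line up with their firewall records; without it, the same alerts sit 37 seconds off and nothing correlates inside a five-second window, which is why clock synchronization is a prerequisite rather than a nicety.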

Traffic examined based on the use case (Internet)

The internet provides numerous services, such as the web, email, chat and file transfer, which makes it rich in digital evidence. Evidence is obtained by identifying and collecting the logs of the servers that provide those services: web servers, email servers, Internet Relay Chat (IRC) servers and others. These servers record useful information such as browsing history, email accounts (bearing in mind that email headers can be forged), user account information and so on.


Wireless traffic examined

This is achieved by collecting and analyzing traffic from wireless networks and devices, such as mobile phones. It extends the usual traffic data with voice communications, and a phone's location can also be determined. The analysis methods for wireless traffic are similar to those for wired traffic, but different security issues, such as the encryption of the wireless link itself, have to be taken into account.

What types of systems are used to collect network traffic, and what are the pros and cons of each?

Network traffic collection systems are of two kinds: "catch-it-as-you-can" and "stop, look and listen".

"Catch-it-as-you-can": all packets passing a capture point are stored, and analysis is performed afterwards on the stored data. The results of the analysis are stored too, and the raw data remains available for future analysis, including questions nobody thought to ask at capture time. This type of system requires a large amount of storage.

A "stop, look and listen" system differs in that only the data required for analysis is kept. Incoming traffic is filtered and analyzed in real time in memory, so this system needs less storage but a much faster processor, and anything the filter did not anticipate is lost.

Both approaches are resource-intensive (storage in the first case, processing power in the second), and the privacy implications of the "catch-it-as-you-can" approach in particular must be weighed: it captures users' content along with the metadata, and in many jurisdictions service providers are prohibited from intercepting or disclosing that content without consent or legal authority.

What are some popular network forensics tools & resources?

Network Forensic Analysis Tools (NFATs) allow investigators and network administrators to monitor networks and gather information about anomalous or malicious traffic. These tools work alongside network security systems and devices, such as firewalls and IDS, to make a long-term record of network traffic possible, and they allow quick analysis of the patterns flagged by that equipment.

The following are a few functions of a Network Forensic Analysis Tool:

  • Network traffic capturing and analysis
  • Evaluation of network performance
  • Detection of anomalies and misuse of resources
  • Determination of network protocols in use
  • Aggregating data from multiple sources
  • Security investigations and incident response
  • Protection of intellectual property

Network forensics tools can be classified by many criteria, for example as host-based or network-wide tools. In this article we classify them as general-purpose tools, specific-task tools, or libraries and frameworks.

General purpose tools

This category includes packet collectors (sniffers), protocol analyzers and network forensic analyzers.

dumpcap, pcapdump and netsniff-ng are examples of packet sniffers, which record packets from the network and store them in files.

tcpdump, Wireshark/tshark and tstat are popular protocol analyzers, used to inspect recorded traffic. They can be packet-centric or session-centric.

Xplico and NetworkMiner are Network Forensic Analysis Tools (NFATs). These are data-centric tools that analyze the content of the traffic.

Specific task tools

These are often small programs written to do just one thing.

Intrusion detection (Snort, Suricata, Bro, now known as Zeek)

Match regular expressions (ngrep)

Extract files (nfex) or images (driftnet)

Sniff passwords or HTTP sessions (dsniff, Firesheep, Ettercap, creds)

Extract emails (mailsnarf, smtpcat)

Print network/packet statistics (ntop, tcpstat, tstat)

Extract SSL/TLS information (ssldump)

Reconstruct TCP flows (tcpflow, tcpick)

Passive fingerprinting (p0f, PRADS)

Libraries and Frameworks

libpcap (the C capture library underlying tcpdump and Wireshark, with bindings for Python and other languages) and Scapy (a Python framework for crafting and dissecting packets)
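Reconstructing TCP flows, the job tools such as tcpflow and tcpick do for every connection in a capture, is the step that turns packets into the files, requests and sessions an investigator actually reads. The following added example (written for this article, not the code of any tool listed above) reassembles one direction of a stream from constructed segments that arrive out of order, duplicated and overlapping, reports gaps where segments were never captured, and lets the caller choose which bytes win when overlapping segments disagree. That last point matters forensically: TCP stacks differ in how they resolve overlaps, so the policy of the receiving host decides what its application really saw, and IDS evasion techniques exploit exactly that ambiguity.

```python
"""Reassemble one direction of a TCP stream from captured segments.

Added example for this article, not code from tcpflow or any other tool
mentioned on the page. Segments and the message they carry are constructed.
"""
from __future__ import annotations

SEQ_MOD = 2 ** 32


def reassemble(segments, isn: int, policy: str = "first"):
    """segments: (seq, payload) pairs in arrival order; isn: the initial sequence
    number, so seq == isn + 1 is the first data byte.

    Returns (data, gaps): data is the stream with never-seen bytes shown as '?',
    gaps lists those (start, end) byte ranges. policy 'first' keeps the bytes that
    arrived first when segments overlap; 'last' keeps the most recent ones."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    bytes_at: dict[int, int] = {}
    for seq, payload in segments:
        rel = (seq - isn - 1) % SEQ_MOD            # relative offset; modulo handles wrap-around
        for i, b in enumerate(payload):
            if policy == "last" or rel + i not in bytes_at:
                bytes_at[rel + i] = b
    if not bytes_at:
        return b"", []
    data, gaps, gap_start = bytearray(), [], None
    for off in range(max(bytes_at) + 1):
        if off in bytes_at:
            if gap_start is not None:
                gaps.append((gap_start, off))
                gap_start = None
            data.append(bytes_at[off])
        else:
            if gap_start is None:
                gap_start = off
            data.append(ord("?"))
    return bytes(data), gaps


# --- constructed sample stream ---------------------------------------------------
MESSAGE = b"GET /payroll.xlsx HTTP/1.1\r\nHost: files.example.test\r\n\r\n"
ISN = 0xFFFFFFF0           # deliberately close to the 32-bit wrap point


def segment(offset: int, length: int):
    return ((ISN + 1 + offset) % SEQ_MOD, MESSAGE[offset:offset + length])


# Arrival order: third chunk first, first chunk twice (retransmission), then the rest.
ARRIVAL = [segment(26, 20), segment(0, 10), segment(0, 10), segment(10, 16), segment(46, 20)]
# A late segment overlapping offsets 12..17 with conflicting content.
CONFLICT = ((ISN + 1 + 12) % SEQ_MOD, b"XXXXX")

if __name__ == "__main__":
    data, gaps = reassemble(ARRIVAL + [CONFLICT], ISN)
    print(data, gaps)                                   # original bytes win
    data, gaps = reassemble(ARRIVAL + [CONFLICT], ISN, policy="last")
    print(data, gaps)                                   # conflicting bytes win
    data, gaps = reassemble([s for s in ARRIVAL if s[0] != segment(10, 16)[0]], ISN)
    print(data, gaps)                                   # a missing segment shows up as a gap
```

A full reassembler also tracks the reverse direction, the handshake and FIN/RST to delimit flows, and a per-flow key of both endpoints' addresses and ports; what is shown here is the ordering and overlap logic that the rest is built around.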



Network forensics enables faster incident response to an attack. It provides the means to investigate attacks by tracing them back to their source and establishing whether the attacker is a person, a host or a network. It also helps anticipate future attacks by correlating patterns in previously recorded intrusion traffic, and it supports the presentation of admissible evidence in a court of law. This article was a quick survey of network forensics, the different types of traffic data and the systems used to collect them, and it listed the popular tools available today. We hope you enjoyed reading; check out Infosec's 5-Day Forensics Boot Camp training if you want to take your learning to the next level, and the rest of the Computer Forensics series.


