Digital forensics

Network Forensics Concepts

January 12, 2021 by Srinivas

This article outlines various Network Forensics Concepts that can come handy for beginners. We will begin by understanding what various network security threats are and how attacks happen. We will then discuss what are the various network forensics concepts that can come handy during investigations.

How do attacks happen?

Network forensics to many people is capturing the network traffic and analyzing it for the presence of possible intrusions. Solving the puzzle of real world attacks can consist of much more than that. Attackers often use intelligent tactics and techniques when conducting attacks. Following are different types of network security threats a network forensic investigator should be aware of to better understand the investigation procedure.

Network Security Threats

There are two main forms of Network Security Threats depending on where the attack originates. They are External Threats and Internal Threats. 

External Threats originate from outside of the perimeter of the organization. These attacks typically include a spear phishing attack or exploiting an externally exposed vulnerability. Once the attacker is inside the network, the immediate goal is to get persistence on the target’s computer so access will not be lost even in the cases where the victim reboots the laptop. Once persistence is achieved, the next goal is to elevate the privileges to obtain higher level privileges such as an administrator. After Administrative privileges are obtained, opportunities to laterally move through the network will arise. Depending on the goal of the attacker further attacks may be carried out within the network. 

Internal threats originate from within the organization. Most of the internal attacks happen with the insider knowledge the attacker has about the assets and loopholes. These attacks are harder to detect and respond as the traces left by these types of attacks are harder to trace if not impossible.

Network Forensics concepts

When it comes to investigating network attacks, there are several different areas an investigator may need to look into as the sources of evidence  can be lying around in different places across the network. We will discuss more details about various sources of evidence in a future article. However, the following section should give a brief introduction to it.

Packet capturing tools and techniques

A network investigation often involves network packet capturing and analysis of captured packets. This gives a reasonable understanding of what’s going on in the network. Tcpdump is a commonly used tool to capture network packets and the captured packets can be analyzed using a tool like Wireshark. It should be noted that Wireshark can be used both for packet capture and analysis. However, there can be situations where a command line tool must be used for packet capturing instead of a tool with GUI. Linux server environments often do not contain GUI. In such cases, tcpdump is useful for packet capturing and the analysis can be done on a different machine using Wireshark.

Network Data exfiltration

A compromised system often makes communications to a Command and Control (C2) Server either to receive commands or to exfiltrate data from the compromised system. An investigator should spend time on the C2 server the victim computers are talking to, how commands are being received and how data is being exfiltrated from the compromised machines. It should be noted that most of the traffic often gets encrypted, so it may not be easy to know what is being sent just by looking at the network traffic.

Logs from Firewalls, WAF, IDS, IPS, Web Proxies and Servers

Network traffic analysis often relies on analyzing logs stored in various places in the network. Depending on the attack we may or (may not) need to investigate logs from all these devices. The primary purpose of a Network based Firewall is to block or allow traffic from various sources from outside the network. Many modern firewalls come with Intrusion Detection and Prevention capabilities and thus these devices may contain logs specific to an attack type. Web proxies on the other hand are used to decide weather traffic should pass through. They are also used for caching to conserve bandwidth. So, any traffic that’s going through the proxy to an attacker’s server should be logged in the proxy.

Basic Reverse Engineering

Many attacks often originate through targeted phishing attacks, which contain emails with malicious attachments. Attackers design and develop these emails and attachments in such a way that they bypass protections at the email gateway and the Anti Virus. The attachments also often bypass Endpoint Detection and Response tools available on the work stations. During an investigation, it is required to be able to reverse engineer these attachments and understand it functions. 

Active Directory footprints

In an enterprise environment, attacks often make use of the Active Directory to mine data and launch further attacks as AD is a goldmine of data for intruders. Attacks such as Kerberoasting give privileged access to the Domain Controller with less efforts. For the very reason, logs related to AD often help during investigations.


As discussed in this article, network forensic investigations constitute knowledge in several tools and techniques in addition to analyzing the logs from various sources. Investigators often need good knowledge of networking fundamentals aside to the knowledge on various network related attacks.



  1. Network Forensics by Ric Messier –
  2. Internet Forensics by R Jones –
  3. Network Forensics by Sheriff Davidoff, Jonathan Ham –
Posted: January 12, 2021
Articles Author
View Profile

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds Offensive Security Certified Professional(OSCP) Certification. He blogs Email: