Learning Objectives

• Understand the purpose and methodology of network forensics
• Identify sources of network-based evidence
• Reconstruct attack timelines from network captures
• Extract forensic artefacts from traffic
• Analyse encrypted traffic for investigative indicators

Defining Network Forensics

Network Forensics is the capture, recording, and analysis of network traffic to discover the source of security incidents.

What Network Forensics Can Reveal

Sources of Network-Based Evidence

Multiple converging sources strengthen evidence.

Gaining Access to Network Traffic

Four primary means to access network data:

1. Hubs
2. Test Access Point (TAP)
3. Other inline devices
4. Switched Port Analyzer (SPAN port)

Capturing Traffic: Hub vs Switch

Promiscuous mode: NIC captures all packets, not just those addressed to it

Capturing Traffic: SPAN Port

SPAN Port (Port Mirroring)

• Switch copies traffic to designated port
• Sniffer captures ALL traffic
• Software configured - easy to change
• Can drop packets under heavy load
• Lower priority than production traffic

Capturing Traffic: Network TAP

Test Access Point (TAP)

• Hardware device placed inline
• Creates permanent access port
• Copies all traffic - no packet loss
• Sees physical layer errors
• More expensive, requires physical install

TAPs are preferred for forensic capture - complete, unaltered evidence

Mapping Traffic to the Kill Chain

Building an Attack Timeline

Key Wireshark Filters

What Can Be Extracted

From unencrypted traffic, you can recover:

Extraction Techniques

Wireshark Export Objects
File → Export Objects → HTTP/SMB/TFTP/IMF

Follow TCP Stream
Right-click packet → Follow → TCP Stream → Save raw data

NetworkMiner
Automated extraction of files, images, credentials

Extracted files may contain malware. Analyse in isolation.

Email Reconstruction from SMTP

The Encryption Challenge

TLS Fingerprinting: JA3

Every TLS client has a fingerprint based on how it negotiates the connection.

JA3 = MD5 hash of: TLS version, cipher suites, extensions, elliptic curves

Example: e7d705a3286e19ea42f587b344ee6865 (Cobalt Strike)

Uses:

• Identify known malware families
• Detect C2 frameworks
• Correlate across captures

Challenges: Anonymity & Attribution

1. Tor / VPNs | Source IP hidden or masked

Challenges: Anonymity & Attribution

Attribution is rarely definitive. Focus on IOCs and TTPs.

Summary

1. Network forensics reconstructs incidents from traffic evidence
2. Multiple evidence sources strengthen findings
3. Map network events to kill chain phases
4. Extract artefacts from unencrypted traffic
5. Encrypted traffic still reveals metadata and patterns
6. Attribution is difficult - focus on indicators

Labs: Pleaee review you activities from below

1. Lab 1: Attack Investigation
2. Lab 2: Email Reconstruction
3. Lab 3: Exfiltration & Encrypted Traffic