CHAPTER 14
Analyzing Network Traffic
 
In Chapter 8, we described how to perform full-content network monitoring to gather network-based evidence. However, once you’ve collected full-content data, you need to be able to analyze it in order to identify indications and warnings of suspicious activity. This chapter outlines a formal investigative approach to interpreting network activity. We’ll explain how to review large binary capture files and quickly identify relevant data.
FINDING NETWORK-BASED EVIDENCE
After you collect network traffic, you must eventually read that traffic and interpret whether or not evidence of a computer security incident exists. The network traffic you’ve collected is stored in binary files, which are very large. ...
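The point about very large binary files is worth making concrete. A full-content capture in libpcap format is a 24-byte global header followed by a sequence of records, each with a 16-byte record header and the captured bytes; an analyst rarely needs to decode every byte, only to walk the records, summarize the conversations, and pull out the few packets that match an indicator. The following reader is an added example written for this edition of the page, not code from the book or its authors; it assumes libpcap (not pcapng) files with an Ethernet link type and handles only IPv4 TCP and UDP. The capture it reads is constructed inline with the helper functions, and the indicator strings are illustrative.

```python
"""Minimal libpcap reader for triaging a capture: flow summary plus indicator hits."""
import struct
from collections import defaultdict

# First 4 bytes read little-endian: maps magic -> (byte order, fraction divisor)
PCAP_MAGIC = {0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),
              0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000)}


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) for each record in a libpcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError(f"not a libpcap file (magic {magic:#x})")
    endian, ts_div = PCAP_MAGIC[magic]
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError(f"only Ethernet (linktype 1) is handled, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # final record cut short: an interrupted capture, keep what was parsed
        off += incl_len
        yield ts_sec + ts_frac / ts_div, frame


def decode(frame):
    """Return (src, dst, proto, sport, dport, payload) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:14 + total_len]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4                         # TCP data offset
        return src, dst, "tcp", sport, dport, l4[hlen:]
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "udp", sport, dport, l4[8:]
    return None


def triage(data, indicators=(b"cmd.exe", b"/bin/sh")):
    """Summarize unidirectional flows and flag records whose payload contains an indicator."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    hits = []
    for index, (ts, frame) in enumerate(read_pcap(data)):
        hdr = decode(frame)
        if hdr is None:
            continue
        src, dst, proto, sport, dport, payload = hdr
        key = (proto, src, sport, dst, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(payload)
        for ind in indicators:
            if ind in payload:
                hits.append((index, ts, key, ind))
    return dict(flows), hits


def _frame(src, dst, sport, dport, payload, proto=6):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums left zero, which offline parsing ignores."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture (hypothetical addresses): one DNS query and a short TCP session."""
    frames = [
        _frame("10.0.0.5", "10.0.0.53", 40000, 53, b"\x00\x01\x01\x00" + b"\x00" * 8, proto=17),
        _frame("10.0.0.5", "203.0.113.9", 49152, 4444, b""),
        _frame("203.0.113.9", "10.0.0.5", 4444, 49152, b"Microsoft Windows\r\nC:\\>cmd.exe"),
        _frame("10.0.0.5", "203.0.113.9", 49152, 4444, b"whoami\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + n, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    flows, hits = triage(build_sample_pcap())
    for key, stats in sorted(flows.items()):
        print(key, stats)
    for index, ts, key, ind in hits:
        print(f"record {index} at {ts:.0f}: {ind!r} in {key}")
```

Because read_pcap is a generator that keeps one record in memory at a time, the same loop works on a multi-gigabyte file opened with mmap; the flow table, not the packets, is what grows. The truncated-record check matters in practice: a capture that was still being written when the sensor was stopped usually ends mid-record, and stopping cleanly there preserves everything decoded up to that point.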