Analyzing Network Traffic
In Chapter 8, we described how to perform full-content network monitoring to gather network-based evidence. However, once you’ve collected full-content data, you need to be able to analyze it to identify indications and warnings of suspicious activity. This chapter outlines a formal investigative approach to interpreting network activity. We’ll explain how to review large binary capture files and quickly identify the data that is relevant to an investigation.
FINDING NETWORK-BASED EVIDENCE
After you collect network traffic, you must eventually read that traffic and determine whether it contains evidence of a computer security incident. The network traffic you’ve collected is stored in binary capture files, which are typically very large. ...