Today an examiner can easily utilize network capable forensic applications to conduct a network analysis. EnCase Enterprise, FTK and even X-Ways with the help of F-Response, can connect to any network attached device that is capable of having the tools particular agent installed on it.
Probably the most valuable piece of the puzzle you can get is the network traffic captured during the time of the incident. This is the ideal situation because it allows you observe the actual data being passed between the attacker and the victim, most of the time. There are many tools available that can capture and be used to analyze network capture data. There is a slight problem getting this data for a few reasons ...