Network forensics is the process of examining network artifacts to determine whether any unauthorized activity has taken place, and of retrieving the artifacts and evidence needed to prove it. This includes, but is not limited to, network monitoring, network recording, and active or passive analysis of network traffic and events so that they can be correlated. Analysts use these techniques to trace security events back to their origin and to perform root cause analysis.
The idea behind a strong forensics practice is to enable the blue team to improve their detection techniques and to gain a better understanding of, and visibility into, activity throughout the network. In this chapter, we will look at how to perform network forensics and learn how to utilize these ...