11 Network Forensics
The objective of network forensics is to deliver a comprehensive record of events that have transpired on a network, whether it involves cyber crime, illicit activities, or anything in between.
One of the most challenging aspects of network forensics is the collection phase, because it is rare for organizations to have a well-designed network data collection setup. It is extremely uncommon to arrive at a case where there is a complete PCAP of the entire incident. With some luck, there might be network flow data or firewall logs; in the worst case, there is nothing at all. Where the organization has set up network capture, the next challenge is the sheer volume of data: investigators must sift through large amounts of traffic to identify the data relevant to the case and find the evidence they seek.
- Availability of data: not all networks have monitoring setups, making it difficult to get hold of the relevant data.
- The sheer volume of network data can be overwhelming, requiring advanced tools and techniques to effectively analyze the data.
- Networks are dynamic and constantly changing, making it difficult to maintain an accurate picture of network activity over time.
- Encryption and other security measures can complicate the analysis of network traffic, as they can obscure the content of network communications.
These are just some of the challenges you will be faced with.
11.1 Acquisition
Before any analysis ...