The growth in networking connectivity, complexity and activity has been accompanied by an increase in the number of crimes committed within networks, forcing both enterprises and law enforcement to undertake highly specialized investigations. Forensic analysis, the methodical investigation of a crime scene, presents special difficulties in the virtual world. What is problematic for an investigator to do within a computer, making sense out of fragile digital data arranged in obscure and complex ways, can be very difficult within the significantly larger digital context of the network [1].

Network forensics makes all network data flows visible as they happen, enabling analysts to notice insider misuse and advanced threats [2].

What is Network Forensics?

Network forensics is the capture, recording and analysis of network packets in order to determine the source of network security attacks. Its major goal is to collect evidence. It analyzes network traffic data collected from different sites and from different network equipment, such as firewalls and IDS. In addition, it monitors the network to detect attacks and to analyze the nature of the attackers. Network forensics is also the process of detecting intrusion patterns, focusing on attacker activity [3].

Network Forensics can reveal the following information:

  1. Source of security incidents.
  2. The path of intrusion.
  3. The intrusion techniques an attacker used.
  4. Traces and evidence.


Network Vulnerabilities:

  1. Internal Network Vulnerabilities: These vulnerabilities arise from over-extended bandwidth and bottlenecks.
  2. External Network Vulnerabilities: These vulnerabilities arise from threats such as DoS/DDoS attacks and network data interception.


Network Attacks:

Most Common attacks against networks:

  1. Eavesdropping
  2. Data Modification
  3. IP Address Spoofing
  4. Denial of Service Attack
  5. Man-in-the-Middle Attack
  6. Packet Sniffing
  7. Session Hijacking
  8. Email Infection
  9. Malware Attacks
  10. Router Attacks, etc.


Attacks specific to wireless networks:

  1. Rogue Access Point Attack.
  2. Client Mis-association.
  3. Unauthorized Association.
  4. AP MAC Spoofing.
  5. HoneySpot Access Point Attack.
  6. Jamming Signal Attack, etc. [2]


A generic network forensic examination includes the following steps:

  1. Identification: Recognizing and determining an incident based on network indicators. This step is significant because it shapes all of the following steps.
  2. Preservation: Securing and isolating the state of physical and logical evidence so that it cannot be altered, for example by protecting it from electromagnetic damage or interference.
  3. Collection: Recording the physical scene and duplicating digital evidence using standardized methods and procedures.
  4. Examination: An in-depth, systematic search for evidence relating to the network attack. This focuses on identifying and discovering potential evidence and building detailed documentation for analysis.
  5. Analysis: Determining the significance of the evidence, reconstructing packets of network traffic data and drawing conclusions based on the evidence found.
  6. Presentation: Summarizing and explaining the conclusions drawn.
  7. Incident Response: The response to the detected attack or intrusion is initiated based on the information gathered to validate and assess the incident.


Network Forensics Tools & Resources:

Network Forensic Analysis Tools (NFATs) allow network investigators and network administrators to monitor networks and gather all available information about anomalous or malicious traffic. These tools work together with network systems and network devices, such as firewalls and IDS, to make preserving a long-term record of network traffic possible. NFATs allow quick analysis of the patterns identified by network security equipment.

General Purpose Tools: This category includes packet collectors (sniffers), protocol analyzers and network forensic analyzers:

  1. dumpcap, pcapdump and netsniff-ng are examples of packet sniffers, which record packets from the network and store them in files.
  2. tcpdump, wireshark/tshark and tstat are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric.
  3. Xplico and NetworkMiner are Network Forensic Analysis Tools (NFATs). These tools are data-centric: they analyze the content of the traffic.


Specific Task Tools: These are often small programs written to do just one thing.

  1. Intrusion detection (snort, suricata, bro)
  2. Match regular expressions (ngrep)
  3. Extract files (nfex) or pictures (driftnet)
  4. Sniff passwords or HTTP sessions (dsniff, firesheep, ettercap, creds)
  5. Extract emails (mailsnarf, smtpcat)
  6. Print network/packet statistics (ntop, tcpstat, tstat)
  7. Extract SSL information (ssldump)
  8. Reconstruct TCP flows (tcpflow, tcpick)
  9. Fingerprinting (p0f, prads) [3]
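The session-centric analysis and TCP flow reconstruction that the protocol analyzers and flow tools above perform can be illustrated with a small parser. The following is an added example, not code from the original page or from any of the tools named: it reads a classic pcap file (Ethernet/IPv4/TCP), groups packets into bidirectional sessions keyed by the 5-tuple, and reports per-session packet counts, payload bytes and session starts (bare SYNs). The capture it parses is constructed in memory, so it runs offline.

```python
import socket
import struct
from collections import defaultdict

def ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"   # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp

def pcap_bytes(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def sample_pcap():
    """Constructed capture: one HTTP session plus a lone SYN to port 22 from another host."""
    c, s = "10.0.0.5", "10.0.0.9"
    return pcap_bytes([
        ipv4_tcp_frame(c, s, 40000, 80, 0x02),                         # SYN
        ipv4_tcp_frame(s, c, 80, 40000, 0x12),                         # SYN-ACK
        ipv4_tcp_frame(c, s, 40000, 80, 0x10),                         # ACK
        ipv4_tcp_frame(c, s, 40000, 80, 0x18, b"GET / HTTP/1.0\r\n"),  # PSH-ACK + data
        ipv4_tcp_frame("10.0.0.7", s, 50000, 22, 0x02),                # unrelated SYN
    ])

def sessions(pcap):
    """Group TCP packets into sessions keyed by the sorted (ip, port) endpoint pair."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    pos = 24                                    # skip the pcap global header
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0})
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, pos)
        frame = pcap[pos + 16: pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # only IPv4/TCP
            continue
        t = 14 + (frame[14] & 0x0F) * 4                      # start of TCP header
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, t)
        flags, doff = frame[t + 13], (frame[t + 12] >> 4) * 4
        s = stats[tuple(sorted([(src, sport), (dst, dport)]))]
        s["packets"] += 1
        s["bytes"] += len(frame) - t - doff                  # TCP payload bytes
        if flags & 0x02 and not flags & 0x10:                # bare SYN = session start
            s["syn"] += 1
    return dict(stats)
```

Summarizing a capture this way is how session-centric tools cut gigabytes of packets down to a list of conversations that an investigator can triage.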



The biggest challenge in conducting network forensics is the sheer amount of data generated by the network, often comprising gigabytes a day. It is very tedious to search for evidence and is nearly impossible to find it, if the incident is discovered after a very long time. The second challenge of network forensics lies in the inherent anonymity of the Internet protocols. Each network layer uses some form of addressing for the ‘to’ and ‘from’ points, such as MAC addresses, IP addresses and e-mail addresses, all of which can be spoofed. Fortunately, the wide range of powerful software, including products purpose-built for forensic analysis, makes it practical to solve cases through the analysis of network activity [1].


References:

  1. ‘Network Forensics’ [Online]. Accessed on 8/9/2018.
  2. CHFI Module 07, ‘Network Forensics’.
  3. ‘Computer Forensics: Network Forensics Analysis & Examination Steps’ [Online]. Accessed on 8/9/2018.