Security+ Academy · Lesson

Network and Memory Forensics

Capture and analyze packet captures (pcap) and memory dumps to reconstruct attacker communications and identify malware hiding in RAM.

Network Forensics Overview

Network forensics captures and analyzes network traffic to reconstruct attacker communications, identify lateral movement, and detect data exfiltration. Unlike endpoint forensics, which examines evidence that may have been tampered with on a compromised host, network evidence is harder for attackers to alter after the fact — they cannot retroactively delete packets already captured by a network tap or flow monitoring system. Network forensics complements endpoint forensics to provide a complete attack picture.

Packet Capture Fundamentals

Packet capture (PCAP) records all network traffic at the packet level, including full payload content. Tools include Wireshark (GUI-based, widely used), tcpdump (command-line, scriptable), and Zeek (formerly Bro, produces protocol-level logs from PCAP). Full packet capture is storage-intensive; high-speed networks may require purpose-built capture appliances. PCAP analysis can reveal: credentials in cleartext protocols, C2 beaconing patterns, exfiltrated data, and lateral movement connections.

# tcpdump: capture all traffic on eth0 (-nn disables name resolution so the
# capture host does not generate DNS lookups of its own while collecting)
tcpdump -nn -i eth0 -w /forensics/incident.pcap

# Capture only traffic to/from attacker IP. Options such as -w must come
# before the filter expression; placed after it, tcpdump reads them as part
# of the filter and rejects the command.
tcpdump -nn -i eth0 -w /forensics/attacker.pcap host 198.51.100.10

# Wireshark display filter examples (string values use double quotes):
# Show HTTP GET requests: http.request.method == "GET"
# Show DNS queries (query/response flag clear): dns.flags.response == 0
# Show large outbound transfers: !(ip.dst == 10.0.0.0/8) && tcp.len > 1000
# Show cleartext FTP creds: ftp.request.command == "PASS"
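The two analysis ideas above, C2 beaconing patterns and large outbound transfers, can be checked programmatically once the capture is parsed. The following is an added example written for this lesson, not code from the course or from Wireshark/tcpdump: a minimal pure-stdlib parser for the classic little-endian pcap format (Ethernet, IPv4, TCP only), a beacon check that looks for outbound connections with near-constant inter-arrival times, and a large-transfer check that mirrors the Wireshark filter (destination outside 10.0.0.0/8 and TCP payload over 1000 bytes). The capture it analyses is constructed in memory; the hosts 10.0.0.5, 10.0.0.9 and 198.51.100.10, the 60-second interval and the thresholds are assumptions chosen for the demonstration.

```python
"""Minimal PCAP parser plus two triage checks (constructed example for this
lesson): flag periodic outbound connections that look like C2 beaconing,
and flag large transfers leaving the 10.0.0.0/8 range."""
import ipaddress
import statistics
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def build_packet(src, dst, sport, dport, payload):
    """Assemble Ethernet + IPv4 + TCP bytes for test input only.
    Checksums are left at zero; this is not a packet crafting tool."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0)            # 20-byte header, PSH|ACK
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: list of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, payload_len) for each IPv4/TCP frame."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue                                        # skip non-IPv4 frames
        ihl = (frame[14] & 0x0F) * 4                        # IP header length
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue                                        # TCP only
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4                           # TCP header length
        payload_len = total_len - ihl - doff                # same quantity as tcp.len
        yield (sec + usec / 1e6, src, dst, sport, dport, payload_len)


def find_beacons(records, min_count=4, max_jitter=0.1):
    """Group outbound flows by (src, dst, dport) and report those whose
    inter-arrival times are regular (coefficient of variation <= max_jitter).
    Returns {key: mean_interval_seconds}."""
    times = {}
    for ts, src, dst, _, dport, _ in records:
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            times.setdefault((src, dst, dport), []).append(ts)
    hits = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                                        # duplicate timestamps
        if statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean, 1)
    return hits


def find_large_outbound(records, threshold=1000):
    """Mirror of the Wireshark filter !(ip.dst == 10.0.0.0/8) && tcp.len > 1000."""
    return [(src, dst, dport, n) for _, src, dst, _, dport, n in records
            if ipaddress.ip_address(dst) not in INTERNAL_NET and n > threshold]


def sample_capture():
    """Constructed traffic: a 60 s beacon to 198.51.100.10:443 (4 small posts),
    one 1500-byte upload to the same host on 8443, and internal SMB chatter."""
    pkts = [(1000.0 + 60 * i,
             build_packet("10.0.0.5", "198.51.100.10", 40000 + i, 443, b"x" * 64))
            for i in range(4)]
    pkts.append((1130.0, build_packet("10.0.0.5", "198.51.100.10", 40010, 8443, b"y" * 1500)))
    pkts.append((1005.0, build_packet("10.0.0.5", "10.0.0.9", 50000, 445, b"z" * 200)))
    pkts.append((1007.0, build_packet("10.0.0.9", "10.0.0.5", 445, 50000, b"z" * 300)))
    return build_pcap(pkts)


if __name__ == "__main__":
    recs = list(parse_pcap(sample_capture()))
    print("beacons:", find_beacons(recs))
    print("large outbound:", find_large_outbound(recs))
```

On a real capture, replace `sample_capture()` with the bytes of a file written by the tcpdump commands above; the parser ignores non-IPv4 and non-TCP frames, so unrelated traffic in the same capture does not break it. The jitter threshold is the tuning knob: real beacons often add random sleep, so a looser `max_jitter` catches more at the cost of flagging legitimate periodic traffic such as update checks.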
