During an incident investigation, an analyst collects a full packet capture from a span port and correlates it with NetFlow records to trace command-and-control IP addresses, map exfiltration paths, and determine the initial intrusion vector. Which forensic technique is the analyst applying?
Network forensics focuses on capturing, storing, and inspecting packet captures, flow records, and other network telemetry to reconstruct the timeline of an intrusion, attribute malicious IP addresses, and measure what data left the environment. Hash analysis is limited to verifying the integrity of files or disk images; memory analysis examines volatile RAM for resident malware; link analysis visualizes relationships between people, hosts, or transactions rather than the packets themselves. Because the analyst is working exclusively with traffic data to back-track the attack path, network forensics is the appropriate technique.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What tools are commonly used in network forensics?
Open an interactive chat with Bash
How do investigators ensure the integrity of captured network traffic?
Open an interactive chat with Bash
What challenges are associated with network forensics?