Network Forensics Flashcards
The process of capturing, recording, and analyzing network events to discover the source of security incidents.
Network forensics
A detailed copy of all packets transferred across a network used for forensic analysis.
Packet capture (PCAP)
A tool used for capturing and analyzing live network traffic at the packet level.
Wireshark
The process of reviewing and interpreting traffic after it has been recorded.
Offline network traffic analysis
A log that summarizes communication between devices by showing IPs, ports, byte counts, and durations.
NetFlow log
A forensic approach that identifies anomalies in the volume or direction of network traffic.
Traffic pattern analysis
The technique of tracing traffic to its origin by following packet paths across devices.
Network trace route
A protocol analyzer that provides low-level details of network communications.
Packet sniffer
The term for a complete, raw copy of all traffic on a network segment.
Full packet capture
A type of capture that records only metadata (e.g., headers), not the packet payload.
Header capture
The practice of examining DNS logs to identify malicious domain queries.
DNS forensics
A tool that provides behavioral alerts by comparing traffic against a baseline.
Anomaly-based NIDS
A system that passively monitors network traffic for signs of suspicious activity.
Intrusion Detection System (IDS)
A network-based system that can block malicious traffic in real time.
Intrusion Prevention System (IPS)
The process of identifying and reconstructing application-level content from packet captures.
Protocol decoding
A system used to correlate logs from various sources including firewalls, routers, and endpoints.
Security Information and Event Management (SIEM)
The type of evidence that network logs and PCAPs represent in a legal investigation.
Digital evidence
A key principle that ensures evidence is not altered during analysis.
Chain of custody
The term for viewing sessions and conversations in order to reconstruct attacker activity.
Session reconstruction
A traffic type that is considered a red flag in network forensics when it runs over unusual ports.
Protocol misuse
The process of extracting files or payloads from network packet captures.
Data carving
Logs generated by security appliances such as firewalls, routers, and proxies.
Perimeter device logs
A source of logs that show connection attempts and traffic direction between hosts.
Firewall logs
Logs that help identify abnormal login times, failed attempts, or session hijacking.
Authentication logs
A file type commonly used to store and share captured packets.
.pcap file
A method used to identify large data transfers that could indicate exfiltration.
Bandwidth analysis
The practice of matching a known IOC (IP, hash, domain) with traffic data.
Threat intelligence correlation
The challenge of analyzing encrypted traffic without visibility into payloads.
TLS/SSL inspection limitation
A tool or device that duplicates traffic to a separate monitoring port for analysis.
Network TAP (Test Access Point)
The area where logs are centralized and archived for long-term forensic review.
Log aggregation platform
The ability to identify who performed an action and when, using network logs.
Attribution
A technique used to detect traffic going to known C2 infrastructure.
C2 beacon detection
Evidence of periodic, consistent external connections from infected hosts.
Beaconing behavior
A sign of internal scanning where one host sends SYN packets to multiple internal devices.
Lateral movement attempt
Log evidence showing repeated connection attempts to a closed port.
Port scanning
A protocol often analyzed in forensics to find user credentials or commands sent in plaintext.
FTP or Telnet
A forensic red flag when a non-web protocol runs over port 80 or 443.
Protocol tunneling
Activity in which large volumes of outbound traffic flow to an unusual country or IP.
Data exfiltration
A timeline of network events that correlates attacker behavior across systems.
Incident timeline reconstruction
The final step of a forensic investigation, in which a report is delivered to stakeholders.
Findings documentation