Network Forensics

What is Network Forensics?
Network forensics is another branch of computer forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a proactive investigation.

Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. An attacker might be able to erase all log files on a compromised host; network-based evidence might therefore be the only evidence available for forensic analysis. The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions.

Two systems are commonly used to collect network data: a brute force “catch-it-as-you-can” method and a more intelligent “stop, look and listen” method.

“Catch-it-as-you-can” – This is where all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage.

“Stop, look and listen” – This is where each packet is analysed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.
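The two collection methods side by side, as an added example that is not part of the original page: the first function stores every frame in full as a classic pcap byte stream, the second parses each frame in memory and keeps only per-flow counters. The sample frames, addresses, ports and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

def make_packet(src, dst, sport, dport, payload):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def catch_it_as_you_can(packets):
    """Store every frame in full as a classic pcap byte stream for later batch analysis."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def stop_look_listen(packets):
    """Inspect each frame in memory and keep only per-flow counters, never the payload."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, frame in packets:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or too short to hold an IPv4 header
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
            continue  # only TCP and UDP carry ports
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        rec = flows[(src, sport, dst, dport, proto)]
        rec["packets"] += 1
        rec["bytes"] += len(frame)
        rec["first"] = ts if rec["first"] is None else rec["first"]
        rec["last"] = ts
    return dict(flows)

# Constructed sample traffic: (timestamp, frame) pairs, not a real capture.
SAMPLE = [(1700000000 + i, make_packet("10.0.0.5", "192.0.2.10", 49152, 443, b"A" * 1000))
          for i in range(20)]
SAMPLE.append((1700000030, make_packet("10.0.0.7", "192.0.2.53", 50000, 25, b"MAIL FROM:<a@example.test>")))

if __name__ == "__main__":
    full, flows = catch_it_as_you_can(SAMPLE), stop_look_listen(SAMPLE)
    print(f"full capture: {len(full)} bytes; flow table: {len(flows)} records")
    for key, rec in flows.items():
        print(key, rec)
```

The full capture still contains the mail payload for later keyword searching, while the flow table records only who talked to whom, when and how much.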

Network forensics is a comparatively new field of forensic science. The growing popularity of the Internet in homes means that computing has become network-centric and data is now available outside of disk-based digital evidence. Network forensics can be performed as a standalone investigation or alongside a computer forensics analysis (where it is often used to reveal links between digital devices or reconstruct how a crime was committed).

Wireless forensics is a sub-discipline of network forensics. The main goal of wireless forensics is to provide the methodology and tools required to collect and analyse (wireless) network traffic that can be presented as valid digital evidence in a court of law. The evidence collected can correspond to plain data or, with the broad usage of Voice-over-IP (VoIP) technologies, especially over wireless, can include voice conversations.

Analysis of wireless network traffic is similar to that on wired networks; however, there may be the added consideration of wireless security measures.

Database forensics is a branch of digital forensic science relating to the forensic study of databases and their related metadata. This discipline is similar to computer forensics, following the normal forensic process and applying investigative techniques to database contents and metadata. Cached information may also exist in a server's RAM, requiring live analysis techniques.

A forensic examination of a database may relate to the timestamps that apply to the update time of a row in a relational table being inspected and tested for validity in order to verify the actions of a database user. Alternatively, a forensic examination may focus on identifying transactions within a database system or application that indicate evidence of wrongdoing, such as fraud.

The forensic study of relational databases requires knowledge of the standard used to encode data on the computer disk. Documentation of the standards used to encode information in well-known database products such as SQL Server and Oracle has been contributed to the public domain. Others include Apex Analytix.

Because the forensic analysis of a database is not executed in isolation, the technological framework within which a subject database exists is crucial to understanding and resolving questions of data authenticity and integrity, especially as it relates to database users.

Network forensics can also be used in a proactive fashion to dig out flaws in networks and IT infrastructure, thereby giving IT administrators and information security officers the scope to shore up their defences against future cyber attacks.

What We Do
If your company has suffered a cyber attack, data breach or network compromise which may also include ransomware or data theft, our digital forensic experts have the skills and experience to help you deal with such attacks on your computer systems and data.

It is true to say that very few companies have the technical skills in-house to deal with such attacks, and often the internal IT teams who are under pressure to resolve any event will overwrite critical evidence and greatly reduce the chances of a successful prosecution.

Our investigation teams are made up of highly skilled engineers/developers with a very broad spectrum of skills. Network investigations may include setting up network monitoring capabilities and the subsequent analysis of these traffic captures. Investigations may also include log event analysis from network devices, endpoint security devices and the correlation of these with traffic analysis to track and trace a possible or actual network compromise.

Why perform network forensics and investigation?

  • Identify network intrusions
  • Respond to network attacks
  • Identify specific network user activities
  • Record and analyse network activity
  • Retrieve evidence of employee misconduct
  • Detect theft of intellectual property
  • Detect and investigate virus attacks
  • Detect and investigate ransomware attacks


Don’t know where to start?

Start with an email: why not drop us a line, and we will contact you to discuss your investigation.


How to contact us

Email: info@digital-forensics.co.uk
Tel: +44(0)1634 672677