What is Network Forensics?
The capture, recording, and analysis of network traffic to detect intrusions, investigate incidents, and monitor for data exfiltration.
Network forensics examines the data flowing across networks rather than data stored on devices.
What's Captured
- Full packet captures (PCAP) of all network traffic
- Network flow data (who talked to whom, when, how much)
- DNS queries
- HTTP/HTTPS metadata
- Email headers
Tools
- Wireshark: Packet capture and analysis
- tcpdump: Command-line packet capture
- Zeek (Bro): Network security monitor
- NetworkMiner: Network forensic analysis tool
Privacy Defense
- VPN encrypts traffic, making packet content unreadable to anyone observing the path between the device and the VPN endpoint
- Tor obscures traffic patterns and destinations
- DNS-over-HTTPS prevents on-path monitoring of DNS queries, though the DoH resolver itself still sees them
- End-to-end encryption ensures content is protected even if captured
Related Terms
Forensic Analysis
The scientific examination of digital devices and data to recover evidence, used by law enforcement and incident responders.
Packet Inspection
The practice of examining data packets as they pass through a network checkpoint, ranging from basic header analysis to deep content inspection.
Traffic Analysis
The process of examining patterns in communication metadata—who talks to whom, when, how often, and how much—to extract intelligence without accessing content. Even encrypted communications leak metadata that can reveal sensitive information.
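The following script, added here as an example and not part of the original page, ties the flow records listed under What's Captured to the point made under Traffic Analysis: it aggregates constructed NetFlow-style records by source and destination and flags internal hosts pushing large volumes outward, without ever reading payload. The column layout, the 10.0.0.0/8 internal range and the byte threshold are assumptions.

```python
"""Flow-metadata exfiltration check: sum outbound bytes per internal source
host and external destination, then flag pairs over a volume threshold.
Only metadata (addresses, ports, byte counts) is used, so the check works
on encrypted traffic just as well as on plaintext."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample flow records (not captured from a real network).
# Columns: start time, source, destination, destination port,
# bytes sent by the source, bytes received by the source.
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes_out,bytes_in
2024-05-01T09:00:01,10.0.0.12,198.51.100.7,443,1200,85000
2024-05-01T09:01:10,10.0.0.12,198.51.100.7,443,900,40000
2024-05-01T09:02:30,10.0.0.25,203.0.113.9,443,52000000,3200
2024-05-01T09:03:15,10.0.0.25,203.0.113.9,443,48000000,2900
2024-05-01T09:04:00,10.0.0.31,10.0.0.5,445,30000000,1000
"""

# Assumed internal address space; adjust to the monitored network.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def outbound_volume(flow_csv: str) -> dict:
    """Sum bytes_out per (src, dst) for flows leaving the internal ranges.
    Internal-to-internal flows (e.g. the SMB flow above) are ignored."""
    totals = defaultdict(int)
    for row in csv.DictReader(StringIO(flow_csv)):
        if is_internal(row["src"]) and not is_internal(row["dst"]):
            totals[(row["src"], row["dst"])] += int(row["bytes_out"])
    return dict(totals)

def flag_exfil(flow_csv: str, threshold_bytes: int = 50_000_000) -> list:
    """Return (src, dst, bytes_out) tuples above the threshold, largest first.
    Port 443 traffic is still flagged: the TLS payload is opaque, but the
    direction and volume are visible in the flow metadata."""
    hits = [(src, dst, n) for (src, dst), n in outbound_volume(flow_csv).items()
            if n > threshold_bytes]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    for src, dst, n in flag_exfil(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {n / 1e6:.1f} MB outbound")
```

The ordinary browsing host (10.0.0.12) receives far more than it sends and stays under the threshold; the host sending 100 MB to one external address over TLS is reported even though none of its content was inspected.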