HackCert
Intermediate 10 min read May 25, 2026

Network Forensics: Tracing Cyber Attacks via Traffic Analysis

Learn the fundamentals of network forensics, detailing how analysts capture, analyze, and interpret network traffic to investigate cyber incidents and trace threat actors.

Rokibul Islam
Incident Responder
Overview

When a cyber breach occurs, digital forensics and incident response (DFIR) teams must piece together the narrative of the attack. While endpoint forensics focuses on analyzing the compromised hard drives and volatile memory of individual machines, it often only tells half the story. To truly understand how an attacker entered the environment, what they did while they were inside, and what data they successfully exfiltrated, investigators must look to the network.

Every action an attacker takes—from the initial reconnaissance scan to the final deployment of ransomware—generates network traffic. Network Forensics is the specialized discipline of capturing, analyzing, and interpreting this digital communication. It is the art of finding the needle in the proverbial haystack, parsing through gigabytes or terabytes of network data to reconstruct the timeline of a cyber incident.

In this comprehensive guide, we will explore the core methodologies of Network Forensics. We will detail the differences between full packet capture and flow data, examine the essential tools used by analysts, and outline the strategic approach to investigating complex network-based attacks.

The Unique Value of Network Evidence

Network forensics provides a perspective that endpoint forensics simply cannot match. While an advanced attacker might successfully deploy sophisticated anti-forensic techniques—such as wiping log files, deleting tools, or running fileless malware entirely in RAM—they cannot avoid generating network traffic.

If an attacker wants to extract stolen data, they must transmit it over the network. If they want to communicate with their Command and Control (C2) servers, they must generate network packets. This makes network evidence incredibly resilient against tampering. If the organization has properly configured network sensors capturing traffic before the attacker compromises an endpoint, the attacker cannot retroactively alter or delete the captured network logs. The network does not lie.

Furthermore, network forensics provides crucial context regarding lateral movement. Endpoint logs might show that a specific server was compromised, but network analysis will reveal exactly which other machines the attacker attempted to access from that compromised server, painting a complete picture of the blast radius.

Methods of Network Data Collection

The effectiveness of a network forensic investigation is entirely dependent on the quality and granularity of the data the organization collects. Investigators rely on two primary types of network evidence: Full Packet Capture (PCAP) and Flow Data.

Full Packet Capture (PCAP)

Full Packet Capture (PCAP) is the gold standard of network forensics. It involves recording every single bit of data that traverses a specific point on the network. A PCAP file contains the complete headers and the full payload of every packet.

If an attacker transmits an unencrypted file over FTP, the PCAP file will contain the actual contents of that file. If they attempt an SQL injection attack against a web server, the PCAP will record the exact malicious SQL query. This level of detail allows investigators to perfectly reconstruct network sessions and definitively prove exactly what occurred.

However, capturing everything is immensely expensive. Enterprise networks generate massive volumes of traffic—often gigabytes per second. Storing full PCAP data requires massive, specialized storage arrays, and organizations typically only have the capacity to retain PCAP files for a few days before the storage rolls over and overwrites the oldest data.

Flow Data (NetFlow / IPFIX)

Because storing full PCAP is often cost-prohibitive for long-term retention, organizations rely heavily on Flow Data, commonly implemented using protocols like Cisco's NetFlow or the standardized IPFIX.

If PCAP is a full audio recording of a telephone conversation, Flow Data is simply the itemized phone bill. Flow data does not record the actual payload (the contents) of the packet. Instead, it records metadata about the communication: the source IP address, the destination IP address, the source and destination ports, the protocol used (TCP/UDP), the total number of bytes transferred, and the start and end time of the connection.

While it lacks the granular detail of PCAP, Flow Data is incredibly lightweight. An organization can easily store months or even years of Flow Data. This is invaluable for historical investigations. If an organization discovers an indicator of compromise (IOC)—such as a known malicious IP address—investigators can quickly query historical Flow Data to see if any internal machines communicated with that IP address over the past six months, even if the PCAP data has long since been overwritten.
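The historical IOC lookback described above, as an added example that is not part of the original article: it parses a small constructed export of NetFlow/IPFIX-style records (the IOC address and the internal hosts are made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and reports every internal host that exchanged traffic with the IOC inside a lookback window.

```python
# Added example (not from the article): query constructed flow records for an IOC IP.
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of exported flow records (NetFlow/IPFIX-style fields).
# The IOC 203.0.113.77 and all hosts are made up for this example.
FLOW_CSV = """start,end,src_ip,dst_ip,src_port,dst_port,proto,bytes
2026-01-14T09:12:03,2026-01-14T09:12:05,10.0.5.21,203.0.113.77,51432,443,TCP,1840
2026-02-02T22:41:10,2026-02-02T23:15:44,10.0.5.21,203.0.113.77,51877,443,TCP,734003200
2026-02-02T22:50:00,2026-02-02T22:50:01,10.0.7.8,198.51.100.9,44120,53,UDP,212
2026-03-19T01:05:12,2026-03-19T01:05:13,10.0.9.3,203.0.113.77,60001,8443,TCP,4096
2025-04-01T10:00:00,2025-04-01T10:00:02,10.0.5.21,203.0.113.77,40000,443,TCP,900
"""

def parse_flows(text):
    """Parse a CSV flow export into dicts with datetime and int fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["start"] = datetime.fromisoformat(r["start"])
        r["end"] = datetime.fromisoformat(r["end"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows

def ioc_lookback(flows, ioc_ip, since, until):
    """Return {internal_host: (flow_count, total_bytes, first_seen, last_seen)} for
    every host that talked to ioc_ip (either direction) between the ISO timestamps."""
    since, until = datetime.fromisoformat(since), datetime.fromisoformat(until)
    hits = defaultdict(lambda: [0, 0, None, None])
    for f in flows:
        if ioc_ip not in (f["src_ip"], f["dst_ip"]):
            continue
        if not (since <= f["start"] <= until):
            continue  # outside the lookback window
        host = f["dst_ip"] if f["src_ip"] == ioc_ip else f["src_ip"]
        h = hits[host]
        h[0] += 1
        h[1] += f["bytes"]
        h[2] = f["start"] if h[2] is None else min(h[2], f["start"])
        h[3] = f["end"] if h[3] is None else max(h[3], f["end"])
    return {k: tuple(v) for k, v in hits.items()}

if __name__ == "__main__":
    res = ioc_lookback(parse_flows(FLOW_CSV), "203.0.113.77", "2025-10-01T00:00:00", "2026-04-01T00:00:00")
    for host, (n, nbytes, first, last) in res.items():
        print(f"{host}: {n} flows, {nbytes} bytes, {first} -> {last}")
```

The large byte count on the second 10.0.5.21 flow is the kind of outbound volume that would justify pulling whatever PCAP still exists for that window.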

The Network Forensics Investigative Process

Analyzing network traffic requires a systematic approach. Dumping a massive PCAP file into an analysis tool without a clear methodology is a recipe for overwhelming frustration. Investigators generally follow a structured process to isolate the malicious activity.

1. Baselining and Anomaly Detection

Before you can find the malicious traffic, you must understand what normal traffic looks like. This is known as baselining. Security teams use specialized Network Detection and Response (NDR) tools to monitor the network during normal business operations, establishing baselines for typical communication patterns.

During an investigation, analysts look for deviations from this baseline. This might include a server that typically only communicates with internal databases suddenly initiating a massive outward data transfer to an unknown IP address in a foreign country, or an endpoint suddenly attempting to connect to hundreds of other internal machines on port 445 (a common indicator of ransomware attempting to propagate via SMB).

2. Filtering and Isolation

A 10-gigabyte PCAP file contains millions of packets. The analyst's first task is to aggressively filter out the "noise"—the legitimate background traffic—to isolate the specific communication related to the incident.

Using tools like Wireshark or tcpdump, analysts apply precise display filters. For example, if an IDS alert indicates a potential exploit attempt against a specific web server, the analyst will filter the PCAP to show only traffic destined for that server's IP address on port 80 or 443 during the specific timeframe of the alert. This reduces the dataset from millions of packets to a manageable few thousand, allowing for deep, manual inspection.

3. Protocol Analysis and Payload Reconstruction

Once the relevant traffic is isolated, the analyst must decode the communication. This requires a deep understanding of network protocols. Is the traffic HTTP, DNS, SMB, or a proprietary C2 protocol?

If the traffic is unencrypted, the analyst can utilize tools to extract files or reconstruct the entire TCP session, reading the exact commands sent by the attacker. They will analyze the HTTP request headers for malicious User-Agent strings, look for base64 encoded payloads in the URI, or extract malicious executables that were downloaded during the session.

4. Correlation and Timeline Reconstruction

Network analysis does not happen in a vacuum. The final phase is correlating the network findings with endpoint logs, firewall alerts, and threat intelligence.

If the network analysis reveals that a machine downloaded a suspicious file at 10:00 AM, the investigator will check the endpoint's antivirus logs and process creation events for that exact minute to determine if the file successfully executed. By combining these disparate data sources, the DFIR team constructs a definitive, minute-by-minute timeline of the attack lifecycle, detailing the initial access vector, the lateral movement pathways, and the final impact.
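As an added example (not from the article) of the baselining step, this script constructs a week of normal SMB flow records plus one incident day, counts distinct TCP/445 peers per source host in each window, and flags the host whose fan-out jumps far above its own baseline, the propagation pattern described under step 1. Thresholds and hosts are assumptions for illustration.

```python
# Added example (not from the article): baseline-versus-incident fan-out detection on
# TCP/445 (SMB) over constructed flow records of the form (start, src_ip, dst_ip, dst_port).
from collections import defaultdict
from datetime import datetime, timedelta

def make_records():
    """Construct sample flow records: seven quiet days, then a port-445 sweep."""
    recs = []
    base = datetime(2026, 2, 1)
    # Normal activity: each workstation talks to two file servers once a day.
    for day in range(7):
        for ws in ("10.0.5.21", "10.0.5.22", "10.0.5.23"):
            for srv in ("10.0.1.10", "10.0.1.11"):
                recs.append((base + timedelta(days=day, hours=9), ws, srv, 445))
    # Incident window: one workstation touches 150 hosts in 10.0.6.0/24 on port 445.
    t0 = datetime(2026, 2, 8, 3, 14)
    for i in range(1, 151):
        recs.append((t0 + timedelta(seconds=i), "10.0.5.21", f"10.0.6.{i}", 445))
    return recs

def distinct_peers(records, dst_port, start, end):
    """Distinct destination count per source on dst_port within [start, end)."""
    peers = defaultdict(set)
    for ts, src, dst, dport in records:
        if dport == dst_port and start <= ts < end:
            peers[src].add(dst)
    return {src: len(s) for src, s in peers.items()}

def fanout_anomalies(baseline, current, factor=10, min_peers=20):
    """Flag sources whose current peer count is >= min_peers and >= factor times
    their baseline (a host never seen in the baseline is treated as baseline 1)."""
    return {src: n for src, n in current.items()
            if n >= min_peers and n >= factor * baseline.get(src, 1)}

def run():
    recs = make_records()
    base = distinct_peers(recs, 445, datetime(2026, 2, 1), datetime(2026, 2, 8))
    cur = distinct_peers(recs, 445, datetime(2026, 2, 8), datetime(2026, 2, 9))
    return fanout_anomalies(base, cur)

if __name__ == "__main__":
    for src, n in run().items():
        print(f"{src}: {n} distinct SMB peers in the incident window")
```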

Tools of the Trade in Network Forensics

The network forensics toolkit relies heavily on powerful software capable of parsing complex protocols and handling massive datasets.

Wireshark and TShark

Wireshark is the undisputed industry standard for graphical packet analysis. It allows analysts to open PCAP files, apply complex color-coding rules, construct highly specific display filters, and easily follow TCP/UDP streams to view the entire conversation between two hosts.

TShark is the command-line equivalent of Wireshark. It is utilized by advanced analysts for automated analysis, parsing massive PCAP files in headless environments, and piping the extracted network data into other forensic tools or scripting languages for further processing.

Zeek (Formerly Bro)

Zeek is not an active intrusion prevention system; it is a powerful, passive network analysis framework. While Wireshark is designed for manual, deep-dive analysis of individual packets, Zeek operates at a higher level, interpreting the network traffic and generating highly structured, comprehensive logs.

Zeek automatically parses dozens of complex protocols. It generates specific logs for HTTP connections (detailing the URI, User-Agent, and response codes), DNS queries, SSL/TLS certificates, and file transfers. Instead of manually digging through a massive PCAP in Wireshark, an analyst can simply query Zeek's structured logs to quickly determine, for instance, exactly which domains were requested by a specific IP address during a specific hour.
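The "which domains did this IP request during this hour" query above, as an added example that is not part of the article: it parses a constructed Zeek dns.log, honouring the #separator, #fields and #unset_field header directives that real Zeek TSV logs carry (the sample is trimmed to a few of dns.log's columns; hosts and names are made up).

```python
# Added example (not from the article): query a constructed Zeek dns.log (TSV with
# #fields/#types headers, trimmed to a few columns) for the names one host resolved
# during a given hour.
import codecs
from datetime import datetime

def tsv(*cells):
    return "\t".join(cells)

# Constructed sample; real dns.log files carry more columns but the same header layout.
DNS_LOG = "\n".join([
    "#separator \\x09",
    tsv("#set_separator", ","),
    tsv("#unset_field", "-"),
    tsv("#path", "dns"),
    tsv("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "query", "qtype_name", "answers"),
    tsv("#types", "time", "string", "addr", "addr", "string", "string", "vector[string]"),
    tsv("1770069662.114", "CkP1aQ2", "10.0.5.21", "10.0.0.2", "updates.example.com", "A", "203.0.113.10"),
    tsv("1770069701.553", "CkP1aQ3", "10.0.5.21", "10.0.0.2", "a7f3.cdn-sync.example", "A", "198.51.100.9"),
    tsv("1770069730.002", "CkP1aQ4", "10.0.7.8", "10.0.0.2", "mail.example.com", "MX", "-"),
    tsv("1770073300.771", "CkP1aQ5", "10.0.5.21", "10.0.0.2", "a7f3.cdn-sync.example", "A", "198.51.100.9"),
    tsv("#close", "2026-02-02-23-10-00"),
])

def parse_zeek_log(text):
    """Yield one dict per record, honouring #separator, #fields and #unset_field."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")  # "\x09" -> tab
        elif line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#unset_field":
                unset = vals[0]
        elif fields and line:
            vals = line.split(sep)
            yield {k: (None if v == unset else v) for k, v in zip(fields, vals)}

def queries_by_host(text, host, hour_start_iso):
    """Distinct query names host resolved in the hour starting at hour_start_iso (with UTC offset)."""
    lo = datetime.fromisoformat(hour_start_iso).timestamp()
    hi = lo + 3600
    return sorted({r["query"] for r in parse_zeek_log(text)
                   if r["id.orig_h"] == host and lo <= float(r["ts"]) < hi})
```

Calling queries_by_host(DNS_LOG, "10.0.5.21", "2026-02-02T22:00:00+00:00") returns the two names that host resolved in the 22:00 UTC hour and leaves out its 23:01 lookup.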

Security Information and Event Management (SIEM)

In modern enterprise environments, network forensic analysis is heavily integrated into the SIEM (Security Information and Event Management) platform. The SIEM ingests the Flow Data, firewall logs, Zeek logs, and alerts from Intrusion Detection Systems (IDS).

The SIEM acts as the central pane of glass for the analyst. It allows investigators to write complex queries across massive, correlated datasets, rapidly searching for Indicators of Compromise (IOCs) across the entire enterprise network architecture without having to manually parse individual log files.

The Challenge of Encrypted Traffic

The greatest modern challenge to Network Forensics is the ubiquitous adoption of encryption. With the vast majority of web traffic utilizing HTTPS (TLS/SSL), the actual payloads of the network packets are unreadable to the forensic analyst without access to the session keys.

If an attacker uses a sophisticated, encrypted C2 channel, the analyst cannot read the commands being sent or extract the files being exfiltrated. However, this does not render network forensics obsolete. Analysts must pivot their focus from analyzing the payload to analyzing the encrypted metadata.

Techniques such as JA3 fingerprinting allow analysts to identify specific malware families or malicious tools based on the distinctive way they negotiate the TLS connection (the parameters a client offers in its TLS ClientHello, reduced to a compact fingerprint), without ever needing to decrypt the traffic. Furthermore, analyzing the frequency, size, and timing of the encrypted packets (beaconing analysis) can often reveal the presence of a C2 channel, even if the contents of the communication remain hidden.
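Both metadata-only techniques from the paragraph above, as an added example that is not part of the article: a JA3 fingerprint built from ClientHello parameters in the documented JA3 string layout, and a beaconing score that measures how regular the inter-connection gaps are between a source/destination pair. The jitter threshold, the minimum sample count and the constructed connection timings are assumptions for illustration.

```python
# Added example (not from the article): two metadata-only checks on encrypted traffic.
# (1) build the JA3 fingerprint string from ClientHello parameters and hash it;
# (2) score connection timings per (src, dst) pair for beacon-like regularity.
import hashlib
import statistics
from collections import defaultdict

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}  # RFC 8701 reserved values, excluded from JA3

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 = 'Version,Ciphers,Extensions,Curves,PointFormats' with '-' inside each list."""
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])

def ja3_hash(*args):
    return hashlib.md5(ja3_string(*args).encode()).hexdigest()

def beacon_scores(events, min_conns=6):
    """events: iterable of (epoch_seconds, src_ip, dst_ip). Returns
    {(src, dst): (count, median_gap, jitter)} where jitter is the coefficient of
    variation of the inter-arrival gaps; low jitter suggests a fixed sleep timer."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue  # too few samples to say anything about periodicity
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / med if med > 0 else float("inf")
        scores[pair] = (len(ts), med, round(jitter, 3))
    return scores

def flag_beacons(scores, max_jitter=0.2):
    return {pair: s for pair, s in scores.items() if s[2] <= max_jitter}

# Constructed events: a 60 s (+/-1 s) beacon to 203.0.113.77 and irregular browsing to 198.51.100.9.
BEACON = [(1000 + 60 * i + (i % 3) - 1, "10.0.5.21", "203.0.113.77") for i in range(12)]
BROWSING = [(1000 + t, "10.0.5.22", "198.51.100.9") for t in (0, 4, 90, 95, 97, 400, 401, 900)]

if __name__ == "__main__":
    print(flag_beacons(beacon_scores(BEACON + BROWSING)))
```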

Key Takeaways

Network Forensics is an indispensable component of the modern cybersecurity apparatus. It provides the undeniable ground truth of a cyber incident, revealing the pathways attackers use to infiltrate environments and extract data.

As enterprise networks grow increasingly complex, moving toward distributed architectures and encrypted communications, the role of the network analyst becomes more critical and challenging. By mastering the fundamentals of packet analysis, leveraging powerful analytical frameworks like Zeek, and adapting to the challenges of encrypted traffic, DFIR teams can effectively trace the digital footprints of even the most sophisticated threat actors, turning the network into the ultimate investigative tool.

Ready to test your knowledge? Take the Network Forensics MCQ Quiz on HackCert today!
