Network Forensic Analysis: Definition & Purpose | Study.com

What is Network Forensic Analysis?

Network forensic analysis concerns gathering, monitoring and analyzing network activity to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic. Like mobile forensics and digital image forensics, it falls under the umbrella of digital forensics. It is not the same as those other branches, however.

Differences

Network forensic investigations center on data that is volatile, or always changing. This is unlike computer forensics, for example, which deals with static data that does not change. Network forensic data is information in motion, so to speak: it is sent over a network and then gone for good. This means that plans must be put in place before a security incident occurs to capture network data and store it; otherwise, conducting an investigation after the fact is essentially worthless.

Network forensics also differs from other forms of forensics, such as disk forensics, in that it relies on network logs. Network logs store data about traffic and network usage. Other types of forensics may turn to logs in some scenarios, but none depend on them the way network forensics does.

Purpose

The purpose of network forensic analysis is really quite simple. It is typically used where network attacks are concerned. In many cases, it is used to monitor a network in order to proactively identify suspicious traffic or an impending attack. After an incident, it is used to collect evidence by analyzing network traffic data in order to identify the source of the attack.

A typical forensic analysis will follow these steps:

  • Identifying a security threat or attack.
  • Collecting and preserving the evidence.
  • Examining the data that has been gathered.
  • Analyzing collected data and creating conclusions from that data.
  • Presenting the conclusions made.
  • Responding to the incident to initiate a clean-up.

These steps are followed in one of two types of network forensic collection methods:

  1. “Catch it if you can.” This involves gathering all available network traffic and analyzing all of it. This can be a tedious process, with a large volume of data to sort through.
  2. “Stop, look and listen.” This method looks at each data packet on the network, but only keeps those that appear suspicious and in need of additional analysis.
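An added illustration of the two collection methods (example code written for this lesson, not from Study.com), run over constructed flow records such as an intrusion detection system or collector might summarize. The `SAMPLE_FLOWS` values, the rule names in `RULES` and the hashing step in `preserve` are assumptions made for the example, not something the lesson prescribes.

```python
import hashlib
import json

# Constructed sample flow records (not real traffic), one per connection seen.
# Documentation address ranges (203.0.113.0/24, 198.51.100.0/24) stand in for
# external hosts.
SAMPLE_FLOWS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "10.0.0.5", "dst": "10.0.0.9",
     "dport": 443, "bytes": 1200, "flags": "SA"},
    {"ts": "2024-01-01T10:00:04Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "dport": 9001, "bytes": 800, "flags": "PA"},
    {"ts": "2024-01-01T10:00:09Z", "src": "198.51.100.3", "dst": "10.0.0.9",
     "dport": 22, "bytes": 0, "flags": "S"},
    {"ts": "2024-01-01T10:01:30Z", "src": "10.0.0.5", "dst": "10.0.0.20",
     "dport": 443, "bytes": 15_000_000, "flags": "PA"},
    {"ts": "2024-01-01T10:02:00Z", "src": "10.0.0.6", "dst": "10.0.0.9",
     "dport": 53, "bytes": 90, "flags": ""},
]

# Assumed triage rules for the selective method; a real deployment would tune
# these against its own baseline of normal traffic.
RULES = {
    "syn_without_data": lambda f: f["flags"] == "S" and f["bytes"] == 0,
    "uncommon_port": lambda f: f["dport"] not in {53, 80, 443},
    "large_transfer": lambda f: f["bytes"] >= 10_000_000,
}

def catch_it_if_you_can(flows):
    """'Catch it if you can': retain every record and sort it out later."""
    return list(flows)

def stop_look_and_listen(flows, rules):
    """'Stop, look and listen': inspect each record as it passes and keep only
    those a rule flags, recording why so the analyst can re-check the call."""
    kept = []
    for f in flows:
        hits = [name for name, pred in rules.items() if pred(f)]
        if hits:
            kept.append({**f, "reasons": hits})
    return kept

def preserve(records):
    """Serialize retained evidence deterministically and hash it, so the
    examination step can show the data was not altered after collection."""
    blob = json.dumps(records, sort_keys=True).encode()
    return blob, hashlib.sha256(blob).hexdigest()

def verify(blob, digest):
    """Check preserved evidence against the hash recorded at collection time."""
    return hashlib.sha256(blob).hexdigest() == digest
```

With the constructed records, the full-capture method retains all five flows while the selective method keeps three, each tagged with the rule that flagged it.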

Network forensic investigators frequently turn to intrusion detection systems, data collectors or packet capture tools to monitor network traffic and extract the data they need.

Business Need

The business need for network forensic analysis is great – just ask Target. They’re certainly not alone. There has been no shortage lately of major businesses enduring security threats and hacks, which forces organizations to be more proactive and prepared to defend against cyber criminals. Marriott, Yahoo, Equifax, eBay, Home Depot and Uber, among others, have found themselves the victims of cyber attacks.

These security threats come from computer-savvy criminals who can exploit the smallest network vulnerability – even an unsuspecting employee – and wreak havoc on your systems, finances and even your reputation.

The computer company Dell is one example of the business need for quality network forensic analysis. In late 2018, the company noticed suspicious traffic on its network and determined that hackers were trying to gain access to customer data. Dell was able to recognize the attempt and employ countermeasures to halt the breach in its tracks. The incident cost them some money – hiring an outside firm to investigate the incident – and some aggravation – asking customers to change their passwords just in case – but the alternative could’ve been much more problematic for the company and its loyal customers.

Lesson Summary

Network forensic analysis concerns gathering, monitoring and analyzing network activity to uncover the source of attacks, viruses, intrusions or security breaches that occur on a network or in network traffic. It differs most significantly from other forms of digital forensics in that it is concerned with volatile data, which requires a more proactive approach to collection. It also relies on network logs more than other types of digital forensics do. The purpose of network forensic analysis is to monitor network traffic to prevent an attack and to collect evidence afterward to identify the source of an attack.