
Network Forensics — Investigating Cyber Attacks

Anuj Singh (Admin) 31 March 2026 815 views

Network Forensics — Follow the Digital Trail

When a company is breached, network forensics analysts reconstruct what happened from packet captures, flow records and host logs, correlating them into a single timeline of the attacker's activity.

Step 1: Evidence Collection

# Capture live traffic (needs root). -c stops after 100000 packets;
# for a long-running capture rotate files instead (-C <MB> or -G <seconds> with -w)
tcpdump -i eth0 -w evidence.pcap -c 100000

# Collect logs. -p keeps ownership and timestamps; a plain cp stamps every
# file with the collection time and corrupts the timeline. Hash each file
# as soon as it is copied so it can be verified later.
cp -p /var/log/syslog /evidence/
cp -p /var/log/auth.log /evidence/
cp -p /var/log/apache2/access.log /evidence/
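Added example (not code from the original post): a Python script that does what the cp lines above leave out, copying each log with its timestamps preserved and writing a SHA-256 manifest that can be re-checked later (the manifest uses the "hash  filename" layout that sha256sum -c reads). The log lines, file names and directory are constructed for the demo; the live tcpdump capture is left out because it needs root and a network interface.

```python
"""Preserve and hash collected log files so they can be verified later."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources, evidence_dir):
    """Copy each file with shutil.copy2 (keeps mtime) and record its digest.

    Returns the manifest as {file name: sha256} and writes MANIFEST.sha256
    in the evidence directory. The copy is hashed and compared with the
    source so a bad copy is caught at acquisition time, not months later.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {}
    for src in sources:
        name = os.path.basename(src)
        dst = os.path.join(evidence_dir, name)
        shutil.copy2(src, dst)
        manifest[name] = sha256_file(dst)
        if manifest[name] != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match the original")
    with open(os.path.join(evidence_dir, "MANIFEST.sha256"), "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")
    return manifest


def verify(evidence_dir):
    """Re-hash every file named in the manifest; return the names whose digest changed."""
    changed = []
    with open(os.path.join(evidence_dir, "MANIFEST.sha256")) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            if sha256_file(os.path.join(evidence_dir, name)) != digest:
                changed.append(name)
    return changed


def demo():
    """Constructed logs in a temp dir: collect, verify, tamper with one file, verify again."""
    work = tempfile.mkdtemp()
    logs = {  # constructed sample lines, not real evidence
        "auth.log": "Mar 31 10:00:01 web1 sshd[4012]: Accepted password for admin from 203.0.113.7 port 51234\n",
        "access.log": '203.0.113.7 - - [31/Mar/2026:10:00:05 +0000] "POST /login HTTP/1.1" 200 512\n',
    }
    sources = []
    for name, text in logs.items():
        path = os.path.join(work, name)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    evidence = os.path.join(work, "evidence")
    collect(sources, evidence)
    before = verify(evidence)                       # nothing changed yet
    with open(os.path.join(evidence, "auth.log"), "a") as f:
        f.write("tampered\n")                       # simulate post-collection modification
    after = verify(evidence)                        # auth.log now fails the check
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

shutil.copy2 preserves timestamps but not ownership; when ownership matters, collect as root with cp -p or cp -a and hash afterwards in the same way.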

Step 2: Pcap Analysis with Wireshark

# Find suspicious connections (substitute the suspected attacker's address)
ip.addr == suspected_attacker_ip

# Find data exfiltration. tcp.len is the payload of one segment and is capped by
# the MSS (about 1460 bytes on Ethernet), so tcp.len > 10000 matches nothing unless
# the capture was taken on the sending host with segmentation offload enabled.
# Judge volume per conversation instead: Statistics > Conversations, sorted by
# Bytes, and look for internal hosts whose outbound bytes dwarf their inbound.
# As a first cut, large outbound segments from the internal range:
tcp.len > 1000 && ip.src == 10.0.0.0/8

# Find DNS tunneling. A known bad name is the easy case; tunnels also show up
# as unusually long query names, high query rates to one domain and TXT lookups.
dns.qry.name contains "suspiciousdomain"

# Find credential theft over plaintext protocols
http.request.method == "POST"
ftp.request.command == "PASS"

Step 3: Timeline Reconstruction

  1. When did the attacker first connect?
  2. What did they scan?
  3. How did they gain access?
  4. What data did they access/steal?
  5. Did they establish persistence?
  6. Are they still in the network?

Indicators of Compromise (IOC)

  • 🔴 Connections to known malicious IPs
  • 🔴 DNS queries to suspicious domains
  • 🔴 Unusual outbound data volumes
  • 🔴 Beaconing patterns (regular interval callbacks)
  • 🔴 Port scanning activity from internal hosts
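Added example, not part of the original page: a small Python pcap reader, run over a capture that the script constructs itself (three flows, no real traffic), that puts two of the checks above into code. It totals payload per conversation, which is how exfiltration actually shows up (no single segment exceeds the MSS, so a per-packet tcp.len filter misses a 70 KB upload), and it flags beaconing by how regular a host's callbacks to one destination and port are. The addresses, thresholds and the min_period cut-off that keeps a bulk transfer (many segments a few milliseconds apart, also very regular) from being reported as a beacon are choices made for this example, not the post's.

```python
"""Parse a pcap, total bytes per conversation, and flag beaconing hosts."""
import struct
import statistics
from collections import defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap with microsecond timestamps
ETH_IPV4 = 0x0800
PROTO_TCP = 6


def build_packet(ts_sec, ts_usec, src, dst, sport, dport, payload):
    """Serialise one Ethernet/IPv4/TCP packet with its pcap record header (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    frame = b"\x00" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_IPV4) + ip + tcp
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture (not real evidence): a beacon, normal browsing and a bulk upload."""
    base = 1_700_000_000
    records = []
    # 1. beacon: 10.0.0.5 -> 203.0.113.7:443 roughly every 60 s, small fixed payload
    for i, jitter_usec in enumerate([0, 250_000, 100_000, 300_000, 50_000, 200_000, 150_000, 280_000]):
        records.append(build_packet(base + 60 * i, jitter_usec, "10.0.0.5", "203.0.113.7",
                                    50000 + i, 443, b"B" * 120))
    # 2. browsing: the same host to a CDN at irregular intervals
    for i, off in enumerate([0, 3, 4, 30, 31, 95, 100, 200]):
        records.append(build_packet(base + 5 + off, 0, "10.0.0.5", "198.51.100.9",
                                    51000 + i, 443, b"W" * 300))
    # 3. bulk upload: 10.0.0.8 -> 192.0.2.44, fifty MSS-sized segments 10 ms apart
    for i in range(50):
        records.append(build_packet(base + 1000, i * 10_000, "10.0.0.8", "192.0.2.44",
                                    52000, 443, b"X" * 1400))
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(records)


def parse_pcap(data):
    """Yield (timestamp, src, dst, dport, payload_len) for every TCP-over-IPv4 packet."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != PROTO_TCP:
            continue
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        tcp_off = 14 + ihl
        _, dport = struct.unpack_from("!HH", frame, tcp_off)
        doff = (frame[tcp_off + 12] >> 4) * 4
        payload_len = total_len - ihl - doff        # what Wireshark shows as tcp.len
        yield (ts_sec + ts_usec / 1e6, src, dst, dport, payload_len)


def conversation_bytes(packets):
    """Total TCP payload per (src, dst): the per-conversation view, not the per-packet one."""
    totals = defaultdict(int)
    for _, src, dst, _, plen in packets:
        totals[(src, dst)] += plen
    return dict(totals)


def detect_beacons(packets, min_callbacks=5, min_period=5.0, max_cv=0.1):
    """Flag (src, dst, dport) whose inter-arrival gaps are regular (stdev/mean <= max_cv).

    min_period drops flows whose gaps are tiny: a bulk transfer is just as regular as
    a beacon but is not a callback schedule.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, _ in packets:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_callbacks:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean < min_period:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"callbacks": len(ts_list), "period_s": round(mean, 2), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    pkts = list(parse_pcap(build_sample_pcap()))
    print("largest single tcp.len:", max(p[4] for p in pkts))
    for conv, total in sorted(conversation_bytes(pkts).items(), key=lambda kv: -kv[1]):
        print(f"{conv[0]} -> {conv[1]}: {total} bytes")
    for key, info in detect_beacons(pkts).items():
        print("beacon:", key, info)
```

On a real capture, feed parse_pcap the bytes of the evidence file and tune min_period and max_cv to the environment; malware that randomises its sleep will raise the coefficient of variation, so treat a low cv as a lead to confirm against the destination's reputation and the host's process list, not as proof on its own.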

Forensics Career

  • Network Forensics Analyst: ₹10-25 LPA
  • Incident Responder: ₹12-30 LPA
  • Threat Hunter: ₹15-40 LPA

🔥 Learn digital forensics at ONLY4YOU →

Want to Learn This Practically?

Subscribe to ONLY4YOU and get hands-on access to 40+ premium courses — Ethical Hacking, Kali Linux, Metasploit, Network Hacking, Bug Bounty & more!