Chapter 23 — Key Takeaways
The big idea
On the network, the default state of all evidence is destroyed — and that single fact inverts everything this book taught about disks. Deletion on storage removes a pointer while the bytes persist; a packet, by contrast, exists for microseconds and then is simply gone, with no slack to carve and no journal to replay. So the only network evidence you will ever have is what some sensor decided to write down as the traffic passed. That makes capture coverage the most consequential decision in network forensics — and it is made long before any incident, by whoever designed the monitoring. Your job after the fact is to inventory what was watching, start from the lean-but-long sources to find and bound an event in time, pivot to the rich-but-short sources to characterize it, corroborate across independent records, normalize every clock to UTC, and state each finding with its limits. And because the network's witnesses live on infrastructure the suspect never controls, anti-forensics on the endpoint cannot reach them: the disk can be wiped, but the proxy, DNS, flow, and Zeek records remain.
Where network evidence lives
| Source | Gives you | Retention |
|---|---|---|
| Full packet capture (PCAP) | every byte — content | hours–days (huge) |
| IDS/IPS alerts (Snort/Suricata) | signatures fired — leads | days |
| Zeek logs (conn/dns/http/ssl/files) | structured metadata + file hashes | weeks–months |
| Proxy logs | URLs/CONNECT host, user, bytes | weeks–months |
| DNS logs | names resolved (beacon/DGA/tunnel) | weeks–months |
| Firewall logs | 5-tuple + verdict + bytes | weeks–months |
| NetFlow / IPFIX / sFlow | 5-tuple + counts — metadata only | months+ |
Start at the bottom to locate the event cheaply; climb toward the top only for the window you have to prove.
Capture it like evidence
-s 0is mandatory. A small snaplen clips every packet; the payload past the boundary is gone. Verifyincl_len == orig_len.- Resolve nothing during capture (
-nn); rotate, don't run one giant file (-C/-W/-G, ordumpcap -b). Usepktmonon a Windows host with nothing installed. - The PCAP is the original — hash it the moment capture stops (
capinfos -H), work on copies, log the chain of custody (host, clock/NTP, TAP vs SPAN, times in UTC, snaplen, any filter, hash). - Know the magic bytes:
D4 C3 B2 A1classic µs little-endian,A1 B2 C3 D4big-endian,4D 3C B2 A1nanosecond,0A 0D 0D 0APCAPNG. - Capture filter (BPF) = destructive; display filter (Wireshark) = non-destructive. With authority and storage, capture broadly and narrow later — you can never un-filter what you refused to record.
Content vs metadata — the line that decides law and storage
- Content in transit → the high-bar Wiretap Act (Title III, ECPA). Real-time metadata → Pen Register / Trap-and-Trace. Stored records → Stored Communications Act. Confirm authority with counsel before you capture.
- Flow is metadata only: it proves who, how long, and how many bytes — never what. That is why it is tiny (tens of bytes per conversation) and kept for months while full PCAP (≈10.8 TB/day per saturated 1 Gbps link) survives only hours.
DNS narrates; Zeek structures; alerts are leads
- DNS tells the story: beaconing (low coefficient of variation of inter-arrival times + high count), DGA (high label entropy + NXDOMAIN floods), tunneling (long high-entropy labels,
TXT/NULLfloods to one domain). DoH/DoT blind the DNS log — pivot to TLS SNI and endpoint DNS-client logs. - Zeek is the network's logbook: join every log by the
uid; inconn.log,orig_bytes ≫ resp_bytesis the upload fingerprint,conn_state SFis a clean session, and thehistorystring narrates the connection. - Even TLS leaks the destination: the SNI and the preceding DNS query usually reveal who was contacted. Proxy logs attribute an HTTPS upload to a named user even without reading the payload.
- An IDS alert is a lead, not a finding — corroborate with flow, proxy, Zeek, and any capture before you write a word.
The walls (know your limits)
- Encryption (TLS 1.3, QUIC, ECH) hides content; you can prove N bytes to destination D at time T, not what.
- Coverage: packets never captured are gone; sampled flow misses low-and-slow exfiltration.
- Attribution: an IP is a locator, not a person (NAT/CGNAT, VPN/Tor, shared hosts, spoofing).
- Clock skew corrupts fusion — the clock is evidence; record every source's offset.
You can now…
- ☐ Capture traffic forensically (
tcpdump/dumpcap, full snaplen, no live resolution, rotation), hash it, and document its chain of custody; and recognize PCAP/PCAPNG by magic bytes. - ☐ Distinguish destructive capture filters from non-destructive display filters, and choose full capture vs flow by the content-vs-metadata and storage tradeoff.
- ☐ Analyze a PCAP — follow streams, read conversation statistics for upload asymmetry, and export/hash transferred files.
- ☐ Read DNS for beaconing, DGA, and tunneling; mine firewall, proxy, and Zeek logs (joined by
uid); and turn IDS alerts into corroborated findings. - ☐ Detect exfiltration by stacking signals, fuse a UTC-normalized network timeline with endpoint artifacts, and state the limits encryption, coverage gaps, and IP-not-person impose.
Looking ahead
Chapter 24 — Mobile Device Forensics. The investigation leaves the wire for the pocket: logical, file-system, and physical acquisition; the SQLite databases and plists where iOS and Android keep messages, location, and app data; and why the most personal device a person owns is also the most locked-down. Technology changes; principles don't.
One sentence to carry forward: The wire forgets everything except what a sensor wrote down — so know what was watching, prove only what the records support, and remember that an IP address is a place, not a person.