Analyzing Network Evidence

Chapter 4, Collecting Network Evidence, explored how incident responders and security analysts can acquire network-based evidence for later evaluation. That chapter focused on two primary sources of that evidence: network log files and network packet captures. This chapter shows which tools and techniques are available to examine the evidence acquired. Incorporating these techniques into an incident response investigation can give incident response analysts insight into the network activity of possible threats. In this chapter, the following main topics will be addressed:

  • Network evidence overview: Adversaries are bound by the same network protocols that govern normal network traffic. Adversarial techniques that can be identified through proper analysis of network data are addressed.
  • Analyzing firewall and proxy logs: Adversaries need to make initial and continued connections to their infrastructure. Network devices such as firewalls and proxies may provide a source of evidence in their log files.
  • NetFlow: NetFlow records metadata about connections between devices on the network. Used primarily to troubleshoot connectivity and bandwidth issues, NetFlow can also be used by responders to gain insight into the movement of data in relation to an incident.
  • Packet captures: One of the best sources of evidence during an incident is packet captures. Dissecting them can uncover data exfiltration, exploits, and command and control.
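The firewall/proxy log and NetFlow topics above both come down to the same analytic move: group connection records by internal source and external destination, then look at volume and timing. The following is an added example, not code from the book or its author, showing that aggregation in Python over a constructed, simplified CSV flow export (start time, source, destination, destination port, protocol, bytes). The column layout, the 10.0.0.0/8 internal range, and the sample records are all assumptions; real exporters such as nfdump or SiLK use their own formats, so only the parser would need to change.

```python
"""Summarise outbound flows to surface data movement and repeated connections.

Added example (not the book's code). Input is an assumed, simplified CSV
export; real NetFlow tooling produces different layouts.
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not real traffic). Workstation 10.0.5.23 makes
# small, evenly spaced connections to 203.0.113.10:443 and then one large
# upload; 10.0.5.40 shows ordinary browsing plus an internal SMB flow.
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2023-03-01T09:00:00,10.0.5.23,203.0.113.10,443,tcp,1200
2023-03-01T09:05:00,10.0.5.23,203.0.113.10,443,tcp,1180
2023-03-01T09:10:00,10.0.5.23,203.0.113.10,443,tcp,1210
2023-03-01T09:15:00,10.0.5.23,203.0.113.10,443,tcp,1195
2023-03-01T09:16:12,10.0.5.23,203.0.113.10,443,tcp,48500000
2023-03-01T09:02:31,10.0.5.40,198.51.100.7,443,tcp,85000
2023-03-01T09:11:05,10.0.5.40,198.51.100.9,80,tcp,12000
2023-03-01T09:12:44,10.0.5.40,10.0.5.5,445,tcp,300000
"""

# Assumed internal address space; adjust to the environment under review.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return flows


def outbound_summary(flows, internal=INTERNAL):
    """Group flows leaving the internal range by (src, dst, dport).

    For each group return the flow count, total bytes and the median gap in
    seconds between consecutive flow starts (None when there is only one
    flow). A stable median gap with many flows is worth a closer look at the
    destination; a large byte total is a candidate for data exfiltration.
    """
    groups = defaultdict(list)
    for f in flows:
        if f["src"] in internal and f["dst"] not in internal:
            groups[(str(f["src"]), str(f["dst"]), f["dport"])].append(f)

    summary = {}
    for key, group in groups.items():
        group.sort(key=lambda f: f["start"])
        gaps = [(later["start"] - earlier["start"]).total_seconds()
                for earlier, later in zip(group, group[1:])]
        summary[key] = {
            "flows": len(group),
            "bytes": sum(f["bytes"] for f in group),
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return summary


def top_talkers(summary, n=3):
    """Return the n (src, dst, dport) pairs with the most outbound bytes."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    summary = outbound_summary(parse_flows(SAMPLE_FLOWS))
    for (src, dst, dport), stats in top_talkers(summary):
        print(f"{src} -> {dst}:{dport}  flows={stats['flows']}  "
              f"bytes={stats['bytes']}  median_gap_s={stats['median_gap_s']}")
```

Run stand-alone, the script lists the external destinations ranked by bytes sent; the 10.0.5.23 to 203.0.113.10 pair rises to the top both on volume and on its regular five-minute spacing, which is the kind of pattern a responder would then confirm in the full packet capture. Internal-to-internal flows are deliberately excluded here so that the view stays focused on connections to outside infrastructure.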
