• Because network forensics can be performed for many purposes with dozens of data source types, analysts may use several different tools on a regular basis, each well-suited to certain situations. Analysts should be aware of the possible approaches to examining and analyzing network traffic data and should select the best tools for each case, rather than applying the same tool to every situation.

    My tool of choice is Wireshark because it has an intuitive interface that is easy to navigate.

  • Introduction

    Network forensics is the analysis of data in motion, with specific emphasis on collecting evidence in a manner that supports identifying the culprit. This implies that the quality of the data is paramount, as is the legality of the method used to process it. Network forensics is closely related to network intrusion detection: the distinction is that the former is oriented toward legal proceedings, while the latter is focused on operations.

    Through network forensics, it is possible to retrieve the entire content of e-mails, IM conversations, web browsing sessions, and file transfers from the traffic recorded by network equipment and reassemble it to reconstruct the original transaction.
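    As an added illustration of the reassembly step described above (example code written for this edit, not from the original post), the following Python reorders the captured TCP segments of one connection, discards retransmitted bytes, records any range that was never captured (the data-quality caveat an analyst must report), and parses the recovered HTTP request. The ISN, segment layout and request content are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (client to server) of a single connection."""
    seq: int        # sequence number of the first payload byte
    payload: bytes

def reassemble(segments, initial_seq):
    """Order segments by sequence number, drop retransmitted bytes and pad any
    uncaptured range with zero bytes. Returns (stream, gaps); gaps records
    (first_seq, next_seq) of every missing range, so the analyst knows which
    part of the evidence was never captured."""
    buf, gaps, expected = bytearray(), [], initial_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue  # full retransmission: every byte is already assembled
        if seg.seq > expected:
            gaps.append((expected, seg.seq))
            buf.extend(b"\x00" * (seg.seq - expected))
            expected = seg.seq
        buf.extend(seg.payload[expected - seg.seq:])  # skip overlapping prefix
        expected = end
    return bytes(buf), gaps

def parse_http_request(stream):
    """Split a reassembled client stream into method, path, headers and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "path": path.decode(),
            "headers": headers, "body": body}

# Constructed sample: one HTTP POST captured as four segments that arrived
# out of order, with one full retransmission (not real traffic).
ISN = 1000
STREAM = (b"POST /upload HTTP/1.1\r\nHost: files.example\r\n"
          b"Content-Length: 11\r\n\r\nhello world")
SAMPLE_SEGMENTS = [
    Segment(ISN + 40, STREAM[40:60]),  # arrived before the first segment
    Segment(ISN, STREAM[:40]),
    Segment(ISN, STREAM[:40]),         # retransmitted copy
    Segment(ISN + 60, STREAM[60:]),
]
```

Feeding `SAMPLE_SEGMENTS` to `reassemble` and then `parse_http_request` recovers the POST intact; omitting a segment yields a non-empty `gaps` list, which is what tells the analyst the reconstruction is incomplete.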