Sign In
In this module

NF0.1 Why Network Evidence Matters

8 hours · Module 0 · Free
What you already know

You investigate incidents on endpoints. You know how to read an event log, trace a process tree, parse registry artifacts, and scope an attack from EDR telemetry. You've probably used Wireshark to look at a packet capture, maybe filtered by IP or protocol. This sub builds on that baseline — it's not going to teach you what a packet is. What it does is reframe where your current host-based methodology reaches its limits and why the network is the evidence source that fills the gaps.

Operational Objective

Incident response training still treats network evidence as supplementary. You're taught to collect with KAPE, parse with EZ Tools, query with KQL, and scope the investigation from endpoint telemetry. That approach works when the attacker left artifacts on disk. In 2026, the attacks that matter most are the ones that didn't.

Ransomware encrypts the disk you needed to examine. The attacker clears the event logs you needed to read. Memory-only payloads leave no file for your timeline. But every one of those attacks communicated over the network — the C2 beacon phoned home, the exfiltration transferred data, the lateral movement traversed SMB or SSH, and the initial access started with a DNS query to a domain that didn't exist two days ago. The network saw all of it. If your methodology doesn't include network evidence, you are investigating with a structural blind spot.

This sub establishes why network forensics isn't a specialist niche — it's a core investigation competency. You'll understand the four investigation scenarios where network evidence is the only evidence that survives, and where this course fits in the DFIR methodology you already practice.

Deliverable: The four investigation scenarios where network evidence is decisive, the relationship between network and endpoint evidence in a complete investigation, and a clear understanding of what this course builds that the Wireshark skill and existing IR content don't cover.

Estimated completion: 30 minutes
FOUR SCENARIOS WHERE NETWORK EVIDENCE IS DECISIVE Disk Destroyed Ransomware encrypted Wiper deployed System reimaged before IR Network: PCAP + Zeek logs survive independently Logs Cleared Event logs wiped Syslog overwritten Audit trail tampered Network: conn.log recorded every connection Fileless Attack In-memory payload only No disk artifact to find EDR sees process, not data Network: C2 beacon visible in conn.log and ssl.log Timeline Gap Disk timestamps unreliable Timestomping detected Log rotation lost history Network: conn.log provides independent timeline THE INVESTIGATION COVERAGE MODEL Endpoint (IR/WF/ES): What happened ON the system — processes, files, registry, event logs, memory Identity (EI): Who authenticated and what they accessed — sign-in logs, tokens, conditional access Network (NF): What crossed the wire — connections, DNS, protocols, data transfers, C2 channels Complete investigation = endpoint + identity + network. This course builds the third leg.

Figure NF0.1 — Four scenarios where network evidence is the only evidence that survives, and the investigation coverage model. Endpoint forensics tells you what happened on the system. Identity forensics tells you who authenticated. Network forensics tells you what crossed the wire. A complete investigation needs all three.

When Endpoint Evidence Fails

The four scenarios below are the cases where your current methodology hits a wall. They're not edge cases — they're the incidents that reach the CISO's desk because the investigation couldn't answer the critical question from endpoint evidence alone.

Every investigation starts with the same question: what happened? The endpoint tells you what happened on the system — which processes ran, which files changed, which registry keys were modified. The identity layer tells you who authenticated and what they accessed. But neither tells you what the attacker's infrastructure looked like, how much data left the network, what C2 channel maintained their access, or which external domains were involved.

The network answers those questions because the network was the medium. The attacker's commands traveled over it. The exfiltrated data traveled over it. The phishing URL resolved through it. The C2 beacon checked in through it. And unlike disk artifacts, network evidence is often recorded on a separate system — your NSM sensor, your firewall, your proxy logs — that the attacker didn't compromise and couldn't modify.

Scenario 1 — The encrypted disk

The ransomware hit FIN01-NGE at 06:00 UTC on April 18, 2026. By the time the SOC responded at 06:45, the ERP database was encrypted and the attacker's note demanded 50 BTC. The disk is useless for forensics — every file the investigator needs is behind AES-256 encryption the attacker controls.

But the network saw everything that preceded the encryption. Three days of PsExec lateral movement from IT03-NGE. The rclone binary transferring 47 GB to a Tor relay at 185.193.125.44. The Cobalt Strike beacon checking in every 60 seconds with 10% jitter to a domain-fronted HTTPS endpoint. The DNS queries that resolved the attacker's staging infrastructure. The SMB share mapping that connected the attacker to the file server where they staged the data before exfiltrating it.

The disk is gone. The network evidence reconstructs the entire three-day attack chain.

Scenario 2 — The cleared logs

The attacker ran wevtutil cl Security on every compromised host before disconnecting. The Windows Event Logs that would have shown the authentication timeline, the process creation events, the service installations — all gone. The attacker knew what the IR team would look for and deleted it.

But Zeek's conn.log recorded every TCP and UDP connection those hosts made during the attacker's dwell time. The dns.log recorded every domain resolution. The ssl.log recorded every TLS handshake, including the certificate details of the C2 server. The Suricata alerts recorded the PsExec service installation traffic pattern. None of this data was on the compromised hosts — it was on the NSM sensor, which the attacker never touched.

The logs are cleared. The network metadata tells the same story from a different angle.

Scenario 3 — The fileless attack

The attacker's entire toolkit runs in memory. A PowerShell download cradle pulls a .NET assembly directly into the CLR. No file touches the disk. No Prefetch entry. No AmCache record. No MFT entry. The EDR sees powershell.exe making network connections, but the payload is in memory — the EDR's process telemetry shows the connection but not the content.

The network shows what the EDR can't — the full URL of the download cradle, the TLS fingerprint of the C2 server, the beacon pattern that identifies the framework (Cobalt Strike's default JA3 hash is well-documented), and the data that was exfiltrated. The attacker avoided the disk. They couldn't avoid the wire.

Scenario 4 — The timeline gap

The investigation needs to answer: when did the compromise start? Disk timestamps say the first malicious file appeared on March 15. But the attacker used timestomping — the $STANDARD_INFORMATION timestamps on the malware binary were modified to match a legitimate system file from 2024. The $FILENAME timestamps in the MFT show March 15, but you can't be sure the attacker didn't manipulate those too.

The network provides an independent timeline. The dns.log shows the first DNS query to the attacker's C2 domain on March 12 — three days before the earliest disk artifact. The conn.log shows the first connection to the C2 IP on March 12 at 14:22 UTC. This timestamp came from the NSM sensor's system clock, not from the compromised host. The attacker can timestomp files on the endpoint. They can't reach back in time and modify the conn.log entry on a sensor they don't control.

Network Evidence as the Third Leg

Network forensics doesn't replace endpoint investigation — it completes it. The practitioner who can work both evidence sources reconstructs attack chains that either source alone can't reveal.

If you've worked through the Practical IR course on this platform, you've investigated incidents from the endpoint — registry artifacts, event logs, Prefetch, AmCache, KQL queries against Defender XDR telemetry. If you've worked through the Linux IR course, you've done the same from auth.log, /proc, cron, and container forensics. If you've worked through Entra ID Security, you've traced identity attacks through sign-in logs, conditional access evaluation, and OAuth consent chains.

Every one of those courses has moments where the investigation reaches a boundary: the endpoint tells you a connection was made but not what data was transferred. The sign-in log tells you the authentication happened but not what the session was used for at the network level. The event log tells you PsExec was installed but not how much data the attacker moved through the SMB share it opened.

Network forensics lives at those boundaries. When you see DeviceNetworkEvents showing a connection to an external IP in Defender XDR, this course teaches you to find that same connection in Zeek's conn.log and trace it to its DNS resolution, its TLS certificate, its data volume, and its behavioral pattern. When you see an authentication in the sign-in log, this course teaches you to find the corresponding network session and determine what the authenticated user actually did across the wire.

The investigation coverage model works like this: endpoint forensics tells you what happened on the system. Identity forensics tells you who was involved. Network forensics tells you what crossed the wire — the connections, the protocols, the data transfers, and the attacker's infrastructure. A complete investigation needs all three.

What This Course Builds

This isn't a Wireshark tutorial. The existing Wireshark skill on this platform covers display filters and basic protocol analysis. This course starts where that skill ends.

The course builds three capabilities that the existing Ridgeline content doesn't cover:

The first capability is network security monitoring architecture. Where do you place sensors to capture the traffic you need? How do you configure Zeek and Suricata to produce the logs that answer investigation questions? How much storage do you need for full-packet capture at your network's throughput? What happens when you can't decrypt TLS traffic — what can you still see? These are architectural decisions that determine whether network evidence exists when you need it. Module NF1 builds this from scratch — you'll set up a sensor VM that you use for the entire course.

The second capability is protocol-level investigation. Every paid module in this course takes a specific protocol or technique — DNS, HTTP/HTTPS, SMB, SSH, email — and teaches you to distinguish normal traffic from attack traffic. Not at the "this packet has a suspicious payload" level. At the level of: what does a normal DNS query pattern look like for this organization, and what does DNS tunneling look like in comparison? What does legitimate SMB authentication produce, and what does PsExec lateral movement produce? What does a normal TLS handshake look like, and what does a Cobalt Strike beacon's JA3 fingerprint tell you?

The third capability is network-based detection and hunting. Writing Suricata rules that detect specific attack patterns. Building hunting queries in Zeek logs that find C2 beacons by their timing characteristics. Analyzing NetFlow data for exfiltration indicators. Profiling encrypted traffic by its connection behavior when you can't read the content. These are the skills that find attacks before the incident report lands on your desk.

Guided Procedure — Assessing Your Current Network Evidence Gap
Step 1. List the evidence sources you currently use in a typical investigation.
Expected output: Most practitioners list: Windows Event Logs, EDR telemetry, registry artifacts, file system artifacts, authentication logs, and possibly memory captures. Few list PCAP, Zeek logs, or NetFlow.
If you already use Zeek/Suricata: You're ahead of most teams. This course will deepen your methodology and introduce techniques you may not have encountered — JA4+ fingerprinting, Community ID correlation, Zeek scripting for automated detection.
Step 2. For your last three investigations, identify one question you couldn't answer from endpoint evidence alone.
Expected output: Common gaps: "How much data was exfiltrated?" "What was the C2 channel?" "When did the attacker first connect?" "What other systems communicated with the attacker's IP?" — all answerable from network evidence.
If you can't identify gaps: Either your investigations are unusually complete, or you're not asking the questions that network evidence answers. The investigation methodology in NF0.4 will make these gaps visible.
Step 3. Determine whether your organization currently captures any network evidence — PCAP, Zeek logs, Suricata alerts, NetFlow, or proxy logs.
Expected output: Many organizations have some network evidence (firewall logs, proxy logs) but don't have an NSM sensor producing Zeek metadata or full-packet capture. This course teaches you to work with whatever you have and to build the case for what you need.
If your organization captures nothing: The course still works. Every module uses pre-captured PCAP files and Zeek logs from the Northgate Engineering scenarios. You'll learn the methodology on the lab data and build the business case for deploying NSM sensors in your environment.
Decision point

You're presenting an incident report to the CISO after a ransomware attack. The endpoint investigation established the initial compromise (phishing email), the credential theft (mimikatz on IT03-NGE), and the ransomware deployment (LockBit via scheduled task on FIN01-NGE). The CISO asks: "How much data did they take before they encrypted us?"

Your endpoint investigation can't answer this question. The file system is encrypted. The event logs were cleared before encryption. The EDR shows outbound connections from FS01-NGE to an external IP but doesn't record data volumes. You know the attacker had access to the file server for 48 hours before encryption, but you don't know what they did with that access.

If you had Zeek conn.log data, you'd see every connection from FS01-NGE to external IPs during the 48-hour window — including the originator bytes and responder bytes for each connection. You'd see the 12.1 GB transfer to 185.193.125.44 over port 443. You'd see the rclone user-agent string in the HTTP headers. You'd have the answer to the CISO's question: 12.1 GB, transferred to a Tor relay over 32 minutes, starting at 03:00 UTC on April 18.

The decision: do you investigate with the evidence you have and leave the exfiltration question unanswered, or do you build the capability to answer it next time? This course builds that capability.

Compliance Myth: "Our firewall logs give us the same visibility as a network security monitoring sensor"

Firewall logs record permit/deny decisions — source IP, destination IP, port, action. They don't record what happened inside the permitted connections. A firewall log tells you that DESKTOP-NGE042 connected to 203.0.113.88 on port 443 and the connection was permitted. It doesn't tell you the TLS certificate was self-signed, the JA3 fingerprint matched Cobalt Strike, the connection lasted 6 hours with 60-second beacon intervals, or that 2.3 GB of data was transferred outbound.

Zeek's conn.log records the connection duration, originator and responder byte counts, connection state, and Community ID for cross-tool correlation. Zeek's ssl.log records the TLS version, cipher suite, certificate chain, JA3 hash, and server name indication. Zeek's dns.log records every DNS query and response. Suricata inspects the traffic content and fires alerts on known malicious patterns.

Firewall logs tell you a door was opened. NSM sensors tell you what walked through it.

Next
NF0.2 — The Five Network Evidence Types. You've established why network evidence matters. NF0.2 gives you the taxonomy — the five categories of network evidence that structure every module in this course, what each captures, what each misses, and when you use each.
Try it: Map an investigation to network evidence

Setup. Think of an incident you've investigated (or use the INC-NE-2026-0418 ransomware scenario described above if you haven't worked a real case).

Task. For each phase of the attack chain — initial access, execution, persistence, lateral movement, collection, exfiltration — identify which network evidence source would provide visibility. Write down the specific Zeek log or PCAP analysis that would answer the investigation question for each phase.

Expected result. A mapping like: initial access → dns.log (phishing domain resolution) + http.log (URL visited); lateral movement → conn.log (SMB connections between hosts) + smb_files.log (files transferred); exfiltration → conn.log (data volumes to external IPs) + ssl.log (TLS fingerprint of exfil channel). You should be able to map at least 4 of the 6 phases to a specific network evidence type.

Debugging branch. If you can't map the phases: you're not expected to know the specific Zeek log names yet — that's what NF0.2 covers. For this exercise, think in categories: "I'd need to see the DNS queries" (dns.log), "I'd need to see the connections" (conn.log), "I'd need to see what was transferred" (files.log or PCAP). The specifics come in the next sub.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. Name the four investigation scenarios where network evidence is decisive and explain why endpoint evidence fails in each. (§ When Endpoint Evidence Fails)
2. Explain the investigation coverage model — what endpoint, identity, and network forensics each contribute to a complete investigation. (§ Network Evidence as the Third Leg)
3. Articulate the difference between firewall logs and NSM sensor output, and why the distinction matters for investigation. (§ Compliance Myth)
Operational Artifact — Network Evidence Decision Matrix

Use this reference to determine which network evidence source answers each investigation question. The matrix applies to every investigation where network evidence is available — keep it alongside your existing triage checklist.

"When did the attacker first connect?" Check Zeek conn.log for the earliest connection to the attacker's IP or domain. Cross-reference with dns.log for the first DNS query to the attacker's infrastructure. The conn.log timestamp comes from the sensor's clock, not the compromised host — it's an independent timeline.

"How much data was exfiltrated?" Check Zeek conn.log for originator bytes and responder bytes on connections to external IPs during the attacker's dwell time. For encrypted exfiltration, the byte counts show volume even when you can't read the content. For unencrypted protocols, extract files from PCAP with Wireshark or NetworkMiner.

"What was the C2 channel?" Check Zeek ssl.log for TLS certificates and JA3/JA4 fingerprints. Check conn.log for connection patterns — beacon interval, jitter, duration. Check dns.log for DNS-based C2 indicators (high-entropy subdomain queries, TXT record abuse). Suricata alerts may flag known C2 signatures.

"What lateral movement occurred?" Check Zeek conn.log for internal-to-internal connections on SMB (445), RDP (3389), SSH (22), WinRM (5985/5986). Check smb_files.log for file transfers over SMB shares. Check Suricata alerts for PsExec service installation signatures.

"What was the initial access vector?" Check Zeek dns.log for queries to newly-registered or suspicious domains around the time of first compromise. Check http.log for URLs visited from the first compromised host. Check smtp.log for inbound phishing emails if you capture mail traffic.

Document the evidence sources you check and what you find in each — even negative results ("dns.log showed no queries to the reported IOC domain") are investigatively valuable because they narrow the scope.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration
Unlock the full course with Premium See Full Syllabus

Cancel anytime

← Previous Next →