NF0.12 Module Summary

8 hours · Module 0 · Free

Module Summary — The Network Evidence Landscape

This module established the foundation for every module that follows. Here's what you covered and what it means for the investigations ahead.

What You Learned

Why network evidence matters (NF0.1). Four investigation scenarios where network evidence is the only evidence that survives: encrypted disks, cleared logs, fileless attacks, and timeline gaps. Network forensics completes the investigation that endpoint evidence alone can't close. The investigation coverage model: endpoint tells you what happened on the system, identity tells you who was involved, network tells you what crossed the wire.

The five evidence types (NF0.2). Full PCAP (everything, expensive), Zeek metadata (structured logs, best investigation value per byte), IDS alerts (fast detection, limited scope), NetFlow (connection volumes, scales to any network), and DNS logs (always start here). The storage-vs-detail tradeoff: PCAP is ~1 TB/day at 1 Gbps, Zeek metadata is ~10-15 GB/day.

The NSM philosophy (NF0.3). Collect before the incident — reactive capture can't travel backward in time. Three data categories: full content, extracted content, session/transaction. Four failure modes to avoid: deploy-and-forget, alert-only monitoring, no baseline, retention mismatch.

The investigation methodology (NF0.4). Six steps: Scope → Identify → Correlate → Reconstruct → Attribute → Report. Start with metadata (dns.log, conn.log), narrow to specific sessions, only drop to packet-level analysis when required. Community ID links Zeek and Suricata evidence for the same session.

The toolchain (NF0.5). Zeek for metadata generation and investigation queries. Suricata for signature detection. Wireshark/tshark for targeted PCAP analysis. zeek-cut/jq for log processing. Arkime for enterprise PCAP. NetworkMiner for object extraction. Each tool maps to specific methodology steps.

Normal vs malicious traffic (NF0.6). Six baseline dimensions: volume, timing, destination, protocol, duration, directionality. Per-host baselines built from Zeek conn.log. Pattern recognition for C2 beacons, DNS tunneling, and exfiltration.
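As an added illustration of the baseline and beacon-pattern idea above (example code written for this summary, not the course's own tooling), the block below parses a constructed Zeek conn.log excerpt, builds a per-host summary of the volume and destination dimensions, and then flags originator/responder pairs whose inter-connection timing is unusually regular. The threshold values, the host addresses and the log lines are all assumptions chosen for the demonstration.

```python
"""Per-host baselines and C2 beacon candidates from a Zeek conn.log (added example)."""
import statistics
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV layout (abbreviated column set).
# 10.10.5.23 contacts 203.0.113.50:443 roughly every 60 s plus two ordinary
# web sessions; 10.10.5.40 contacts 198.51.100.7:443 at irregular intervals.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000000.0\tCa1\t10.10.5.23\t49200\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000060.1\tCa2\t10.10.5.23\t49201\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000120.0\tCa3\t10.10.5.23\t49202\t203.0.113.50\t443\ttcp\tssl\t0.5\t312\t1180
1700000179.9\tCa4\t10.10.5.23\t49203\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000240.2\tCa5\t10.10.5.23\t49204\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000300.0\tCa6\t10.10.5.23\t49205\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000360.1\tCa7\t10.10.5.23\t49206\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000420.0\tCa8\t10.10.5.23\t49207\t203.0.113.50\t443\ttcp\tssl\t0.4\t312\t1180
1700000033.7\tCb1\t10.10.5.23\t49300\t93.184.216.34\t443\ttcp\tssl\t2.1\t1500\t48211
1700000251.2\tCb2\t10.10.5.23\t49301\t198.51.100.9\t80\ttcp\thttp\t0.9\t800\t-
1700000005.0\tCc1\t10.10.5.40\t51000\t198.51.100.7\t443\ttcp\tssl\t1.2\t900\t7000
1700000012.0\tCc2\t10.10.5.40\t51001\t198.51.100.7\t443\ttcp\tssl\t1.0\t900\t7000
1700000130.0\tCc3\t10.10.5.40\t51002\t198.51.100.7\t443\ttcp\tssl\t1.1\t900\t7000
1700000131.0\tCc4\t10.10.5.40\t51003\t198.51.100.7\t443\ttcp\tssl\t1.0\t900\t7000
1700000400.0\tCc5\t10.10.5.40\t51004\t198.51.100.7\t443\ttcp\tssl\t1.3\t900\t7000
1700000401.0\tCc6\t10.10.5.40\t51005\t198.51.100.7\t443\ttcp\tssl\t1.0\t900\t7000
"""


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the names in the #fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        # Zeek writes '-' for unset numeric fields; treat that as zero bytes.
        for key in ("orig_bytes", "resp_bytes"):
            rec[key] = 0 if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def per_host_baseline(records):
    """Summarise the volume and destination dimensions per originating host."""
    base = defaultdict(lambda: {"connections": 0, "dests": set(), "bytes_out": 0})
    for r in records:
        b = base[r["id.orig_h"]]
        b["connections"] += 1
        b["dests"].add(r["id.resp_h"])
        b["bytes_out"] += r["orig_bytes"]
    return {
        host: {
            "connections": b["connections"],
            "unique_destinations": len(b["dests"]),
            "bytes_out": b["bytes_out"],
        }
        for host, b in base.items()
    }


def beacon_candidates(records, min_connections=6, max_cv=0.1):
    """Flag (orig_h, resp_h, resp_p) tuples whose inter-connection timing is very regular.

    The score is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: interactive browsing is bursty (CV well above 1),
    while a sleep-and-call-home loop with small jitter sits close to 0.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for (orig_h, resp_h, resp_p), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few sessions to judge timing
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            hits.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                         "count": len(stamps), "mean_interval": round(mean, 2),
                         "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host, summary in per_host_baseline(recs).items():
        print(host, summary)
    for hit in beacon_candidates(recs):
        print("beacon candidate:", hit)
```

On a real sensor the same two functions would run over `zeek-cut`-style output for a whole day, with `min_connections` and `max_cv` tuned against the per-host baseline rather than fixed; a high-CV pair is not cleared by this check, and a low-CV pair still needs the destination and TLS context from the other logs before it is called a beacon.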

Network architecture for investigators (NF0.7). Four sensor positions: egress (external traffic), DMZ (public services), core (lateral movement), server VLAN (high-value targets). Cloud visibility limitations. First sensor at the egress, second at the core.

Northgate Engineering scenarios (NF0.8). Five incidents threading through the course: AiTM/BEC (DNS, TLS, HTTP), ransomware (SMB, C2, NetFlow), SSH brute force (SSH, conn patterns), K8s escape (API, Tor), and the capstone (all evidence types).

Evidence integrity and legal context (NF0.9). Hash PCAPs on capture, work on copies, document chain of custody. NTP synchronisation is the most critical integrity requirement. UK legal framework for corporate network monitoring.

What Comes Next

NF1 — Building Your NSM Sensor. You build the Zeek and Suricata sensor that you'll use for the rest of the course. By the end of NF1, you'll have a working sensor VM, validated against test traffic, ready for the protocol analysis modules.

NF2 — PCAP Acquisition and Management. Capture strategies, BPF filters, PCAP file management, and evidence-grade capture procedures.

NF3–NF7 — Protocol Analysis. Each module takes one protocol family and teaches you to investigate it: DNS (NF3), HTTP/HTTPS (NF4), SMB/Windows (NF5), SSH/tunneling (NF6), email (NF7).

NF8–NF11 — Detection and Hunting. Suricata rule writing, C2 beacon detection, NetFlow analytics, and network threat hunting.

NF12–NF14 — Integration and Capstone. Correlating network and endpoint evidence, production NSM architecture, and the INC-NE-2026-0830 capstone investigation.


You've built the sensor and mapped the evidence landscape.

NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.

  • DNS deep dive (NF3) — tunnelling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
  • Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunnelling, and email protocol investigation with Zeek metadata and PCAP
  • Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3, NetFlow analytics, and proactive network threat hunting
  • NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
  • INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration