Network Forensics

Question 1

The process of capturing, recording, and analyzing network events to discover the source of security incidents.

Answer 1

Network forensics

Question 2

A detailed copy of all packets transferred across a network used for forensic analysis.

Answer 2

Packet capture (PCAP)

Question 3

A tool used for capturing and analyzing live network traffic at the packet level.

Answer 3

Wireshark

Question 4

The process of reviewing and interpreting traffic after it has been recorded.

Answer 4

Offline network traffic analysis

Question 5

A log that summarizes communication between devices by showing IPs, ports, byte counts, and durations.

Answer 5

NetFlow log

Question 6

A forensic approach that identifies anomalies in the volume or direction of network traffic.

Answer 6

Traffic pattern analysis

Question 7

The technique of tracing traffic to its origin by following packet paths across devices.

Answer 7

Network trace route

Question 8

A protocol analyzer that provides low-level details of network communications.

Answer 8

Packet sniffer

Question 9

The term for a complete, raw copy of all traffic on a network segment.

Answer 9

Full packet capture

Question 10

A type of capture that records only metadata (e.g., headers), not the packet payload.

Answer 10

Header capture

Question 11

The practice of examining DNS logs to identify malicious domain queries.

Answer 11

DNS forensics

Question 12

A tool that provides behavioral alerts by comparing traffic against a baseline.

Answer 12

Anomaly-based NIDS

Question 13

A system that passively monitors network traffic for signs of suspicious activity.

Answer 13

Intrusion Detection System (IDS)

Question 14

A network-based system that can block malicious traffic in real time.

Answer 14

Intrusion Prevention System (IPS)

Question 15

The process of identifying and reconstructing application-level content from packet captures.

Answer 15

Protocol decoding

Question 16

A system used to correlate logs from various sources including firewalls, routers, and endpoints.

Answer 16

Security Information and Event Management (SIEM)

Question 17

The type of evidence that network logs and PCAPs represent in a legal investigation.

Answer 17

Digital evidence

Question 18

A key principle that ensures evidence is not altered during analysis.

Answer 18

Chain of custody

Question 19

The term for viewing sessions and conversations in order to reconstruct attacker activity.

Answer 19

Session reconstruction

Question 20

A traffic type that is considered a red flag in network forensics when using unusual ports.

Answer 20

Protocol misuse

Question 21

The process of extracting files or payloads from network packet captures.

Answer 21

Data carving

Question 22

Logs generated by security appliances such as firewalls, routers, and proxies.

Answer 22

Perimeter device logs

Question 23

A source of logs that show connection attempts and traffic direction between hosts.

Answer 23

Firewall logs

Question 24

Logs that help identify abnormal login times, failed attempts, or session hijacking.

Answer 24

Authentication logs

Question 25

A file type commonly used to store and share captured packets.

Answer 25

.pcap file

Question 26

A method used to identify large data transfers that could indicate exfiltration.

Answer 26

Bandwidth analysis

Question 27

The practice of matching a known IOC (IP, hash, domain) with traffic data.

Answer 27

Threat intelligence correlation

Question 28

The challenge of analyzing encrypted traffic without visibility into payloads.

Answer 28

TLS/SSL inspection limitation

Question 29

A tool or device that duplicates traffic to a separate monitoring port for analysis.

Answer 29

Network TAP (Test Access Point)

Question 29

The area where logs are centralized and archived for long-term forensic review.

Answer 29

Log aggregation platform

Question 30

The ability to identify who performed an action and when, using network logs.

Answer 30

Attribution

Question 31

Technique used to detect traffic going to known C2 infrastructure.

Answer 31

C2 beacon detection

Question 32

Evidence of periodic, consistent external connections from infected hosts.

Answer 32

Beaconing behavior

Question 33

A sign of internal scanning where one host sends SYN packets to multiple internal devices.

Answer 33

Lateral movement attempt

Question 34

Log evidence showing repeated connection attempts to a closed port.

Answer 34

Port scanning

Question 35

Protocol often analyzed in forensics to find user credentials or commands in plaintext.

Answer 35

FTP or Telnet

Question 36

A forensic red flag when a non-web protocol runs over port 80 or 443.

Answer 36

Protocol tunneling

Question 37

Activity showing large outbound traffic to an unusual country or IP.

Answer 37

Data exfiltration

Question 38

A timeline of network events that correlates attacker behavior across systems.

Answer 38

Incident timeline reconstruction

Question 39

The final step of a forensic investigation where a report is delivered to stakeholders.

Answer 39

Findings documentation