Master expert-level network forensic investigation: understanding why PCAP evidence is tamper-resistant while disk evidence is not, detecting lateral movement patterns from NetFlow metadata alone, identifying encrypted Cobalt Strike C2 via JA3 TLS fingerprinting without decrypting traffic, extracting exfiltrated files from unencrypted PCAP, quantifying beacon intervals statistically, and correlating all network evidence sources into a complete multi-stage attack timeline.
Network Forensics
Network forensics is the capture, recording, and analysis of network packets to reconstruct a multi-stage attack from raw traffic. Where endpoint forensics shows what happened on a single system, network forensics shows how attackers moved between systems, what data was exfiltrated, and what C2 communications occurred — often even when endpoint evidence has been deliberately destroyed.
Expert network forensics goes beyond Wireshark display filters. It involves reconstructing attack timelines from full PCAP files, identifying encrypted C2 traffic through behavioural analysis and TLS fingerprinting, extracting transferred files and credentials from captured packets, and correlating network evidence with endpoint and identity logs to produce the authoritative incident timeline.
Why Network Forensics Survives Endpoint Tampering
A sophisticated attacker who knows they've been detected will attempt to destroy evidence: clear event logs, delete malware binaries, wipe bash history, and overwrite free disk space. All of this is possible when the attacker has admin access to the endpoint. None of it touches network captures made at a passive TAP or SPAN port that the attacker has no knowledge of or access to. This asymmetry — attackers can tamper with endpoints but not with properly positioned network captures — is why network forensics is an irreplaceable part of advanced IR even when endpoint evidence is comprehensive.
Imagine a building where a thief has committed a crime and is now trying to cover their tracks. They can shred documents in the office (disk evidence), erase the internal security camera footage (log tampering), and remove their fingerprints from surfaces (malware deletion). But they cannot retroactively remove their image from the external security cameras operated by the building across the street — cameras they don't know about and have no access to. Network forensics is that external camera. A passive network TAP captures every packet crossing the wire. The attacker inside the building cannot reach outside to erase what has already been recorded by an observer they cannot access.
Network Evidence Types
| Source | What it records |
|---|---|
| Full PCAP | Every byte of every packet; maximum detail, high storage cost |
| NetFlow/IPFIX | Metadata only (src, dst, port, bytes, duration); scalable, weeks of retention |
| DNS logs | Every query and response; reveals C2 domains, tunnelling, NXDOMAIN responses |
| Proxy logs | HTTP/HTTPS with TLS inspection; URLs, user agents, content type, response code |
| Firewall logs | Allow/deny decisions with ports and protocols |
| IDS/IPS logs | Signature matches against traffic; known attack patterns |
Network Forensics in Practice
NetFlow shows connections between internal hosts without capturing content. Lateral movement appears as a source host connecting to many internal destinations on administrative ports in rapid sequence.
```text
# NetFlow from CORP-WS-044 (patient zero, jsmith) after compromise:
02:14:01  CORP-WS-044 -> CORP-WS-021:445   SMB  Success  (lateral hop 1)
02:14:33  CORP-WS-044 -> CORP-WS-033:445   SMB  Success  (lateral hop 2)
02:15:01  CORP-WS-044 -> CORP-SRV-01:445   SMB  Success  (member server)
02:15:44  CORP-WS-044 -> CORP-DC-01:445    SMB  Success  (domain controller!)
02:16:12  CORP-WS-044 -> 10.0.0.0/8:445    SMB  Mixed    (subnet sweep)
# Sequential SMB to internal hosts from one source at 2am = attacker lateral movement
# DC targeted within 2 minutes of patient zero compromise = rapid, skilled operator
```
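The fan-out pattern above can be detected mechanically rather than by eye. The following is an added example, not code from the original page: it takes flow records that a collector has already parsed into (time, source, destination, destination port, bytes) tuples and raises one alert per source host that reaches several distinct internal destinations on administrative ports inside a short sliding window. The host names, timestamps, byte counts and the `ADMIN_PORTS` list are constructed for the demonstration; the `CORP-DC-` naming prefix used to flag domain controllers is an assumption.

```python
# Added example (not from the original page): flag lateral-movement fan-out in
# NetFlow-style records. All host names, timestamps and byte counts are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative/remote-execution ports a workstation rarely fans out to on its own.
ADMIN_PORTS = {445: "SMB", 135: "RPC", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 22: "SSH"}

# Constructed flow records: (start time, source host, destination host, dst port, bytes)
FLOWS = [
    ("2026-02-11 02:14:01", "CORP-WS-044", "CORP-WS-021", 445, 48211),
    ("2026-02-11 02:14:33", "CORP-WS-044", "CORP-WS-033", 445, 51020),
    ("2026-02-11 02:15:01", "CORP-WS-044", "CORP-SRV-01", 445, 60977),
    ("2026-02-11 02:15:44", "CORP-WS-044", "CORP-DC-01", 445, 72310),
    ("2026-02-11 02:16:12", "CORP-WS-044", "CORP-SRV-03", 445, 1200),
    ("2026-02-11 02:16:40", "CORP-WS-044", "CORP-WS-050", 445, 0),
    # Benign baseline: one client talking to its usual file server all night.
    ("2026-02-11 02:10:00", "CORP-WS-012", "CORP-FS-01", 445, 910000),
    ("2026-02-11 02:40:00", "CORP-WS-012", "CORP-FS-01", 445, 880000),
    ("2026-02-11 03:10:00", "CORP-WS-012", "CORP-FS-01", 445, 870000),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def fan_out_alerts(flows, window=timedelta(minutes=10), min_targets=4, dc_prefix="CORP-DC-"):
    """One alert per source host that reaches >= min_targets distinct destinations on
    admin ports inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        if port in ADMIN_PORTS:
            by_src[src].append((parse_ts(ts), dst, port))

    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(targets) < min_targets:
                continue
            alerts.append({
                "src": src,
                "first_seen": start,
                "targets": sorted(targets),
                "sweep_seconds": (in_window[-1][0] - start).total_seconds(),
                "protocols": sorted({ADMIN_PORTS[p] for _, _, p in in_window}),
                "dc_hit": any(t.startswith(dc_prefix) for t in targets),
                "off_hours": start.hour < 6,  # 2am admin activity deserves a closer look
            })
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in fan_out_alerts(FLOWS):
        print(f"{a['src']}: {len(a['targets'])} targets via {a['protocols']} in "
              f"{a['sweep_seconds']:.0f}s, DC hit={a['dc_hit']}, off-hours={a['off_hours']}")
```

The benign client in the sample never trips the rule because it repeatedly talks to one destination; the rule counts distinct destinations, not connection volume, which is what separates a sweep from a chatty file-share client. Tune `min_targets` and `window` against a baseline of your own flow data, and exclude known scanners and management hosts before enabling it.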
JA3 fingerprints the TLS ClientHello parameters to identify the tool making the connection — Cobalt Strike and other C2 frameworks have known JA3 signatures, detectable even in encrypted traffic.
```text
# Extract JA3 hash from PCAP for suspicious connection:
ja3 -j capture.pcap | jq '.[] | select(.dst_ip=="185.220.101.45")'
  "src_ip": "10.0.1.55",
  "dst_ip": "185.220.101.45",
  "ja3": "51c64c77e60f3980eea90869b68c58a8"
# JA3 hash lookup in threat intelligence database:
JA3 51c64c77e60f3980eea90869b68c58a8 = Cobalt Strike default malleable C2 profile
# Confirmed: Cobalt Strike C2 traffic -- even though all HTTPS content is encrypted
# The TLS handshake parameters (cipher suites, extensions, elliptic curves) are unique to CS
```
When data is exfiltrated over unencrypted protocols, Wireshark and NetworkMiner can reconstruct and export the complete files that were transferred — confirming exactly what was stolen.
```text
# Wireshark: File > Export Objects > HTTP (or SMB, FTP)
Exported files from capture:
  employees.csv    (2.1 MB)  10.0.1.55 -> 185.220.101.45  POST /upload
  financials.xlsx  (4.8 MB)  10.0.1.55 -> 185.220.101.45  POST /upload
  passwords.txt    (12 KB)   10.0.1.55 -> 185.220.101.45  POST /upload
# tshark exfiltration timeline and volume:
03:14:01 to 03:44:22 -- 6.9 GB transferred in exactly 30 minutes
Transfer rate: 3.8 MB/s sustained -- automated exfiltration tool, not manual
```
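To show what Export Objects is actually doing, here is an added example (not from the original page) that carves uploaded files out of the reassembled client-to-server bytes of an unencrypted HTTP POST. It walks consecutive requests on one connection using `Content-Length`, then splits a `multipart/form-data` body on its boundary and hashes each file part. The request bytes, filenames and file contents are constructed inside the block; the destination address reuses the one quoted on this page.

```python
# Added example (not from the original page): carve uploaded files out of the reassembled
# client->server bytes of an unencrypted HTTP POST, the way Wireshark's Export Objects does.
# The request, filenames and file contents below are constructed for the demonstration.
import hashlib
import re

SAMPLE_FILES = {  # constructed "stolen" files
    "employees.csv": b"id,name,email\n1,A. Example,a.example@corp.test\n2,B. Sample,b.sample@corp.test\n",
    "passwords.txt": b"placeholder line 1\nplaceholder line 2\n",
}


def build_constructed_post(filename, content, boundary=b"----netforensicsdemo"):
    """Assemble one multipart/form-data POST as a client would send it on the wire."""
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n"
            b"--" + boundary + b"--\r\n")
    head = (b"POST /upload HTTP/1.1\r\nHost: 185.220.101.45\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def _header(headers, name):
    m = re.search(r"^" + re.escape(name) + r":[ \t]*(.*)$", headers, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def extract_http_uploads(stream):
    """Walk consecutive HTTP requests in a reassembled TCP stream; for each multipart POST,
    return (filename, size, sha256) per file part. Content-Length delimits each body."""
    results, pos = [], 0
    while True:
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            break
        headers = stream[pos:hdr_end].decode("latin-1")
        body_start = hdr_end + 4
        length = int(_header(headers, "Content-Length") or 0)
        body = stream[body_start:body_start + length]
        pos = body_start + length
        ctype = _header(headers, "Content-Type") or ""
        if not headers.startswith("POST ") or "multipart/form-data" not in ctype:
            continue  # not an upload
        boundary = re.search(r"boundary=([^;]+)", ctype).group(1).strip('"').encode()
        for part in body.split(b"--" + boundary)[1:]:
            if part.startswith(b"--"):
                break  # closing delimiter
            part_hdr, _, part_body = part.partition(b"\r\n\r\n")
            m = re.search(rb'filename="([^"]*)"', part_hdr)
            if not m:
                continue  # ordinary form field, not a file
            file_bytes = part_body[:-2] if part_body.endswith(b"\r\n") else part_body
            results.append((m.group(1).decode(), len(file_bytes), sha256_hex(file_bytes)))
    return results


def demo_stream():
    """Constructed stream: two uploads back to back on one persistent connection."""
    return b"".join(build_constructed_post(n, c) for n, c in SAMPLE_FILES.items())


if __name__ == "__main__":
    for name, size, digest in extract_http_uploads(demo_stream()):
        print(f"{name:16} {size:6d} bytes  sha256={digest}")
```

Recording the size and hash of each carved file, rather than only its name, is what lets counsel match the recovered inventory against the originals on the file server and is also what you hand to the threat-intel team. Real captures add complications this block skips: chunked transfer encoding, gzip-compressed bodies, and uploads split across several TCP segments that must be reassembled first (tshark's `Follow TCP Stream` output is a convenient input).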
Malware beacons at regular intervals. Statistical analysis of connection timing reveals the beacon interval and distinguishes automated malware from irregular human-generated traffic.
```text
# Extract connection timestamps to suspicious IP and compute inter-arrival times
# (the SYN-without-ACK filter counts connections rather than every packet; printf
# rounds to 0.1 s so that uniq -c can bucket the intervals):
tshark -r capture.pcap -Y "ip.dst==185.220.101.45 && tcp.flags.syn==1 && tcp.flags.ack==0" \
  -T fields -e frame.time_epoch | \
  awk 'NR>1{printf "%.1f\n", $1-prev} {prev=$1}' | sort | uniq -c | sort -rn
    847 300.0    (847 connections exactly 300 seconds apart)
      3 299.8
      2 300.2
# Machine-precision 300-second interval = Cobalt Strike default beacon
# Human activity would show variance of ±minutes, not ±milliseconds
# This statistical regularity is impossible to fake at this precision with human behaviour
```
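The shell pipeline gives a histogram; the statistics behind the "machine precision" judgement (mean, standard deviation, coefficient of variation, share of connections in the modal bucket) are easier to compute and to threshold in a script. The following is an added example, not code from the original page: it takes the epoch timestamps the tshark command emits, computes inter-arrival statistics, and classifies the series. The beacon and human timestamp series are constructed; the thresholds in `classify` are assumptions to be tuned against your own baseline.

```python
# Added example (not from the original page): beacon-interval statistics over connection
# timestamps such as those produced by the tshark pipeline above. Timestamps are constructed.
import statistics
from collections import Counter


def make_constructed_beacons(n=847, interval=300.0, start=1_770_000_000.0):
    """Constructed: n check-ins at a fixed interval with millisecond-scale scheduler noise."""
    noise = [0.0, 0.001, -0.002, 0.003, -0.001, 0.002]
    return [start + i * interval + noise[i % len(noise)] for i in range(n)]


def make_constructed_human(start=1_770_000_000.0):
    """Constructed: irregular browsing, gaps from seconds to tens of minutes."""
    gaps = [12, 340, 95, 7, 1800, 41, 600, 23, 150, 2700, 5, 88]
    ts, out = start, []
    for g in gaps:
        out.append(ts)
        ts += g
    return out


def interval_stats(timestamps, bucket=0.1):
    """Inter-arrival statistics for a sorted or unsorted list of epoch timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.fmean(gaps)
    stdev = statistics.pstdev(gaps)
    # Histogram with the same 0.1 s rounding the awk/uniq pipeline uses.
    hist = Counter(round(g / bucket) * bucket for g in gaps)
    modal_gap, modal_count = hist.most_common(1)[0]
    return {
        "connections": len(ts),
        "mean": mean,
        "stdev": stdev,
        "cv": stdev / mean if mean else float("inf"),  # coefficient of variation
        "modal_gap": round(modal_gap, 1),
        "modal_share": modal_count / len(gaps),
    }


def classify(stats, max_cv=0.01, min_modal_share=0.9):
    """'beacon' when the gaps are tightly clustered around one value; thresholds are assumptions."""
    if stats is None:
        return "insufficient data"
    if stats["cv"] <= max_cv and stats["modal_share"] >= min_modal_share:
        return "beacon"
    return "irregular"


if __name__ == "__main__":
    for label, series in (("constructed beacon", make_constructed_beacons()),
                          ("constructed human", make_constructed_human())):
        s = interval_stats(series)
        print(f"{label}: n={s['connections']} mean={s['mean']:.3f}s stdev={s['stdev']:.3f}s "
              f"cv={s['cv']:.2e} modal={s['modal_gap']}s ({s['modal_share']:.0%}) -> {classify(s)}")
```

Feed it real data with `tshark ... -e frame.time_epoch` piped into a file and read one float per line. One caveat for the thresholds: Cobalt Strike operators can configure sleep jitter, which deliberately spreads the interval so the standard deviation is no longer milliseconds. In that case the modal-bucket share over a coarser bucket, and the fact that the gaps never exceed a fixed maximum, are the more robust signals; that is why the page pairs timing with JA3, certificate and packet-size evidence rather than relying on any one of them.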
Correlating network evidence from all sources builds the complete multi-stage attack timeline — each data source filling gaps left by the others.
```text
Network Forensics Timeline -- INC-2026-047
09:23:44   [PROXY]     payload.exe downloaded from malicious-site.xyz (HTTP 200, 2.4 MB)
09:26:18   [FIREWALL]  C2 established: 10.0.1.55 -> 185.220.101.45:443
09:26:18+  [NETFLOW]   300s beacon interval begins (JA3 confirmed: Cobalt Strike)
02:14:01   [NETFLOW]   SMB lateral movement sweep begins from 10.0.1.55
02:15:44   [NETFLOW]   DC01 targeted via SMB (domain controller -- critical scope)
03:14:01   [FIREWALL]  Exfiltration begins: 6.9 GB to 185.220.101.45
03:44:22   [FIREWALL]  Exfiltration complete (30-minute automated transfer)
04:01:03   [NETFLOW]   C2 beacon stops (attacker disconnects or rotates C2)
```
What You Need to Know
When to Use Each Network Evidence Type
| Source | Best For | Limitations | Retention Challenge |
|---|---|---|---|
| Full PCAP | File extraction, credential capture in cleartext, exact payload analysis, beacon timing at millisecond precision | Encryption defeats content analysis; massive storage cost limits retention window | 10 Gbps = ~1 TB/hour — typically 24-72 hours retained for full-speed links |
| NetFlow/IPFIX | Lateral movement patterns, large-scale connection mapping, historical analysis weeks back, exfiltration volume | No content — cannot see payload, cannot extract files, cannot identify protocol beyond port | Highly scalable — weeks of retention at enterprise scale at low cost |
| DNS logs | C2 domain discovery, DNS tunnelling detection, DGA (domain generation algorithm) detection, NXDomain spikes | DNS over HTTPS (DoH) bypasses traditional DNS logging; requires query-level logging enabled | Moderate — typically days to weeks depending on query volume |
| Proxy logs | HTTP/HTTPS URL analysis (with TLS inspection), user agent fingerprinting, content type anomalies, download size spikes | Requires TLS inspection capability for HTTPS content; traffic not routed through proxy is invisible | High scalability — typically weeks with structured log storage |
| IDS/IPS logs | Known attack pattern confirmation, rapid triage of flagged traffic, threat intel correlation | Only catches known signatures — novel/customised C2 evades. High false positive rate without tuning. | Moderate — events only, not raw traffic |
Analysing Encrypted C2 Without Decryption
The majority of modern malware C2 uses HTTPS — encrypting the payload and making content-based detection impossible without TLS inspection. Network forensics has developed multiple techniques to detect and characterise encrypted C2 traffic without requiring decryption, based on the observable metadata that encryption cannot hide.
Connection timing: The exact intervals between connections are visible even when content is encrypted. 300.000-second intervals are machine-generated regardless of whether packets are encrypted.
Packet size distributions: C2 beacon traffic has characteristically small, regular packets in one direction (heartbeat) with larger responses (tasking). This asymmetry is visible in NetFlow even without content.
TLS handshake parameters (JA3): The ClientHello message is transmitted before encryption begins and contains negotiation parameters that uniquely identify the TLS library and tool being used.
Certificate characteristics: Cobalt Strike's default certificate uses specific Subject fields and validity periods (often self-signed with default organisation names) that are visible in the TLS handshake.
JA3: Computed from the ClientHello: SSLVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats. MD5-hashed to a 32-character fingerprint. Known C2 frameworks have stable, known JA3 values.
JA3S: The server-side equivalent — computed from the ServerHello. Matching JA3 + JA3S pair uniquely identifies both the C2 client and the C2 server software, even when both parties are using encryption.
Malleable C2 profiles: Cobalt Strike supports "malleable C2" profiles that can change its JA3 to impersonate common software (Chrome, Firefox). Advanced threat actors may do this. JA3 alone is not sufficient — combine with timing, certificate analysis, and beacon regularity for high confidence.
Tool: ja3 CLI or Zeek's ja3 plugin compute these automatically from PCAP. Free database at ja3er.com and commercial threat intel feeds correlate known signatures.
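The JA3 definition above (SSLVersion, Ciphers, Extensions, EllipticCurves, EllipticCurvePointFormats, MD5-hashed) is small enough to implement directly, which is also the best way to understand why a malleable profile can change it. The following is an added example, not code from the original page or from the ja3 project: it builds the JA3 string and digest from ClientHello fields that a packet parser has already extracted, drops GREASE values the way the reference implementation does, computes the JA3S counterpart from a ServerHello, and looks the digest up. The ClientHello values and the "constructed C2 client profile" intel entry are constructed; the only real hash in the table is the Cobalt Strike default quoted on this page.

```python
# Added example (not from the original page): build the JA3 string and MD5 digest from
# already-parsed ClientHello fields, then look the digest up. The ClientHello values and the
# intel entry for them are constructed; only the Cobalt Strike hash quoted on this page is
# taken from the page itself.
import hashlib


def is_grease(value):
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random filler; JA3 drops them so the
    fingerprint of a browser stays stable across handshakes."""
    return (value >> 8) == (value & 0xff) and (value & 0x0f) == 0x0a


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 = SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats,
    each list '-'-joined in wire order, decimal, GREASE removed."""
    fields = [
        [version],
        [c for c in ciphers if not is_grease(c)],
        [e for e in extensions if not is_grease(e)],
        [g for g in curves if not is_grease(g)],
        list(point_formats),
    ]
    return ",".join("-".join(str(v) for v in field) for field in fields)


def ja3s_string(version, cipher, extensions):
    """JA3S = SSLVersion,Cipher,Extensions taken from the ServerHello."""
    return ",".join([str(version), str(cipher), "-".join(str(e) for e in extensions)])


def digest(s):
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello as a parser would hand it over: TLS 1.2 version 0x0303 = 771,
# with GREASE values mixed in where a browser-like client would place them.
CONSTRUCTED_CLIENT_HELLO = dict(
    version=0x0303,
    ciphers=[0x1a1a, 0xc02b, 0xc02f, 0x009e, 0x002f],
    extensions=[0x0a0a, 0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[0x2a2a, 29, 23, 24],
    point_formats=[0],
)

# Lookup table: one constructed entry keyed by the digest of a constructed JA3 string, plus the
# Cobalt Strike default hash exactly as quoted on this page.
JA3_INTEL = {
    digest("771,49195-49199-158-47,0-23-65281-10-11-35-16-5-13,29-23-24,0"):
        "constructed C2 client profile (placeholder)",
    "51c64c77e60f3980eea90869b68c58a8":
        "Cobalt Strike default profile (hash quoted on this page)",
}


def fingerprint(client_hello, intel=JA3_INTEL):
    """Return the JA3 string, its digest and the intel label ('unknown' if no match)."""
    s = ja3_string(**client_hello)
    d = digest(s)
    return {"ja3": s, "ja3_digest": d, "match": intel.get(d, "unknown")}


if __name__ == "__main__":
    print(fingerprint(CONSTRUCTED_CLIENT_HELLO))
```

Two things the code makes concrete. First, the digest changes if a single cipher suite is added, removed or reordered, which is exactly how a malleable C2 profile that imitates a browser's ClientHello produces a browser-looking JA3; this is why the page treats JA3 as one signal among four. Second, because GREASE is filtered, a browser's JA3 stays stable even though each handshake carries different random GREASE values, so an "unknown" JA3 from a host that otherwise looks like a browser is itself worth a second look. Zeek's ja3 package emits the same string and digest into `ssl.log`, so the lookup step transfers directly.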
The following confirms Cobalt Strike C2 using four independent signals, even though all traffic is HTTPS-encrypted; no decryption is required.
```text
# Signal 1: JA3 fingerprint matches known Cobalt Strike default profile
JA3: 51c64c77e60f3980eea90869b68c58a8 = Cobalt Strike default

# Signal 2: TLS certificate self-signed with default Cobalt Strike subject fields
Subject: CN=Major Cobalt Strike, O=cobaltstrike, C=Earth   (CS default template)
Valid:   2020-01-01 to 2040-01-01   (20-year validity = self-signed, not CA-issued)

# Signal 3: 300.000-second beacon interval (machine precision)
847 connections, interval mean: 300.001s, stdev: 0.003s   (human: stdev ~minutes)

# Signal 4: Packet size distribution matches CS heartbeat pattern
Outbound packets: 98% are 220-280 bytes    (small beacon check-in packets)
Inbound packets:   3% are 1400-1500 bytes  (task delivery from C2 server)

# All four signals → Cobalt Strike C2, high confidence, no decryption required
```
Network-Only Investigation — Endpoint Evidence Destroyed
Situation: The security team discovers that CORP-WS-044 has been wiped; the attacker ran a DBAN-equivalent disk wipe before disconnecting. Windows event logs: empty. Malware binaries: gone. The endpoint provides no forensic evidence. However, a passive network TAP has been collecting full PCAP on the core switch for 72 hours.
PCAP extraction — Initial access (09:23): HTTP GET request from 10.0.1.55 to malicious-site.xyz for payload.exe — 2.4 MB executable downloaded and saved (Wireshark Export Objects confirms filename). Hash of extracted executable: submitted to VirusTotal — 54/72 detections, Cobalt Strike loader. Initial access vector confirmed: drive-by download.
C2 identification (09:26–04:01): HTTPS connections from 10.0.1.55 to 185.220.101.45:443 beginning at 09:26:18. JA3 fingerprint: Cobalt Strike default. TLS certificate: self-signed with Cobalt Strike default subject fields. Beacon interval: 300 seconds, standard deviation 0.003 seconds. Total dwell time from PCAP: 18 hours 34 minutes 45 seconds — measured to the second from first to last beacon.
Lateral movement mapping (02:14–02:18): NetFlow shows CORP-WS-044 connecting to 9 internal hosts on SMB/445. Five succeeded (CORP-WS-021, WS-033, SRV-01, SRV-03, DC-01). Four failed (timeout — hosts were offline or blocked). The 9-host sweep completed in 4 minutes 12 seconds — automated tool, not manual.
Exfiltration quantification (03:14–03:44): Full PCAP captures 6.9 GB of HTTP POST uploads to 185.220.101.45 over 30 minutes. Wireshark Export Objects extracts: employees.csv (2.1 MB), financials.xlsx (4.8 MB), and 14 other files totalling 6.9 GB. Complete list of exfiltrated files recovered from PCAP despite endpoint wipe. Legal counsel receives definitive file inventory for breach notification assessment.
Outcome: Despite the attacker successfully destroying all endpoint evidence, the 72-hour PCAP from the passive TAP provides a complete forensic record of every network action taken. The incident timeline, exfiltrated file inventory, attack tooling (Cobalt Strike), and lateral movement scope are all definitively established from network evidence alone. This is why passive TAPs at network chokepoints, with adequate PCAP retention, are non-negotiable infrastructure for advanced IR capability.