week 1

Network forensics is the legal search for evidence in network traffic. Like "forensics" in the medical sense, it dissects the victim or the parties involved to look for involvement in a crime. The term covers finding evidence, gathering information, and detection.

We need network forensics for incident response. When there is a network attack, several questions need to be answered, such as why, how, what, when, and where, to find the root cause and help prevent future attacks.

There are many sources of evidence from the network that can be taken into account, such as:
– Email
– CCTV
– ISP logs
– Wi-Fi usage history
– etc.

There are two investigation methods, OSCAR and TAARA.

OSCAR:
– Obtain information: gather information about the incident and the environment where it occurred.
– Strategize: plan from the information obtained and list the priorities.
– Collect evidence: obtain a copy of the evidence legally, according to the law.
– Analyze: using the information and evidence available, list possible explanations and theories.
– Report: write down detailed explanations and facts so that people are able to understand them.

TAARA:
– Trigger: the incident that triggered the investigation.
– Acquire: identify and collect the evidence.
– Analysis: produce an explanation of the evidence obtained.
– Report: written for the higher-ups so they can make a plan and take measures based on the facts given.
– Action: the actions recommended.
