week 4

In network forensics, it is important to choose the tools needed to sample, seal, and dissect the evidence acquired. Evidence can be acquired in forms such as a pcap file.
Flow analysis is used to identify patterns in the traffic or activity, or to find data on the operating system. One example is running the command netstat -an in the command prompt, which lists the active connections from the local address.

Wireshark is one of the tools used for flow analysis. It is available for both Windows and Kali Linux, and on both operating systems it can read the packet traffic of the system. With Wireshark we can clearly see both the source and destination address as well as the payload information; every detail of each captured packet can be inspected. Tshark is a similar tool to Wireshark; the only difference is that Wireshark uses a GUI while tshark uses the CLI to capture traffic.
There are also other available tools for flow analysis:
– tcpflow
– pcapcat, discontinued
– tcpxtract
Several flow analysis techniques are:
– list conversation and flows
– export a flow
– file and data carving
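The first two techniques above (listing conversations and flows, then exporting one flow) are what Wireshark's Conversations window and "Follow TCP Stream" do. The following is an added example, not code from the original post: a minimal pcap reader in Python that groups Ethernet/IPv4/TCP packets into conversations and reassembles the payload of a chosen flow. The capture it reads is constructed in the code itself (zeroed MAC addresses, zero checksums, sample addresses), and the helper names (build_tcp_packet, conversations, export_flow) are this example's own, not those of any tool mentioned on the page.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution pcap
ETHERTYPE_IPV4 = b"\x08\x00"


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_packet(src, sport, dst, dport, payload):
    # Ethernet (14) + IPv4 (20, no options) + TCP (20, no options) + payload.
    # MACs are zeroed and checksums left at 0: acceptable for a constructed sample.
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets, t0=1700000000):
    # Global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 = Ethernet
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", t0 + i, 0, len(p), len(p)) + p
               for i, p in enumerate(packets)]
    return header + b"".join(records)


def iter_packets(data):
    """Yield (timestamp_sec, frame_bytes) from a little-endian pcap (not pcapng)."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian pcap is handled by this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def dissect_tcp(pkt):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(pkt) < 34 or pkt[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[23] != 6:                     # protocol field: 6 = TCP
        return None
    src = ".".join(map(str, pkt[26:30]))
    dst = ".".join(map(str, pkt[30:34]))
    tcp = pkt[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return src, sport, dst, dport, tcp[data_off:]


def conversations(data):
    """Group TCP packets by endpoint pair, direction-independent, with packet/byte counts."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, pkt in iter_packets(data):
        d = dissect_tcp(pkt)
        if d is None:
            continue
        src, sport, dst, dport, _ = d
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key]["packets"] += 1
        convs[key]["bytes"] += len(pkt)
    return dict(convs)


def export_flow(data, src, sport, dst, dport):
    """Concatenate the payloads of both directions in capture order (a 'follow stream')."""
    want = {(src, sport, dst, dport), (dst, dport, src, sport)}
    out = []
    for _, pkt in iter_packets(data):
        d = dissect_tcp(pkt)
        if d is not None and d[:4] in want:
            out.append(d[4])
    return b"".join(out)


# Constructed sample capture: one HTTP exchange plus the start of a TLS handshake.
SAMPLE_PCAP = build_pcap([
    build_tcp_packet("10.0.0.5", 40000, "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
    build_tcp_packet("203.0.113.10", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n"),
    build_tcp_packet("10.0.0.5", 40001, "198.51.100.7", 443, b"\x16\x03\x01"),
])

if __name__ == "__main__":
    for (a, b), stats in conversations(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={stats['packets']} bytes={stats['bytes']}")
    print(export_flow(SAMPLE_PCAP, "10.0.0.5", 40000, "203.0.113.10", 80))
```

Pointing iter_packets at a real capture file's bytes instead of SAMPLE_PCAP gives the same two views an analyst gets from netstat -an or Wireshark: which endpoint pairs talked, and what one of them actually said.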

In file carving, knowing the file type (extension) is important: every file, whether it is a PNG or a GIF, contains header and structure bytes that can be deciphered from its hexadecimal representation.
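To show what "deciphering the hexadecimal" means in practice, here is an added example (not part of the original post) of a small carver in Python. It scans a byte buffer for the PNG signature and the GIF87a/GIF89a header, then walks each format's own structure to find where the file ends: PNG by reading length-prefixed chunks (verifying each chunk's CRC) until IEND, GIF by skipping the screen descriptor, colour tables, extension and image blocks until the 0x3B trailer. A header whose body fails to parse is skipped rather than carved, which is the usual way to avoid false positives. The buffer and the embedded images are constructed inline; the function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
GIF_SIGS = (b"GIF87a", b"GIF89a")


def png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def png_end(buf, start):
    """Walk PNG chunks from the signature at `start`; return end offset after IEND, else None."""
    off = start + len(PNG_SIG)
    while off + 12 <= len(buf):
        length, = struct.unpack(">I", buf[off:off + 4])
        if off + 12 + length > len(buf):
            return None                                   # truncated
        ctype = buf[off + 4:off + 8]
        data = buf[off + 8:off + 8 + length]
        crc, = struct.unpack(">I", buf[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            return None                                   # corrupt chunk: not a real PNG here
        off += 12 + length
        if ctype == b"IEND":
            return off
    return None


def gif_skip_subblocks(buf, off):
    """Skip a sequence of length-prefixed sub-blocks terminated by a zero-length block."""
    while off < len(buf):
        n = buf[off]
        off += 1
        if n == 0:
            return off
        off += n
    return None


def gif_end(buf, start):
    """Walk GIF blocks from the header at `start`; return end offset after the trailer, else None."""
    off = start + 6
    if off + 7 > len(buf):
        return None
    flags = buf[off + 4]                                  # logical screen descriptor flags
    off += 7
    if flags & 0x80:                                      # global colour table present
        off += 3 * (2 ** ((flags & 7) + 1))
    while off < len(buf):
        b = buf[off]
        off += 1
        if b == 0x3B:                                     # trailer
            return off
        if b == 0x21:                                     # extension: label byte, then sub-blocks
            off = gif_skip_subblocks(buf, off + 1)
        elif b == 0x2C:                                   # image descriptor (9 bytes after separator)
            if off + 9 > len(buf):
                return None
            lflags = buf[off + 8]
            off += 9
            if lflags & 0x80:                             # local colour table
                off += 3 * (2 ** ((lflags & 7) + 1))
            off += 1                                      # LZW minimum code size
            off = gif_skip_subblocks(buf, off)
        else:
            return None                                   # unknown block: not a well-formed GIF
        if off is None:
            return None
    return None


def carve(buf):
    """Return a list of (kind, offset, file_bytes) for every well-formed PNG/GIF found in buf."""
    found = []
    off = 0
    while off < len(buf):
        if buf.startswith(PNG_SIG, off):
            kind, end = "png", png_end(buf, off)
        elif buf.startswith(GIF_SIGS, off):
            kind, end = "gif", gif_end(buf, off)
        else:
            off += 1
            continue
        if end is None:                                   # signature without a valid body
            off += 1
            continue
        found.append((kind, off, buf[off:end]))
        off = end
    return found


# Constructed sample "disk image": filler, a fake PNG signature with junk after it (must be
# skipped), a minimal valid 1x1 PNG, more filler (containing a stray ';'), a minimal GIF.
SAMPLE_PNG = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) \
    + png_chunk(b"IEND", b"")
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)          # header + screen descriptor
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)          # image descriptor
              + b"\x02" + b"\x02\x44\x01" + b"\x00"                      # LZW size + one sub-block + end
              + b"\x3b")                                                 # trailer
SAMPLE_DISK = b"\x00" * 37 + PNG_SIG + b"junk" + SAMPLE_PNG + b"garbage;" + SAMPLE_GIF + b"\xff" * 9

if __name__ == "__main__":
    for kind, offset, blob in carve(SAMPLE_DISK):
        print(f"{kind} at offset {offset}, {len(blob)} bytes, header {blob[:8].hex()}")
```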
DHCP is a protocol that assigns the IP address that connects a device to the network. The address it provides comes with expiration information: the lease expires some hours or minutes after the device stops using it. The expiration time differs from network to network; some use hours, some use minutes after the device is turned off. This information is important for proving whether or not a user is a suspect, by checking whether an attack occurred within the time they were using that IP address.
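The attribution step described above, as an added example that is not part of the original post: parse lease records in the ISC dhcpd.leases syntax (a constructed excerpt embedded below, with sample addresses) and answer "which MAC address held this IP at this moment?" An IP whose lease had already expired at the time of the event yields no holder, and when the same IP was leased twice the lease in force at that instant wins. The function names are this example's own; the timestamps in dhcpd.leases are written in UTC, so events must be compared in the same zone.

```python
import re
from datetime import datetime

# Constructed excerpt in ISC dhcpd.leases syntax (sample data, not a real lease file).
SAMPLE_LEASES = """\
lease 192.168.1.20 {
  starts 5 2024/03/01 08:00:00;
  ends 5 2024/03/01 09:00:00;
  hardware ethernet aa:bb:cc:00:00:01;
}
lease 192.168.1.20 {
  starts 5 2024/03/01 09:30:00;
  ends 5 2024/03/01 10:30:00;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 192.168.1.21 {
  starts 5 2024/03/01 08:15:00;
  ends 5 2024/03/01 08:25:00;
  hardware ethernet aa:bb:cc:00:00:03;
}
lease 192.168.1.22 {
  starts 5 2024/03/01 07:00:00;
  ends never;
  hardware ethernet aa:bb:cc:00:00:04;
}
"""

LEASE_BLOCK = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_leases(text):
    """Return a list of dicts {ip, mac, starts, ends}; 'ends never' becomes datetime.max."""
    leases = []
    for ip, body in LEASE_BLOCK.findall(text):
        starts = re.search(r"starts \d (\S+ \S+);", body)
        ends = re.search(r"ends (never|\d \S+ \S+);", body)
        mac = re.search(r"hardware ethernet (\S+);", body)
        if not (starts and ends and mac):
            continue                                    # incomplete record: ignore
        end_txt = ends.group(1)
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower(),
            "starts": datetime.strptime(starts.group(1), TIME_FMT),
            # strip the leading weekday digit before parsing the date
            "ends": datetime.max if end_txt == "never" else datetime.strptime(end_txt[2:], TIME_FMT),
        })
    return leases


def holder_of(leases, ip, at):
    """MAC address that held `ip` at datetime `at`, or None if no lease was in force."""
    active = [l for l in leases if l["ip"] == ip and l["starts"] <= at < l["ends"]]
    if not active:
        return None
    return max(active, key=lambda l: l["starts"])["mac"]   # latest lease supersedes


def attribute_events(leases, events):
    """Map a list of (datetime, ip) events to (datetime, ip, mac-or-None) triples."""
    return [(ts, ip, holder_of(leases, ip, ts)) for ts, ip in events]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    events = [(datetime(2024, 3, 1, 8, 30), "192.168.1.20"),
              (datetime(2024, 3, 1, 9, 15), "192.168.1.20"),
              (datetime(2024, 3, 1, 8, 30), "192.168.1.21")]
    for ts, ip, mac in attribute_events(leases, events):
        print(f"{ts:%H:%M} {ip} -> {mac or 'no lease in force (expired or never assigned)'}")
```

The second event above falls in the gap between two leases of the same address, so the tool correctly refuses to blame either MAC; that gap is exactly why the lease times, not just the IP, have to be recorded before pointing at a user.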

Some tools to analyze the higher layers:
– oftcat
– smtpdump
– findsmtpinfo.py
– networkminer
