Overview
During a ransomware incident at a manufacturing firm, the network forensics examiner loads 72 hours of pre-event PCAP captures. Within minutes, the tool surfaces a pattern of low-volume DNS queries to algorithmically generated subdomains starting four days before encryption began. That beacon traffic, buried in millions of legitimate DNS requests, identifies the initial access channel, the C2 framework, and the approximate dwell time. The analysis takes hours instead of weeks and produces a court-ready evidence package alongside a set of Suricata rules to detect the same pattern on other networks.
Network Forensics provides packet capture analysis, protocol dissection, and traffic intelligence for law enforcement digital forensics units, incident response teams, CERTs/CSIRTs, military cyber commands, and financial institution security teams. The module handles over 200 network protocols with automated detection and deep packet inspection, letting investigators build cases from communications evidence without requiring specialist protocol expertise on every session type.
Open Standards
- STIX 2.1 / TAXII 2.1 (OASIS): Threat indicators extracted from packet captures are exported as STIX 2.1 bundles and ingested from remote TAXII 2.1 feeds, enabling interoperable IOC exchange with external threat-intelligence platforms.
- MITRE ATT&CK: Detected malware behaviours, C2 patterns, and attacker techniques are classified against MITRE ATT&CK technique identifiers (T-numbers), supporting structured APT attribution and cross-investigation correlation.
- PCAP / PCAPNG (libpcap capture file format): The module ingests standard PCAP and PCAPNG capture files produced by Wireshark, tcpdump, and compatible network taps as its primary evidence source.
- Suricata EVE JSON: Alert output from Suricata IDS is ingested via the standardised EVE JSON log format, and detection rules produced from PCAP analysis are deployed back to live Suricata instances.
- YARA: Extracted file payloads from packet captures are scanned against YARA rules for malware family identification and indicator matching.
- MISP (Malware Information Sharing Platform) standard format: IOCs recovered from traffic analysis are enriched against and submitted to MISP instances using the MISP REST API v2.4 attribute model.
- Sigma (open detection format): Network-derived detection logic is represented and exchanged as Sigma rules, allowing translation to multiple SIEM query languages for cross-platform deployment.
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
Key Features
- PCAP Analysis: Automated protocol detection across 200+ protocols with deep packet inspection, payload extraction, encryption fingerprinting, and anomaly detection.
- Session Reconstruction: Reassemble complete TCP conversations from fragmented packets, including HTTP browsing history, email messages, file transfers, VoIP calls, and remote desktop sessions.
- Malware C2 Detection: Behavioural analysis engine identifying command-and-control communications through beacon analysis, domain generation algorithm detection, DNS tunneling recognition, and encrypted traffic pattern matching.
- Traffic Intelligence: Interactive network timelines, GeoIP mapping, statistical analysis, top talker identification, and communication pattern visualisation.
- Evidence Extraction: Automated file carving for 100+ file types, credential identification, metadata extraction, and cryptographic hashing for evidence integrity.
- Court-Ready Reporting: Generate evidence reports with executive summaries, methodology documentation, chain of custody records, technical findings, and glossaries for non-technical audiences.
- Team Collaboration: Real-time case sharing with role-based access, annotation tools, task assignment, and prosecutor-ready evidence portals.
- Threat Intelligence Integration: Real-time threat feed matching, known C2 server identification, malware family classification, and APT group attribution. Integrates with MISP and YARA rules for automated indicator correlation.
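The DNS beacon pattern described in the Overview, and the beacon analysis and domain generation algorithm detection listed under Malware C2 Detection, as an added illustration that is not the module's own code. It reads Suricata EVE JSON dns query records (the ingestion format named under Open Standards), groups queries by source host and registered domain, and flags groups whose subdomain labels have high character entropy (random-looking, as DGA output is) and whose inter-query timing is nearly constant (beacon-like). The sample records are constructed rather than captured, the thresholds (entropy 3.0 bits, five queries, gap coefficient of variation 0.2) are assumptions for the example, and registered_domain() is a naive two-label stand-in for a Public Suffix List lookup.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout


def _eve_dns_line(ts, src_ip, rrname):
    """Build one EVE JSON dns query record (constructed test data, not captured traffic)."""
    rec = {
        "timestamp": ts.strftime(EVE_TS_FORMAT),
        "event_type": "dns",
        "src_ip": src_ip,
        "dest_ip": "10.0.0.53",
        "proto": "UDP",
        "dns": {"type": "query", "id": 1, "rrname": rrname, "rrtype": "A"},
    }
    return json.dumps(rec)


_T0 = datetime(2026, 1, 10, 3, 0, 0, tzinfo=timezone.utc)
# Constructed: a host querying random-looking labels every ~5 minutes (beacon-like)
_BEACON_LABELS = ["xk3q9f7a2mz", "p0w8r5tly4bq", "zm2c7v9h1ns", "q8d4j6x0ek3",
                  "r5t1y9u7wfc", "b7n2m4k8pah", "h3g6f1d9sjt", "w9e2r5t7xvl"]
# Constructed: a host doing ordinary, irregularly timed lookups of named services
_NORMAL_QUERIES = [(5, "www.example.com"), (47, "mail.example.com"),
                   (310, "login.example.com"), (333, "www.example.com"),
                   (1800, "static.example.com")]

SAMPLE_EVE_LINES = [
    _eve_dns_line(_T0 + timedelta(seconds=300 * i + i % 3), "10.0.5.23",
                  f"{label}.cdn-sync.example")
    for i, label in enumerate(_BEACON_LABELS)
] + [
    _eve_dns_line(_T0 + timedelta(seconds=offset), "10.0.5.40", name)
    for offset, name in _NORMAL_QUERIES
]


def shannon_entropy(text):
    """Bits per character; dictionary words score low, random labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(rrname):
    """Naive two-label cut (assumption); production code would use the Public Suffix List."""
    parts = rrname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else rrname.lower()


def parse_eve_dns_queries(lines):
    """Yield (timestamp, src_ip, rrname) for well-formed EVE dns query records only."""
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines instead of aborting the run
        dns = rec.get("dns") or {}
        if rec.get("event_type") != "dns" or dns.get("type") != "query":
            continue
        ts = datetime.strptime(rec["timestamp"], EVE_TS_FORMAT)
        yield ts, rec["src_ip"], dns["rrname"].rstrip(".").lower()


def score_dns_beacons(lines, entropy_threshold=3.0, min_queries=5, max_cv=0.2):
    """Flag (src_ip, domain) groups with many high-entropy labels and regular timing.

    Thresholds are assumptions for this example, not tuned production values.
    """
    groups = defaultdict(list)
    for ts, src, rrname in parse_eve_dns_queries(lines):
        groups[(src, registered_domain(rrname))].append((ts, rrname))

    findings = {}
    for (src, domain), events in groups.items():
        events.sort()
        suffix = "." + domain
        labels = {rr[: -len(suffix)] for _, rr in events if rr.endswith(suffix)}
        mean_entropy = mean(shannon_entropy(l) for l in labels) if labels else 0.0
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        # coefficient of variation of inter-query gaps: near 0 means clockwork beaconing
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        suspicious = (len(events) >= min_queries
                      and len(labels) >= min_queries
                      and mean_entropy >= entropy_threshold
                      and cv is not None and cv <= max_cv)
        findings[(src, domain)] = {
            "queries": len(events), "distinct_labels": len(labels),
            "mean_label_entropy": round(mean_entropy, 3),
            "gap_cv": None if cv is None else round(cv, 4),
            "suspicious": suspicious,
        }
    return findings


if __name__ == "__main__":
    for key, finding in score_dns_beacons(SAMPLE_EVE_LINES).items():
        print(key, finding)
```

Run against a real EVE log by replacing SAMPLE_EVE_LINES with the file's lines. Only the beacon host is flagged: its eight queries go to eight distinct labels with roughly 3.5 bits of entropy each at an almost constant 300-second gap, while the ordinary host's labels are words and its timing is irregular. The same two signals (label entropy, gap regularity) are what a Suricata rule or Sigma rule derived from such a finding would need to express, and the per-group metrics give the analyst the numbers to cite in a report.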
Use Cases
- Cybercrime Investigation: Reconstruct ransomware attacks from initial access through data exfiltration, identifying attacker infrastructure, communication protocols, and stolen data for prosecution.
- Dark Web Investigations: Analyse Tor traffic patterns, correlate marketplace activity timing, track cryptocurrency communications, and recover vendor identity evidence.
- Insider Threat Detection: Compare baseline traffic patterns against incident-day activity, identify unauthorised data uploads, reconstruct transferred files, and confirm employee attribution.
- Child Exploitation Cases: Identify peer-to-peer file sharing, match file hashes against known databases, recover content, and build court-admissible evidence packages.
- APT Investigation: Detect advanced persistent threats through behavioural analysis, TLS fingerprinting, infrastructure mapping, and correlation with threat intelligence feeds.
Integration
Integrates with device forensics, blockchain analytics, geospatial intelligence, and social network analysis tools within the Argus platform. Connects with MISP for IOC enrichment, YARA Engine for pattern-based detection on extracted payloads, CyberChef for data transformation, and Suricata IDS for live rule deployment. Supports PCAP, PCAPNG, and additional capture formats with export to standard formats for cross-tool analysis. Compliant with CJIS, GDPR, and digital evidence preservation standards.