Packet Capture Forensics Lab

Status: Completed (Cybersecurity / Digital Forensics)

A structured packet capture investigation focused on analyzing network evidence to reconstruct activity and support an attribution conclusion.

Problem

A forensic scenario required identifying the likely source of threatening emails using captured network traffic and related artifacts.

My Role

I analyzed the packet capture, reviewed network sessions, investigated DNS and email-related traffic, extracted useful artifacts, and documented the evidence.

Tools Used

Wireshark, tshark, NetworkMiner, DNS analysis, session analysis, CSV exports, evidence notes

Process

  • Review the packet capture for relevant protocols and hosts.
  • Search for email, DNS, and webmail-related artifacts.
  • Use Wireshark and tshark to filter traffic.
  • Export useful evidence for review.
  • Use NetworkMiner to inspect sessions and extracted artifacts.
  • Document findings in a structured way.
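The steps above, carried through end to end as an added example (this is not the lab's own code or output): two tshark field exports, one of DNS answers and one of HTTP requests, are parsed, merged into a chronological timeline, each request is tied back to the DNS answer that resolved its host, clients that POST to a mail-looking host are flagged as webmail-send candidates, and the result is written up with facts, inferences and open questions kept apart. The capture file name capture.pcap, the two sample exports (RFC 5737 documentation addresses and example.net/.org names), and the "mail" keyword heuristic are assumptions made for the example.

```python
"""Evidence timeline from tshark field exports: DNS answers and HTTP requests.

Added example, not the lab's original code. The two exports below are
constructed (RFC 5737 documentation addresses, example.net/.org names), not
real evidence, and capture.pcap is an assumed file name.
"""
import csv
from dataclasses import dataclass
from io import StringIO

# Commands that would produce the exports parsed below. The flags and field
# names are real tshark options; occurrence=f keeps only the first A record so
# a multi-answer reply cannot break the comma-separated layout.
TSHARK_DNS = ("tshark -r capture.pcap -Y 'dns.flags.response == 1 && dns.a' "
              "-T fields -E separator=, -E occurrence=f "
              "-e frame.time_epoch -e ip.dst -e dns.qry.name -e dns.a")
TSHARK_HTTP = ("tshark -r capture.pcap -Y 'http.request' "
               "-T fields -E separator=, -E occurrence=f "
               "-e frame.time_epoch -e ip.src -e ip.dst -e http.host "
               "-e http.request.method -e http.request.uri")

# Constructed sample exports (columns match the -e lists above).
DNS_EXPORT = """\
1700000000.10,192.0.2.10,mail.example.net,198.51.100.5
1700000010.00,192.0.2.11,www.example.org,203.0.113.9
"""
HTTP_EXPORT = """\
1700000002.50,192.0.2.10,198.51.100.5,mail.example.net,GET,/login
1700000005.20,192.0.2.10,198.51.100.5,mail.example.net,POST,/compose/send
1700000012.00,192.0.2.11,203.0.113.9,www.example.org,GET,/
1700000020.00,192.0.2.12,198.51.100.5,mail.example.net,POST,/compose/send
"""


@dataclass(frozen=True)
class Event:
    ts: float
    client: str
    kind: str      # "dns" or "http"
    host: str
    method: str    # HTTP method, empty for DNS events
    summary: str


def parse_dns(text):
    """Rows of the DNS export as dicts; one row per answered query."""
    return [{"ts": float(ts), "client": client, "name": name, "addr": addr}
            for ts, client, name, addr in csv.reader(StringIO(text))]


def parse_http(text):
    """Rows of the HTTP export as dicts; one row per request."""
    return [{"ts": float(ts), "client": src, "server": dst, "host": host,
             "method": method, "uri": uri}
            for ts, src, dst, host, method, uri in csv.reader(StringIO(text))]


def build_timeline(dns_rows, http_rows):
    """Merge both exports chronologically and tie each HTTP request to the
    latest earlier DNS answer from the same client for the same host name.
    A request with no prior answer is kept and flagged: it may come from a
    cached resolution or from traffic that started before the capture."""
    events = [Event(d["ts"], d["client"], "dns", d["name"], "",
                    f'DNS {d["name"]} -> {d["addr"]}') for d in dns_rows]
    for h in http_rows:
        prior = [d for d in dns_rows if d["client"] == h["client"]
                 and d["name"] == h["host"] and d["ts"] <= h["ts"]]
        note = (f'resolved at {max(prior, key=lambda d: d["ts"])["ts"]:.2f}'
                if prior else "no prior DNS answer seen")
        events.append(Event(h["ts"], h["client"], "http", h["host"], h["method"],
                            f'{h["method"]} {h["host"]}{h["uri"]} ({note})'))
    return sorted(events, key=lambda e: e.ts)


def webmail_candidates(events, keywords=("mail",)):
    """Clients that POSTed to a mail-looking host. Heuristic: a POST to such a
    host is how a webmail send looks when no SMTP appears in the capture."""
    return sorted({e.client for e in events
                   if e.kind == "http" and e.method == "POST"
                   and any(k in e.host for k in keywords)})


def evidence_report(events):
    """Structured notes that keep facts, inferences and open questions apart."""
    candidates = webmail_candidates(events)
    return {
        "facts": [f"{e.ts:.2f} {e.client} {e.summary}" for e in events],
        "inferences": [f"{c} likely sent mail via webmail (POST to mail host)"
                       for c in candidates],
        "open_questions": [
            "Which user was behind each client IP (DHCP/auth logs needed)?",
            "Is the POST body recoverable (plain HTTP only; check NetworkMiner)?",
        ],
    }


if __name__ == "__main__":
    report = evidence_report(build_timeline(parse_dns(DNS_EXPORT),
                                            parse_http(HTTP_EXPORT)))
    for section, lines in report.items():
        print(section.upper())
        for line in lines:
            print("  " + line)
```

Run it as-is to see the three report sections; to use it on a real capture, run the two tshark commands, redirect each to a file, and pass the file contents to parse_dns and parse_http instead of the constructed strings. The candidate list is deliberately an inference, not an attribution: it names a client address, and the open questions record what is still needed to link that address to a person.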

Challenges

  • Relevant evidence may not appear in obvious SMTP traffic at all.
  • Webmail and other indirect communication paths (DNS lookups, HTTP sessions) require a broader analysis than an SMTP filter alone.
  • It is important to separate evidence from assumptions.
  • Clear documentation matters as much as finding the artifact.

Outcome

Created a structured investigation workflow using packet-level evidence, artifact review, and careful documentation to support a reasoned conclusion.

What I Learned

  • Network forensics requires patience and repeatable methods.
  • DNS and session evidence can be just as important as obvious email traffic.
  • Good investigations separate facts, assumptions, and conclusions.
  • Tools are strongest when used together rather than in isolation.

Future Improvements

  • Add sanitized command examples.
  • Add screenshots of filters and evidence views.
  • Create a reusable investigation checklist.
  • Publish a short technical writeup on packet investigation workflow.

Sanitized Screenshots / Artifacts

Screenshots coming soon. Before publishing, each will be sanitized: names, email addresses, IP addresses, file paths, class-specific identifiers, and sensitive evidence removed.

  • Wireshark filter examples
  • tshark command examples
  • NetworkMiner session view
  • Evidence timeline
  • Investigation checklist