
Network Forensics Services Raleigh NC

When a breach, insider incident, or data exfiltration event happens, the network remembers what the endpoints forget. Petronella Technology Group captures, preserves, and analyzes packet data, firewall logs, NetFlow, DNS traffic, and cloud API records - then turns that evidence into a defensible timeline and an expert report attorneys can take to court.

Request a network forensics consultation

Active breach? Call (919) 348-4912 now.

What Network Forensics Actually Proves

Network forensics is the discipline of collecting and analyzing network traffic and infrastructure logs to reconstruct events. Unlike disk forensics, which gives you a snapshot of a single machine at a single moment, network forensics tells you what moved, when it moved, and where it went. That distinction matters in litigation and in incident response, because most of the questions a plaintiff's attorney, a regulator, or a board will ask are network questions, not disk questions.

Consider a common scenario. An employee leaves the firm and starts a competing practice. The partners suspect client files walked out the door. A disk image of the former employee's workstation might show a folder was opened. It cannot, on its own, prove that 18 GB of data moved from the file server to a personal cloud drive on a Tuesday afternoon. Network forensics can. Proxy logs record the destination domain. Firewall logs record byte counts. DNS logs record the lookups that preceded the upload. EDR telemetry ties the process to the user session. Stitched together, those sources produce a timeline that a jury can follow.

Network forensics reliably answers five kinds of questions:

  • What happened. A sequence of events, with timestamps and source-destination pairs, reconstructed from multiple independent log sources.
  • When it happened. Precise, correlated timestamps across systems, normalized to a single timezone, with clock-skew documented.
  • What moved. Byte counts, file indicators where application-layer logging exists, and evidence of encrypted tunnels when payload inspection is not available.
  • Where it went. Destination IPs, domains, ASN ownership, geolocation, and patterns of outbound traffic that distinguish normal business from exfiltration.
  • Who did it. User attribution through authentication logs, session cookies, workstation ownership, MAC-to-IP bindings, and EDR telemetry that ties traffic to a specific process on a specific machine logged in as a specific user.

What network forensics typically cannot prove on its own is intent. For that, investigators pair network evidence with email forensics, chat logs, HR records, and other contextual sources. A well-scoped engagement makes the boundary between fact and inference explicit in the final report.

When You Need Network Forensics

Petronella Technology Group is engaged on six recurring patterns. They overlap more than they differ, and most real incidents touch three or four of these at once.

External breach investigation

An attacker got in. You need to know how, when, what they touched, and whether they are still there. Network forensics is the fastest path to those answers. Firewall logs narrow the initial foothold window to minutes. Proxy and DNS logs reveal command-and-control beaconing. NetFlow pins lateral movement between internal subnets. Correlated with endpoint telemetry, the output is a defensible breach timeline you can hand to regulators, cyber insurance carriers, and outside counsel. For the broader response playbook, see our incident response guide.

Insider threat and departing employee

A sales lead joins a competitor and the client book follows. A finance employee is terminated and records are wiped. A developer sets up AWS accounts the company did not authorize. Network forensics identifies the exfiltration channel, quantifies what moved, and dates the activity. In employment litigation, that evidence usually drives settlement.

Data exfiltration and trade secret theft

Exfiltration today rarely looks like a USB drive. It looks like a personal Dropbox sync, a Gmail draft folder, a compressed archive uploaded to Mega, or a git push to a personal repository. Each channel leaves a different evidentiary trail, and the defensible ones are almost always in network and cloud API logs, not on the endpoint itself.

Ransomware root-cause and dwell-time analysis

Cyber insurance carriers want a ransomware report that answers two questions: how did they get in, and how long were they inside. Neither question is answered by the ransom note. Both require network forensics. We reconstruct initial access, credential theft, lateral movement, staging, and encryption in a forensic timeline that stands up to carrier review. For immediate recovery operations, see ransomware recovery.

Business email compromise network analysis

BEC cases start in the mailbox but move quickly into the network. Was the attacker's session IP logged? Did the attacker create inbox rules that auto-forwarded invoices externally? Did they pivot from Microsoft 365 to SharePoint, OneDrive, or Teams? Were any internal lateral movements attempted from the compromised account? Unified Audit Logs, sign-in logs, and Exchange message traces, combined with firewall logs at the network edge, answer those questions.

HIPAA breach quantification

A HIPAA breach above 500 records triggers notification to Health and Human Services, state attorneys general, and affected individuals. The number of affected individuals is not guessed - it is defended. Network forensics quantifies that number. File access logs, database query logs, egress byte counts, and patient-record lookups give a defensible lower bound on exposure. That number controls the notification scope and the regulatory exposure.

Our Process: Engagement to Final Report

Most matters follow the same six-phase process. We scope tightly, preserve early, and document everything. The sequence below is what you can expect from the moment you pick up the phone to the moment you receive a signed expert report.

1. Initial consult and conflict check

A 30-minute consult, typically with outside counsel on the call, to scope the matter. We confirm no conflicts exist, discuss the likely evidentiary posture, and outline the engagement structure. Most civil matters engage us through the law firm under attorney-client privilege and work-product protection.

2. Engagement letter and preservation order

A short engagement letter defines scope, fee structure, deliverables, and confidentiality. In parallel, counsel issues a litigation hold to the client. We provide preservation language for SIEM retention, firewall log rotation, cloud audit log export, and EDR data. Evidence destruction from ordinary log rotation is the most common avoidable mistake in network forensics matters.

3. Evidence preservation

We begin collection within 24 to 72 hours, depending on urgency. Collection covers full packet capture at strategic points on the network; export of SIEM, firewall, IDS, DNS, proxy, and EDR logs with hash verification; and cloud audit logs pulled from AWS CloudTrail, Azure Sign-In and Unified Audit, and GCP Cloud Audit Logs. Every artifact is SHA-256 hashed on collection and again in the evidence vault, with both hashes recorded in the chain of custody.

4. Log correlation and timeline construction

Raw evidence is normalized into a unified timeline. Timestamps are converted to UTC, then presented in the jurisdiction's local timezone. Clock skew between systems is measured and documented. Events from different sources are correlated by IP, user, session, and process. The result is a single master timeline that can be filtered to any question counsel asks.
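The normalization step described above, as an added example (not Petronella's tooling): three sources with different log timezones and measured clock skew are merged into one UTC timeline, grouped by source IP, and rendered in a report timezone. The source names, skew values, fixed EDT offset, and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed per-source clock metadata (assumption, not from the page):
#   utc_offset_h: timezone the device writes its timestamps in
#   skew_s:       measured device clock minus reference clock, in seconds
SOURCES = {
    "firewall": {"utc_offset_h": 0, "skew_s": 0.0},
    "proxy": {"utc_offset_h": -4, "skew_s": 42.0},  # local time, 42 s fast
    "dns": {"utc_offset_h": 0, "skew_s": -3.0},     # UTC, 3 s slow
}

# Constructed sample records: (source, raw timestamp, fields).
RAW_EVENTS = [
    ("proxy", "2024-05-14 15:02:47",
     {"src_ip": "10.0.5.23", "user": "jdoe", "detail": "POST files.example.net"}),
    ("firewall", "2024-05-14 19:02:06",
     {"src_ip": "10.0.5.23", "detail": "allow tcp/443 to 203.0.113.40"}),
    ("dns", "2024-05-14 19:02:01",
     {"src_ip": "10.0.5.23", "detail": "A? files.example.net"}),
    ("firewall", "2024-05-14 19:30:00",
     {"src_ip": "10.0.9.77", "detail": "allow tcp/443 to 198.51.100.9"}),
]

# Presentation timezone for the report (assumed fixed offset, US Eastern daylight).
REPORT_TZ = timezone(timedelta(hours=-4), "EDT")


def normalize(source, raw_ts):
    """Return the event time as skew-corrected, timezone-aware UTC."""
    meta = SOURCES[source]
    device_tz = timezone(timedelta(hours=meta["utc_offset_h"]))
    stamped = datetime.strptime(raw_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=device_tz)
    # A clock that runs fast stamps events late, so subtract the measured skew.
    return stamped.astimezone(timezone.utc) - timedelta(seconds=meta["skew_s"])


def build_timeline(raw_events):
    """Merge all sources into one list ordered by corrected UTC time."""
    timeline = []
    for source, raw_ts, fields in raw_events:
        # Keep the raw timestamp and applied skew so the correction is auditable.
        event = dict(fields, source=source, raw_ts=raw_ts,
                     skew_s=SOURCES[source]["skew_s"],
                     utc=normalize(source, raw_ts))
        timeline.append(event)
    return sorted(timeline, key=lambda e: e["utc"])


def correlate_by_ip(timeline, window_s=30):
    """Group events sharing a source IP that follow each other within window_s."""
    groups = []
    latest = {}  # src_ip -> most recent group for that IP
    for event in timeline:
        group = latest.get(event["src_ip"])
        if group and (event["utc"] - group[-1]["utc"]).total_seconds() <= window_s:
            group.append(event)
        else:
            group = [event]
            groups.append(group)
            latest[event["src_ip"]] = group
    return groups


def render(event):
    """Format one event in the report timezone."""
    local = event["utc"].astimezone(REPORT_TZ)
    return "{} {} | {:8} | {} | {}".format(
        local.strftime("%Y-%m-%d %H:%M:%S"), local.tzname(),
        event["source"], event["src_ip"], event["detail"])


if __name__ == "__main__":
    for group in correlate_by_ip(build_timeline(RAW_EVENTS)):
        print("--- correlated group ---")
        for ev in group:
            print(render(ev))
```

Without the skew correction the proxy record would sort 41 seconds after the firewall record for the same upload, which is the kind of ordering error the documented skew measurement prevents.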

5. Analysis and hypothesis testing

Findings are developed by testing hypotheses against the evidence, not by pattern-matching to a preferred narrative. Each significant finding in the report is supported by at least two independent evidentiary sources where possible. Where inference is necessary, it is labeled as such.

6. Expert report and testimony preparation

The final report is written to the audience. For insurance and regulators, a declarative chronology with numbered findings. For litigation, an expert report meeting jurisdictional requirements, with exhibits, methodology section, and qualifications. For testimony, we prepare for cross-examination before deposition or trial, working through likely challenges with counsel.

Evidence Types We Collect

Network forensics is a multi-source discipline. No single log type answers every question. A credible investigation pulls from at least three of the following and correlates them.

NetFlow, sFlow, IPFIX

Flow data is the connective tissue of a network investigation. Every conversation between two IP addresses is recorded with start time, end time, byte count, packet count, and port. Flow records are compact, most networks retain them for 30 to 90 days, and they provide a reliable lower bound on what moved between any two hosts. When full packet capture is not available, flow data is often the decisive evidence.

Full packet capture (PCAP)

Where deployed, full packet capture preserves the payload of every packet crossing a collection point. For active investigations, we can deploy temporary capture appliances at network choke points. For historical matters, we work with whatever PCAP retention the client already has. PCAP is the gold standard for proving the content of unencrypted traffic and for extracting indicators from encrypted traffic (TLS SNI, JA3 fingerprints, timing patterns).

Firewall and IDS logs

Palo Alto, Fortinet, Cisco Firepower, Check Point, SonicWall, pfSense, and similar platforms all emit connection logs and threat logs. These become the spine of the inbound and outbound timeline. IDS and IPS alerts add detection context - a signature match on a known C2 domain, a credential-stuffing pattern, a file-transfer heuristic.

DNS query logs

DNS is the most under-appreciated log source in most environments. Every connection to a domain begins with a lookup. DNS logs reveal beaconing patterns, domain generation algorithms, and attempted connections to sinkholed or seized infrastructure. Sysmon event ID 22, BIND query logs, Active Directory DNS logs, and Umbrella / Cloudflare Gateway logs are all common sources.

Proxy logs

Web proxy logs (Zscaler, Netskope, Squid, Blue Coat) record every HTTP and HTTPS request with URL, user attribution, and byte counts. In data exfiltration matters, proxy logs are frequently the single most probative source - they tie a specific user on a specific machine to a specific upload to a specific destination.

EDR and endpoint telemetry

CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black, and similar platforms bridge the gap between network events and the process that caused them. They show which process opened the outbound connection, which parent process launched it, which user was logged in, and what file was written to disk immediately before the upload.

Cloud API and audit logs

Most of the modern attack surface lives in cloud services. AWS CloudTrail records every API call. Azure Unified Audit Log and Sign-In Logs cover Microsoft 365 and Entra ID. Google Workspace Admin Audit and GCP Cloud Audit Logs cover the equivalent. These logs are authoritative for impossible-travel detection, privilege escalation, and SaaS data exfiltration. When a BEC actor creates an inbox rule, it is logged. When an IAM role gets a new trust policy, it is logged. We pull, parse, and correlate these records as a standard part of every cloud-involved engagement.

SIEM aggregation

Where the client runs a SIEM (Splunk, Sentinel, Elastic, Graylog), we export the relevant indexes rather than rebuild them. This accelerates the investigation and preserves parsed fields that are hard to recover from raw data.

Chain of Custody for Network Evidence

Evidence that cannot be authenticated cannot be used. Every artifact Petronella Technology Group collects is treated as potential trial evidence from the moment of acquisition, whether or not litigation is contemplated. The discipline is the same either way, and retrofitting chain of custody to evidence that was collected casually almost never works.

Federal Rule of Evidence 902(14)

FRE 902(14), effective December 2017, permits self-authentication of electronic records copied from a device or system when the copy is identified by a hash value and accompanied by a certification from a qualified person. For network forensics, this rule is a significant efficiency: properly hashed and certified exports do not require a custodian of records to appear at trial simply to authenticate them. We collect with 902(14) in mind by default.

SHA-256 hash verification

Every file artifact - PCAP, log export, disk image where applicable, cloud audit log export - is SHA-256 hashed at the point of collection. The hash is recorded in the chain of custody document with the date, time, source system, and collector. The artifact is transferred to the evidence vault and hashed again on arrival; matching hashes prove no modification occurred in transit. At analysis time, working copies are made from the vault, and the vault original is never touched. Hash verification is repeated before each report exhibit is finalized.
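The hash-at-collection, hash-on-arrival, and hash-before-exhibit sequence described above, as an added example (not Petronella's tooling). The record layout, function names, actor names, and the sample export are hypothetical and constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte PCAPs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry(action, actor, path, sha256):
    """One contemporaneous chain-of-custody log line."""
    return {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "actor": actor, "path": str(path), "sha256": sha256}


def collect(path, source_system, collector):
    """Hash at the point of collection and open the custody record."""
    digest = sha256_file(path)
    return {"artifact": Path(path).name,
            "source_system": source_system,
            "sha256_at_collection": digest,
            "log": [_entry("collected", collector, path, digest)]}


def transfer_to_vault(record, src_path, vault_dir, custodian):
    """Copy into the vault, hash again on arrival, refuse on mismatch."""
    dest = Path(vault_dir) / record["artifact"]
    shutil.copyfile(src_path, dest)
    arrived = sha256_file(dest)
    record["log"].append(_entry("vault_arrival", custodian, dest, arrived))
    if arrived != record["sha256_at_collection"]:
        raise ValueError("hash mismatch on vault arrival: " + record["artifact"])
    dest.chmod(0o440)  # vault original stays read-only; analysis uses copies
    return dest


def verify(record, path, actor, action="verified"):
    """Re-hash any copy (working copy, exhibit) and log the outcome."""
    current = sha256_file(path)
    ok = current == record["sha256_at_collection"]
    record["log"].append(
        _entry(action if ok else action + "_FAILED", actor, path, current))
    return ok


def demo():
    """Walk one constructed artifact through collection, vault, exhibit check."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        vault = tmp / "vault"
        vault.mkdir()
        export = tmp / "fw-export.log"
        export.write_bytes(b"constructed firewall export line\n" * 1000)

        record = collect(export, "edge-fw-01", "analyst-a")
        vault_copy = transfer_to_vault(record, export, vault, "custodian-b")

        # Analysis happens on a working copy made from the vault original.
        working = tmp / "working-copy.log"
        shutil.copyfile(vault_copy, working)
        clean = verify(record, working, "analyst-a", "exhibit_check")

        # Simulate accidental modification of the working copy.
        with open(working, "ab") as fh:
            fh.write(b"one appended line\n")
        tampered = verify(record, working, "analyst-a", "exhibit_check")
        return record, clean, tampered


if __name__ == "__main__":
    rec, clean, tampered = demo()
    for line in rec["log"]:
        print(line["utc"], line["action"], line["actor"], line["sha256"][:16])
    print("clean copy verified:", clean, "| modified copy verified:", tampered)
```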

Write-blockers where applicable

Network evidence is usually exported from live systems, so traditional hardware write-blockers apply less often than in disk forensics. When physical storage is seized (an exfiltration staging server, a rogue access point, a specific laptop for network artifact extraction), hardware write-blockers are used. Any deviation is documented.

Evidence vault and retention

The evidence vault is a segregated, encrypted, access-controlled system separate from our production infrastructure. Every access is logged. Retention is governed by the engagement letter, typically seven years from engagement close, with longer holds for active litigation. Destruction, when authorized, is certified.

Documentation discipline

The chain of custody document lives with the case, not in an email thread. Each transfer, each hash check, each analyst who accessed the evidence, each tool run - all recorded contemporaneously. This is the difference between evidence that survives a Daubert challenge and evidence that does not. A related set of patterns for server-level artifact handling is covered on our server and network forensics deep-dive page.

Expert Witness Testimony

A good investigation only matters if the findings hold up when challenged. Craig Petronella holds Digital Forensics Examiner credential number 604180, plus CCNA, CWNE, and CMMC-RP. That credential stack covers the network engineering foundation (CCNA, CWNE), the forensic discipline (DFE), and the compliance framework (CMMC-RP) that litigation in defense, healthcare, and financial services frequently requires. More on the expert witness service is on our digital forensics expert witness page.

Written expert reports

Reports are structured for the venue. Rule 26 disclosures in federal civil matters. Expert reports in North Carolina state court. Insurance-carrier forensic reports. Regulatory submissions. Each report includes qualifications, methodology, evidence inventory with hashes, timeline, findings with supporting exhibits, and, where appropriate, opinions stated within the scope of the examiner's expertise.

Deposition preparation

Before deposition, we work through the report with counsel line by line. We identify the weakest inferences, the areas where opposing experts are likely to push, and the exhibits that will require the clearest demonstratives at trial. Mock cross-examination is offered where the case profile warrants it.

Trial testimony

At trial, clear communication wins. Jurors do not understand NetFlow records by default. They do understand a chart that shows an employee's machine uploading 2 gigabytes of files to a personal Dropbox account at 9:47 p.m. on the night before they submitted their resignation. Demonstratives are built to convert raw evidence into testimony a jury can act on, without overstating what the data shows.

Cross-examination preparedness

Every credible expert expects their methodology to be attacked. Hash verification, tool validation, alternative explanations, chain of custody gaps, analyst qualifications - these are the standard cross lines. We prepare to answer them in writing during the report phase, so that the answers at trial are calm, specific, and documented.

Industry Coverage

Certain industries come with baked-in evidentiary and regulatory requirements. A network forensics engagement in these sectors needs to do double duty: prove the facts of the matter, and satisfy the industry's reporting obligations at the same time.

CMMC and DFARS contractors

Defense industrial base contractors operate under DFARS 252.204-7012 and, progressively, CMMC 2.0. A cyber incident involving controlled unclassified information requires notification to DoD within 72 hours and a damage assessment that is explicitly evidentiary. Petronella Technology Group holds CMMC-RP credentials across four team members (Craig Petronella, Blake Rea, Justin Summers, Jonathan Wood). Investigations are scoped to support DFARS cyber incident reporting and the later CMMC assessment cycle in parallel.

HIPAA covered entities and business associates

A HIPAA breach investigation is, at its core, a quantification exercise. How many records were exposed, which individuals, what types of PHI, over what time window. Network forensics - database query logs, file access logs, egress byte counts, EHR audit trails - produces the defensible number that controls notification scope under 45 CFR 164.404.

Financial services

Banks, credit unions, RIAs, and fintechs live under GLBA, the FTC Safeguards Rule, FFIEC guidance, and a growing list of state-level notification laws (New York DFS 500, Massachusetts 201 CMR 17, California CCPA/CPRA). Our investigations produce the evidence packages these frameworks require: timeline, data-at-risk enumeration, containment actions, and control-failure analysis.

Law firms

Law firms sit in an uncomfortable position: they hold highly sensitive client data and they are increasingly targeted by both criminal actors and nation-state groups. Firm breaches also trigger ethics obligations under ABA Model Rules 1.1 and 1.6, and state analogs. Investigations are scoped to preserve privilege, satisfy ethical notification duties, and support client-protective communication. Firms handling sensitive matters for clients in the defense, healthcare, or financial verticals frequently pair our network forensics with our broader digital forensics services.

Professional services and light industrial

Manufacturing, logistics, engineering, and consulting firms typically lack dedicated security staff and are frequent targets of business email compromise and ransomware. Investigations here are often the first forensic engagement the company has ever run. We scope accordingly, favor straightforward reporting, and hand off a playbook the internal IT team can use next time.

Network Forensics vs. Other Forensic Disciplines

Digital forensics is not one job. It is at least six, and any serious matter touches several. Here is where network forensics fits, and where we refer out to specialists.

Where we lead

  • Network traffic analysis. PCAP, NetFlow, sFlow, IPFIX. Capture, indexing, protocol reconstruction.
  • Log forensics. SIEM, firewall, IDS, proxy, DNS, authentication, VPN.
  • Cloud forensics. AWS CloudTrail, Azure Sign-In and Unified Audit, GCP audit logs, Microsoft 365 and Google Workspace audit.
  • Server-side incident response. Windows Event Logs, Linux syslog and auditd, memory capture on running servers, live response.
  • Breach timeline and damage assessment. Multi-source correlation, quantification, and written report.
  • Expert witness testimony. Written reports and live testimony in network-evidence matters.

These are core competencies. They run end-to-end in house, from preservation through testimony. See data breach forensics for the broader parent service.

Where we refer out

  • Mobile device imaging. Cellebrite, MSAB XRY, Magnet AXIOM Mobile. We do not operate these tools in house.
  • Workstation disk imaging at scale. EnCase, FTK, X-Ways. Individual server-level artifact extraction we handle; full fleet imaging we route to partners.
  • Private investigator field work. Licensed PI services, process service, physical surveillance - not services we offer.
  • E-discovery at scale. Relativity and Everlaw hosted review platforms. We produce forensic evidence; e-discovery vendors host and review it.

Scope of Our Work and Partner Network

Network forensics is one specialty inside a broader investigation. When a matter requires mobile device imaging, Cellebrite-based phone extractions, EnCase workstation imaging, or licensed private-investigator field work, Petronella Technology Group routes those engagements to a trusted partner network of credentialed specialists. The matter stays intact: we preserve network and server evidence under Rule 902(14), a partner handles the device imaging, and the expert report is coordinated. Which partner fits a given case depends on jurisdiction, deadline, and case profile - we determine that in the initial consult.

The practical upshot is that counsel does not need to assemble a forensic panel piece by piece. A single engagement with Petronella Technology Group covers the network and server evidence, and the partner coordination happens behind a single point of contact. Billing can run through the firm or split by vendor, depending on the client's preference.

We are explicit about what we do and do not do so that scope is never ambiguous. That clarity is part of what keeps our reports defensible and our testimony clean.

Prevention pairs with forensics. Clients who want to baseline their environment before an incident often start with a security risk self-assessment or move straight to a CMMC compliance package. For organizations facing cyber-insurance renewal, the evolving carrier posture covered in stringent cyber insurance rules tends to drive the next 90 days of control work.

Frequently Asked Questions

What is network forensics?

Network forensics is the capture, preservation, and analysis of network traffic and log data to reconstruct what happened during a security incident. It answers questions a disk image cannot: who talked to what, when, how much data moved, and which external systems were contacted.

How is network forensics different from computer forensics?

Computer forensics examines a single device's storage at a point in time. Network forensics examines traffic and logs across many devices over a window of time. The two are complementary. A typical breach investigation uses both, plus cloud API logs and endpoint telemetry.

Is network forensic evidence admissible in court?

Yes. Properly preserved PCAPs, NetFlow exports, and firewall logs are routinely admitted under Federal Rule of Evidence 902(14), which recognizes data copied from an electronic device that can be authenticated by hash value. Petronella uses SHA-256 hashes, write-blockers where applicable, and a documented chain of custody.

Do you provide expert witness testimony?

Yes. Craig Petronella (DFE #604180, CCNA, CWNE, CMMC-RP) has provided expert reports and testimony in matters involving network intrusion, data exfiltration, insider threats, and ransomware. Cross-examination preparation is included in every expert witness engagement.

How fast can you start an investigation?

For active breaches, we can begin evidence preservation the same day. Call (919) 348-4912 for emergencies. Non-emergency civil and employment matters typically kick off within two to five business days of engagement letter signature.

What do you need from us to start?

Typically: a signed engagement letter, a point of contact with administrative access to the relevant logging systems, and a brief description of the incident. For preservation, we prefer read-only access to SIEM, firewall, EDR, and cloud admin consoles. If access is limited, we can coach your team through the extraction.

Can you examine phones or laptops?

Mobile device imaging (Cellebrite) and workstation imaging (EnCase) are not services we run in house. When a matter needs them, we route that work to a trusted partner network while we continue to handle network and server evidence. The expert report is coordinated.

What does a network forensics engagement cost?

Engagements are quoted per matter. Small insider-threat reviews with a defined scope can come in at a fixed fee. Breach investigations with unknown dwell time and multi-cloud logging are billed hourly with a capped retainer. A written scope and estimate is provided before work starts.

Do you work directly with outside counsel?

Yes. Most of our investigations run under attorney-client privilege and attorney work-product, with the law firm as our client of record. We handle technical findings, counsel handles legal strategy, and we structure communications accordingly.

What jurisdictions do you cover?

Based in Raleigh, North Carolina, with remote collection and analysis available nationwide. Expert witness testimony has been provided in state and federal venues. For matters requiring on-site collection outside North Carolina, we coordinate logistics with our partner network.

Ready to move forward?

Petronella Technology Group has been serving businesses, law firms, and regulated industries from Raleigh, North Carolina since 2002, with an A+ rating from the Better Business Bureau since 2003. Our team holds CMMC-RP credentials across four examiners, and network forensic engagements are led by Craig Petronella (DFE #604180, CCNA, CWNE, CMMC-RP).

If you have a matter where network evidence might be decisive - a suspected breach, a departing employee, a ransomware event, a HIPAA exposure, a BEC with lateral movement - a short consult is the fastest way to scope the work.

Request a network forensics consultation

Active breach emergencies: (919) 348-4912

© 2026 Petronella Technology Group, Inc. All rights reserved.