Network forensics primarily involves which activity?


Multiple Choice

Network forensics primarily involves which activity?

Explanation:
Network forensics focuses on data in transit and the behavior of the network during an incident. The primary activity is examining network traffic, transaction logs, and real-time monitoring using sniffers and tracing. By capturing packets, reviewing protocol details, and inspecting logs from network devices, you can reconstruct what happened, when it occurred, and how an intrusion or data transfer unfolded. Sniffers provide the raw data of the communications, while tracing helps map the path of the traffic and correlate events across devices, making it possible to identify sources, destinations, and timelines. Other activities you might see in related fields—such as extracting data from mobile devices, imaging hard drives, or analyzing email content—focus on data at rest on endpoints or specific content, not on the live network activity and in-motion data that network forensics examines. This network-centered view is what enables investigators to understand how threats moved through the environment and what was exposed.

