Network forensics captures and analyzes network traffic for incident investigation and evidence collection. Tools: Wireshark (GUI packet dissection and stream reassembly), tcpdump (command-line capture and BPF filtering), Zeek (formerly Bro; protocol-aware connection and application logs, scriptable), and full packet capture (FPC) appliances.
PCAP is the standard file format for captured packets and the richest form of network evidence, because every byte on the wire is preserved. NetFlow/IPFIX provides per-flow summaries only (5-tuple, start/end time, packet and byte counts), so it is cheap to store and retain for months but cannot answer content questions such as "what was in the request". Full packet capture requires massive storage (retention is typically measured in days) but allows complete session and file reconstruction. NSM (Network Security Monitoring) is the practice of continuously collecting packets, flow records, protocol logs and alerts so the evidence already exists when an incident is discovered.
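The PCAP-versus-NetFlow trade-off above, as an added example that is not part of the original notes: a minimal libpcap reader that aggregates packets into NetFlow-style unidirectional flow records, then shows that a content search (a credential in a POST body) succeeds only when the payload from full packet capture was kept. The capture is constructed inline with struct.pack rather than taken from a real trace; the parser handles only Ethernet/IPv4 with TCP or UDP, and the 48-byte record size used for the storage comparison is the NetFlow v5 record length, used here purely as an illustrative figure.

```python
import struct
from dataclasses import dataclass

# Constructed sample capture (not a real trace): three Ethernet/IPv4/TCP packets
# wrapped in a little-endian libpcap file. IP/TCP checksums are left at zero.

def build_ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    eth = bytes(12) + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp

def build_pcap(packets):
    """packets: iterable of (ts_sec, frame); returns a pcap with linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    (1700000000, build_ipv4_tcp_frame("10.0.0.5", "203.0.113.9", 51000, 80,
                                      b"GET /login HTTP/1.1\r\nHost: example\r\n\r\n")),
    (1700000001, build_ipv4_tcp_frame("203.0.113.9", "10.0.0.5", 80, 51000,
                                      b"HTTP/1.1 200 OK\r\n\r\n")),
    (1700000002, build_ipv4_tcp_frame("10.0.0.5", "203.0.113.9", 51000, 80,
                                      b"POST /login HTTP/1.1\r\n\r\nuser=admin&pw=hunter2")),
])

def iter_packets(pcap):
    """Yield (timestamp, frame_bytes) from a classic pcap file, honouring the magic's byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, pcap[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return (src, dst, sport, dport, proto, ip_len, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    total_len, = struct.unpack_from("!H", ip, 2)
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]                               # trims any Ethernet trailer
    if proto == 6:                                       # TCP: data offset in header byte 12
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:                                    # UDP: fixed 8-byte header
        sport, dport = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:]
    else:
        return None
    return src, dst, sport, dport, proto, total_len, payload

@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    payload: bytes = b""       # only populated when summarising from full packet capture

def flows_from_pcap(pcap, keep_payload=True):
    """NetFlow-style unidirectional records keyed by (src, dst, sport, dport, proto)."""
    flows = {}
    for ts, frame in iter_packets(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, proto, ip_len, payload = parsed
        key = (src, dst, sport, dport, proto)
        f = flows.setdefault(key, Flow(first=ts, last=ts))
        f.last, f.packets, f.octets = ts, f.packets + 1, f.octets + ip_len
        if keep_payload:
            f.payload += payload
    return flows

def flows_matching(flows, needle):
    """Content search: possible with FPC-derived records, empty with flow summaries alone."""
    return sorted(k for k, f in flows.items() if needle in f.payload)

def storage_comparison(pcap, flows, record_size=48):
    """Bytes needed for the full capture vs. fixed-size flow records (48 = NetFlow v5 record)."""
    return len(pcap), len(flows) * record_size

if __name__ == "__main__":
    full = flows_from_pcap(SAMPLE_PCAP, keep_payload=True)
    summary = flows_from_pcap(SAMPLE_PCAP, keep_payload=False)
    print("flows:", len(full), "storage (pcap, flow records):", storage_comparison(SAMPLE_PCAP, full))
    print("credential visible via FPC:", flows_matching(full, b"pw="))
    print("credential visible via NetFlow only:", flows_matching(summary, b"pw="))
```

Both record sets agree on who talked to whom, when, and how much; only the FPC-derived set can show what was said, which is the gap analysts hit when an incident is older than the packet retention window and only flow data remains.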