Summary

Security incidents not only produce trace evidence on host systems, but also leave traces throughout the devices and traffic flows within a network. The ability to analyze this trace evidence will allow incident response analysts to have a better understanding of what type of incident they are investigating, as well as potential actions that can be taken. Tools such as Wireshark and CapAnalysis afford analysts the ability to rip apart network traffic and individual packets to discover a wealth of information. Log analysis, either conducted manually or using tools such as the ELK Stack, can also provide analysts with a way to determine what log entries indicate compromise. This trace evidence, taken in conjunction with evidence obtained from potentially compromised websites, goes a long way in allowing analysts to reconstruct the events of an incident.
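The log-analysis point above is easiest to see in code. The following is an added example, not code from the book or from any of the tools it names: it parses a handful of constructed sshd-style log lines and flags the pattern an analyst would look for when deciding which entries indicate compromise, namely a burst of failed logins from one source followed by a successful login from that same source. The log lines, the threshold of three failures and the five-minute window are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not taken from any real system); the format
# mimics Linux sshd syslog output so the parser has something realistic to chew on.
SAMPLE_LOG = """\
Mar 10 08:14:01 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar 10 08:14:03 web01 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2
Mar 10 08:14:05 web01 sshd[2205]: Failed password for root from 198.51.100.23 port 51141 ssh2
Mar 10 08:14:08 web01 sshd[2207]: Failed password for root from 198.51.100.23 port 51150 ssh2
Mar 10 08:14:11 web01 sshd[2209]: Failed password for root from 198.51.100.23 port 51162 ssh2
Mar 10 08:14:15 web01 sshd[2211]: Accepted password for root from 198.51.100.23 port 51170 ssh2
Mar 10 08:20:44 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.12 port 40012 ssh2
Mar 10 09:02:10 web01 sshd[2410]: Failed password for deploy from 10.0.0.12 port 40100 ssh2
Mar 10 09:02:30 web01 sshd[2412]: Accepted password for deploy from 10.0.0.12 port 40102 ssh2
"""

# One regex covers both the failed and the accepted login forms; "invalid user"
# is optional because sshd only prints it for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one syslog line into a dict, or None if it is not an sshd auth event.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def failed_logins_by_source(log_text):
    """Simple triage view: how many failures each source address produced."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["result"] == "Failed":
            counts[e["src"]] += 1
    return dict(counts)


def find_bruteforce_then_success(log_text, threshold=3, window_seconds=300):
    """Flag a successful login preceded by >= threshold failures from the same
    source inside window_seconds. Returns one finding per such login."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures = defaultdict(list)  # src address -> timestamps of failed attempts
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "src": e["src"], "user": e["user"], "host": e["host"],
                "success_at": e["ts"].isoformat(), "failed_attempts": len(recent),
            })
    return findings


if __name__ == "__main__":
    print("failures per source:", failed_logins_by_source(SAMPLE_LOG))
    for f in find_bruteforce_then_success(SAMPLE_LOG):
        print("suspicious login:", f)
```

Run against the sample, the per-source count alone shows two noisy addresses, but only the 198.51.100.23 entry is flagged, because the single failure from 10.0.0.12 before its success is well under the threshold. That is the difference between a raw log view and a log entry that actually indicates compromise: the detection logic encodes the analyst's reasoning about sequence and timing, not just volume. In practice the same rule is what an analyst would express as an ELK Stack query or alert rather than a standalone script.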
