Investigating and Analyzing Logs

So far, we have worked primarily with network packets acquired through sniffing and monitoring. However, there are situations where packet analysis alone is not enough, and we have to draw our inputs from logs. On a typical network, logs can be present anywhere and everywhere. Consider that when you browse the internet, you leave behind logs on your own system, the network switch, the router, the primary DNS server, your ISP, any proxy servers, the server hosting the requested resource, and many other places you might not normally think of. In this chapter, we will work with a variety of log types and gather inputs from them to aid our network forensics exercise.

Throughout this chapter, we will cover the following key topics:

  • Network intrusions and footprints
  • Case study—defaced servers

However, before moving further, let's understand the need for log analysis and its use in a network forensics scenario by analyzing the ssh_cap.pcap file in the next section.
