The first thing I do is establish a timeline. If I have an EDR alert or a SIEM correlation that triggered the suspicion, I anchor on the timestamp and affected host. From there I pull NetFlow or firewall logs first, not full packet capture, because NetFlow is retention-friendly and gives me the connection graph: which hosts the suspected host communicated with, on which ports, and how much data moved. I am looking for patterns inconsistent with normal behavior: a workstation making SMB connections to 20 other workstations it has never talked to, which is likely Pass-the-Hash or SMB worm propagation; LDAP or Kerberos queries to a domain controller at unusual times or volume, suggesting credential enumeration; connections to internal hosts on ports like WinRM 5985 or RDP 3389 from a non-admin source. Once I have a set of suspicious host pairs from NetFlow, I check whether I have full packet capture for those flows. If SPAN or TAP data is available via a tool like Zeek or Wireshark, I reconstruct the sessions. For SMB lateral movement I look at SMB command sequences in the capture: do I see net use, PsExec patterns, or IPC$ share access? For command-and-control that has gone internal, I look at beaconing: regular intervals of small outbound connections. Zeek's conn.log is excellent for this because it gives per-connection duration and byte counts, making periodic beaconing stand out. I also correlate DNS logs: lateral movement tools often query internal hostnames they should not know about. If I find a compromised host, I image it before isolating it when possible, because isolation can trigger attackers to destroy evidence.
Insider read
Really testing: Whether you have a structured, hypothesis-driven methodology for network forensics rather than a list of tools. The interviewer is assessing incident response maturity.
The tell: Weak candidates say 'I would run Wireshark and look for suspicious traffic.' Strong candidates describe starting with metadata like NetFlow before full PCAP, anchor to a timeline, name specific lateral movement indicators like SMB spray patterns and beaconing intervals, and mention evidence preservation before isolation.
Follow-up: Zeek and Wireshark give you different data. In what scenario would you reach for Wireshark over Zeek, and why?
Say thisNetwork forensics starts with connection metadata to build the map, then drops into full packet capture to answer the question the map raises. Reaching for PCAP first without that orientation is how you drown in noise.