
Analysis

Once the Examination phase has extracted the potentially relevant pieces of data, the digital forensic examiner analyzes that data in light of any other relevant data obtained. For example, if the digital forensic analyst has discovered that a compromised host has an open connection to an external IP address, they would correlate that information with an analysis of the packet capture taken from the network. Using the IP address as a starting point, the analyst would be able to isolate the particular traffic. From there, the analyst may be able to determine that the compromised host is sending out a beacon to a C2 server. Then, using additional sources, the analyst may be able to determine which particular attack vector is tied to that IP address.
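The correlation step described above can be sketched in a few lines. This is an added example, not code from the book: the packet records are constructed sample data using documentation IP ranges, and the function names and thresholds (`min_packets`, `max_cv`) are assumptions chosen for illustration.

```python
import statistics

# Constructed sample rows as they might be exported from a packet capture:
# (epoch_seconds, src_ip, dst_ip, dst_port, payload_bytes)
PACKETS = [
    (1000.0, "10.0.0.15", "203.0.113.50", 443, 212),
    (1003.0, "10.0.0.15", "198.51.100.7", 443, 1480),
    (1004.5, "10.0.0.15", "198.51.100.7", 443, 1480),
    (1050.0, "10.0.0.15", "198.51.100.7", 443, 640),
    (1060.2, "10.0.0.15", "203.0.113.50", 443, 212),
    (1119.9, "10.0.0.15", "203.0.113.50", 443, 212),
    (1150.0, "10.0.0.22", "203.0.113.50", 443, 90),
    (1180.1, "10.0.0.15", "203.0.113.50", 443, 212),
    (1200.0, "10.0.0.15", "198.51.100.7", 443, 900),
    (1201.0, "10.0.0.15", "198.51.100.7", 443, 1480),
    (1240.0, "10.0.0.15", "203.0.113.50", 443, 212),
    (1260.0, "10.0.0.22", "203.0.113.50", 443, 90),
    (1299.8, "10.0.0.15", "203.0.113.50", 443, 212),
]

def isolate(packets, host, remote_ip):
    """Keep only traffic from the compromised host to the suspect IP, in time order."""
    return sorted(p for p in packets if p[1] == host and p[2] == remote_ip)

def beacon_profile(flow, min_packets=5, max_cv=0.1):
    """Summarise packet timing. A low coefficient of variation (stdev / mean)
    of the inter-arrival intervals indicates machine-regular check-ins."""
    if len(flow) < min_packets:
        return None  # too few observations to judge periodicity
    times = [p[0] for p in flow]
    deltas = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(deltas)
    cv = statistics.pstdev(deltas) / mean if mean else float("inf")
    return {
        "packets": len(flow),
        "mean_interval": round(mean, 2),
        "cv": round(cv, 3),
        "uniform_size": len({p[4] for p in flow}) == 1,
        "beacon_like": cv <= max_cv,
    }

if __name__ == "__main__":
    # Starting point from host analysis: 10.0.0.15 has an open connection to 203.0.113.50
    print(beacon_profile(isolate(PACKETS, "10.0.0.15", "203.0.113.50")))
    # Ordinary traffic from the same host, for comparison
    print(beacon_profile(isolate(PACKETS, "10.0.0.15", "198.51.100.7")))
```

A flow flagged as beacon-like is a lead for further correlation with other sources, not a conclusion on its own, since legitimate software such as update checkers also polls at fixed intervals.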
