Which type of forensics can help you determine whether a system is truly under attack or a user has inadvertently installed an untested patch or custom program?

Multiple Choice

Explanation:
Network forensics examines the actual traffic to and from a system, using packet captures, flow data, and logs from firewalls, IDS/IPS, DNS, and routers. This gives visibility into whether there is active, malicious activity—such as unusual connection patterns, beaconing to a control server, lateral movement, or large, suspicious data transfers—that would indicate an attack. If a user accidentally installed an untested patch or a custom program, the network activity would more likely resemble normal update or application traffic and lack those intrusion-like indicators. In short, analyzing network activity is how you tell if the system is truly under attack versus simply running new software. Disk forensics focuses on files and artifacts on the host, which can reveal what was installed but not necessarily current attack behavior. Email forensics targets messages and attachments, not system-wide activity. Mobile forensics looks at data on mobile devices.