Which type of forensics examines network activity to determine if an intrusion occurred or if an untested patch was installed?

Enhance your readiness for the Cengage Computer Forensics Test. Dive into flashcards and multi-choice quizzes with helpful hints and detailed explanations to boost your preparation efforts. Gear up for success!

Multiple Choice


Explanation:
Network forensics focuses on evidence collected from the network to reconstruct what happened during an incident. It involves analyzing traffic captures and logs from routers, switches, firewalls, proxies, and security sensors to see whether an intrusion occurred and how it unfolded. By examining packets, connection patterns, timing, and data flows, you can detect unauthorized access, lateral movement, or data exfiltration, and you can also infer whether a patch or configuration change was applied by observing shifts in network behavior after deployment. This type of forensics is specifically about network activity, unlike memory forensics, which looks at RAM contents to find running processes and memory-resident artifacts; file forensics, which examines stored files and metadata on storage devices; or cloud forensics, which investigates data and events in cloud environments.

