Network forensics refers to investigations that obtain and analyze information about a network or network events. It is a specialized category within the more general field of digital forensics, which applies to all kinds of IT data investigations. Typically, network forensics refers to the specific network analysis that follows security attacks or other types of cybercrimes.

Network forensics methods vary widely. Some investigations monitor all traffic on a network, while others use more specific and targeted observations. An easy way to to understand some types of network forensics is by comparing them to law enforcement vehicle checkpoints, where network forensics investigators may analyze all of the traffic going through a certain point of a network. Other kinds of network forensics may involve the broader capture and storage of network information. Some experts separate network forensics into two categories based on either of the following methodologies: a catch-it-as-you-can or stop-look-listen method that treats a large amount of data with a cursory type of routine inspection.