Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.9.2. Other Data Sources

💡 First Principle: Not all investigation data comes from logs. Network captures, vulnerability reports, dashboards, and automated alert data all contribute to the investigative picture. Each data source provides a different perspective, and effective investigations combine multiple sources.

Protocol analyzers / Packet captures — tools like Wireshark and tcpdump capture full network traffic, headers and payloads included. This is the most detailed view of network communication, but it generates enormous volumes of data, and encrypted traffic (TLS, SSH) can't be inspected without the session keys; even then, the endpoints, ports, timing and volume remain visible. Use packet captures when you need to reconstruct exactly what data was transferred during an incident. They're the forensic equivalent of a security camera recording, and like one they only help if they were rolling at the time, so know in advance where captures are taken and how long they are retained.

Dashboards — centralized displays aggregating data from multiple sources. SIEM dashboards, network operations center (NOC) dashboards, and security operations center (SOC) dashboards provide at-a-glance visibility. Effective dashboards highlight anomalies against baselines rather than showing raw data, enabling analysts to spot problems quickly.

Vulnerability scans — reports from vulnerability assessment tools showing which systems have which known weaknesses. Useful for determining whether a compromised system had known exploitable vulnerabilities at the time of the incident. Comparing scan results from before and after an incident shows which known vulnerabilities were present when the attacker got in; if none of them fits the observed activity, the investigation should consider a zero-day, stolen credentials, or a misconfiguration instead. A scan only reports what its checks could detect on that date, so the scan closest to the time of compromise is the one that matters.

Automated reports — scheduled outputs from security tools: compliance reports, configuration audit reports, change detection reports. These establish what the environment looked like at specific points in time, which is valuable for determining when a change or compromise occurred.

Benchmarks — comparison of system configurations against known-good baselines (CIS Benchmarks, DISA STIGs). Useful for identifying deviations that may indicate compromise or misconfiguration. A system that suddenly fails benchmark checks it previously passed warrants investigation.
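Automated reports and benchmark checks are most useful together, as a timeline. The following is an added example written for this page, not the author's code or any scanner's output format: it evaluates a series of constructed nightly configuration reports against a small CIS/STIG-style baseline, separates settings that drifted from settings that were never compliant, and narrows the window in which the change happened. The check names, values and timestamps are made up for the demo.

```python
"""Added example: turn scheduled configuration reports plus a benchmark baseline
into a change timeline for an investigation (constructed data, not real reports)."""

# Constructed baseline in the spirit of a CIS Benchmark / STIG subset:
# setting name -> value the benchmark requires.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.default_input": "DROP",
}

# Constructed nightly configuration-audit reports: (timestamp, exported settings).
REPORTS = [
    ("2026-03-01T02:00:00Z", {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                              "auditd.enabled": "yes", "firewall.default_input": "ACCEPT"}),
    ("2026-03-02T02:00:00Z", {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                              "auditd.enabled": "yes", "firewall.default_input": "ACCEPT"}),
    ("2026-03-03T02:00:00Z", {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                              "firewall.default_input": "ACCEPT"}),   # auditd key missing
    ("2026-03-04T02:00:00Z", {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                              "auditd.enabled": "no", "firewall.default_input": "ACCEPT"}),
]


def evaluate(report, baseline):
    """Benchmark pass/fail per check. A setting absent from the report fails:
    'auditd not reported' is not evidence that auditd was running."""
    return {check: (report.get(check) == required, report.get(check))
            for check, required in baseline.items()}


def drift_timeline(reports, baseline):
    """Return (drifted, never_compliant).

    drifted: check -> {last_pass, first_fail, observed} for checks that passed in
             an earlier report and then failed (a change worth investigating).
    never_compliant: checks that failed in every report (a standing
             misconfiguration, not evidence of a change during the window)."""
    history = {check: [] for check in baseline}
    for ts, report in sorted(reports, key=lambda r: r[0]):   # ISO-8601 sorts as text
        for check, (ok, observed) in evaluate(report, baseline).items():
            history[check].append((ts, ok, observed))

    drifted, never_compliant = {}, []
    for check, entries in history.items():
        if not any(ok for _, ok, _ in entries):
            never_compliant.append(check)
            continue
        # First pass -> fail transition bounds when the change happened.
        for (prev_ts, prev_ok, _), (ts, ok, observed) in zip(entries, entries[1:]):
            if prev_ok and not ok:
                drifted[check] = {"last_pass": prev_ts, "first_fail": ts, "observed": observed}
                break
    return drifted, never_compliant


def change_window(drifted):
    """Narrowest interval containing every pass->fail transition, i.e. where to
    look in other sources (auth logs, flow data) for the cause."""
    if not drifted:
        return None
    return (min(d["last_pass"] for d in drifted.values()),
            max(d["first_fail"] for d in drifted.values()))


if __name__ == "__main__":
    drifted, never = drift_timeline(REPORTS, BASELINE)
    for check, info in drifted.items():
        print(f"DRIFT    {check}: passed at {info['last_pass']}, "
              f"failed at {info['first_fail']} (observed {info['observed']!r})")
    for check in never:
        print(f"STANDING {check}: never met the benchmark in this window")
    print("investigate between", change_window(drifted))
```

Two design choices matter here. A missing key is treated as a failure rather than "unknown", because an attacker who stops the audit daemon may also stop it from being reported. And checks that never passed are reported separately: a firewall that was always permissive is a finding, but it does not tell you when the intrusion happened, whereas the root-login and auditd changes pin the event to the night between the 2 March and 3 March reports.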

āš ļø Exam Trap: Packet captures provide the most detailed network data but are the most resource-intensive to capture and analyze. NetFlow provides metadata (who talked to whom) without content — much lighter but less detailed. Choose based on what the investigation needs: metadata for scope, full capture for evidence.

Written by Alvin Varughese