DFIR

Introduction Zeek (previously called bro) is a useful tool that enables high-level PCAP analysis at the application layer. I have mostly been doing my packet capture analysis in Wireshark and while Wireshark is still my number one tool for PCAP analysis, Zeek was a great find for me.

Introduction PCAPs can greatly aid an investigation after an incident has occurred. However, PCAPs contain massive amounts of data that is difficult to parse and time is valuable, especially during live investigations.