IDS/IPS Alerts (Snort/Suricata)

Network, Perimeter Security, Network Capture, SIEM / Log Aggregator

Location

IDS/IPS alert logs (Snort alert files, Suricata eve.json, SIEM-ingested alerts)

Description

Signature-based and anomaly-based intrusion detection alerts with rule SID, severity, source/destination IP and port, protocol, alert message, and reference to the triggering packet.

Forensic Value

IDS alerts provide immediate, high-confidence indicators when signature matches occur for known exploits, malware communication patterns, or policy violations. Suricata eve.json output includes the triggering rule details and associated flow metadata. Even in high-noise environments, filtering by severity and correlating with other artifacts narrows the focus. Alert timestamps establish the earliest detection of malicious activity, supporting timeline construction.
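As an added illustration of the triage steps this section describes (filtering Suricata eve.json alerts by severity, grouping by rule SID and using the earliest alert timestamp to anchor a timeline), the following Python is example code written for this page, not part of the original entry or of Suricata itself. The eve.json lines are constructed samples that follow Suricata's alert record layout (`event_type`, `alert.signature_id`, `alert.severity`, `flow_id`, the `flow` sub-object); the SIDs, IPs and signature names are placeholders, and the timestamp format is assumed to be Suricata's default (`2024-03-02T14:05:11.482310+0000`).

```python
import json
from datetime import datetime

# Constructed eve.json records (not real alerts): same field layout Suricata emits.
# Note the lines are deliberately out of chronological order, as a rotated or
# merged log often is, so the timeline functions must sort rather than trust file order.
SAMPLE_EVE_JSON = """\
{"timestamp":"2024-03-02T14:05:11.482310+0000","flow_id":1001,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":3,"signature":"EXAMPLE Possible C2 beacon (constructed)","category":"Malware Command and Control Activity Detected","severity":1},"flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":612,"bytes_toclient":480,"start":"2024-03-02T14:05:10.900000+0000"}}
{"timestamp":"2024-03-02T14:05:12.001000+0000","flow_id":1002,"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2024-03-02T14:03:59.120000+0000","flow_id":1003,"event_type":"alert","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000002,"rev":1,"signature":"EXAMPLE Policy violation: cleartext credential (constructed)","category":"Potential Corporate Privacy Violation","severity":2}}
{"timestamp":"2024-03-02T14:06:30.000000+0000","flow_id":1004,"event_type":"alert","src_ip":"10.0.0.5","src_port":51240,"dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2000001,"rev":3,"signature":"EXAMPLE Possible C2 beacon (constructed)","category":"Malware Command and Control Activity Detected","severity":1}}
this line is not JSON and must be skipped, not crash the parser
{"timestamp":"2024-03-02T14:07:00.000000+0000","flow_id":1005,"event_type":"alert","src_ip":"10.0.0.9","src_port":33000,"dest_ip":"192.0.2.44","dest_port":53,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2000003,"rev":2,"signature":"EXAMPLE Informational: DNS query to new domain (constructed)","category":"Not Suspicious Traffic","severity":3}}
"""


def parse_timestamp(ts: str) -> datetime:
    """Parse Suricata's default eve.json timestamp, e.g. 2024-03-02T14:05:11.482310+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_eve_alerts(text: str) -> list[dict]:
    """Return only alert records from newline-delimited eve.json text.

    eve.json mixes event types (flow, dns, http, alert, ...); malformed lines are skipped
    so one truncated write at log rotation does not abort the whole analysis.
    """
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") != "alert" or "alert" not in record:
            continue
        record["_ts"] = parse_timestamp(record["timestamp"])  # parsed once, reused below
        alerts.append(record)
    return alerts


def filter_by_severity(alerts: list[dict], max_severity: int = 1) -> list[dict]:
    """Keep alerts at or above a severity threshold. Suricata uses 1 = high, 3 = low,
    so a *lower* number is more severe; an alert with no severity is treated as low."""
    return [a for a in alerts if a["alert"].get("severity", 3) <= max_severity]


def earliest_detection(alerts: list[dict]):
    """The alert with the earliest timestamp, the anchor for a timeline; None if empty."""
    if not alerts:
        return None
    return min(alerts, key=lambda a: a["_ts"])


def summarize_by_signature(alerts: list[dict]) -> dict[int, dict]:
    """Group alerts by rule SID with count, first/last seen and the (src, dst, dport) pairs involved."""
    summary: dict[int, dict] = {}
    for a in sorted(alerts, key=lambda a: a["_ts"]):
        sid = a["alert"]["signature_id"]
        entry = summary.setdefault(sid, {
            "signature": a["alert"]["signature"],
            "severity": a["alert"].get("severity"),
            "count": 0,
            "first_seen": a["_ts"],
            "last_seen": a["_ts"],
            "pairs": set(),
        })
        entry["count"] += 1
        entry["last_seen"] = a["_ts"]
        entry["pairs"].add((a.get("src_ip"), a.get("dest_ip"), a.get("dest_port")))
    return summary


if __name__ == "__main__":
    alerts = parse_eve_alerts(SAMPLE_EVE_JSON)
    first = earliest_detection(alerts)
    print(f"{len(alerts)} alerts; earliest detection {first['_ts'].isoformat()} "
          f"SID {first['alert']['signature_id']}")
    for sid, e in summarize_by_signature(filter_by_severity(alerts, 2)).items():
        print(f"SID {sid} sev {e['severity']} x{e['count']} "
              f"{e['first_seen'].time()} -> {e['last_seen'].time()} {sorted(e['pairs'])}")
```

Running the script prints the earliest alert (the severity-2 policy hit at 14:03:59, which is not the first line in the file) and a per-SID summary of the severity 1 and 2 alerts, with the informational severity-3 record dropped by the filter. In a real investigation the same grouping is what you would pivot from into the packet capture or flow records via `flow_id`.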

Tools Required

Suricata, Snort, SIEM (Splunk, Elastic), Sguil