Learning Network Forensics

By : Samir Datt
Overview of this book

We live in a highly networked world. Every digital device, whether phone, tablet, or computer, is connected to the others in one way or another. In this new age of connected networks, there is network crime. Network forensics is the brave new frontier in which digital investigators and information security professionals extend their abilities to catch miscreants on the network. The book starts with an introduction to the world of network forensics and investigations. You will begin by learning how to gather both physical and virtual evidence, intercept and analyze network data and wireless data packets, investigate intrusions, and so on. You will then explore the technology, tools, and investigative methods used in malware forensics, network tunneling, and behavioral analysis. By the end of the book, you will have a complete understanding of how to successfully close a case.

Differentiating between computer forensics and network forensics

Network forensics is a branch of digital forensics. That said, it is significantly different from conventional forensic investigations. It is necessary to highlight the differences so that they are clear in the network investigator's mind.

Unlike other areas of digital forensics, network forensic investigations deal with volatile and dynamic information. Disk or computer forensics primarily deals with data at rest. The simplified normal process is to identify the media that is to be investigated, create and authenticate a forensic image, identify the different artifacts to be investigated, carry out an in-depth analysis, and follow it up with a report highlighting the findings. Usually, these artifacts can include deleted, misnamed, and hidden files; registry entries; password-protected files; e-mail communications; carved data; and so on. However, all of these represent the state of the system at the time of collection and imaging. This is what we call a post-mortem investigation (this does not include live-memory forensics, which, as the name suggests, is very much alive).

Network forensics, by its very nature, is dynamic. In fact, it would not be possible to conduct a network forensic investigation if prior arrangements had not been made to capture and store network traffic. It is not possible to analyze what transpired in the network flow without having a copy of it. This is similar to having CCTV footage of a particular incident. In its absence, one can only surmise what happened based on other circumstantial evidence. When the actual footage is available, as long as the investigator knows what to look for, the complete incident can be reconstructed and it becomes a lot easier to identify the perpetrator.

Additionally, network forensics involves the analysis of logs. This can be as much art as science.

Logs are usually generated by the various network devices, applications, operating systems in use, and other programmable and intelligent devices on the network. Logs are time-sequenced. They can be quite cryptic in nature, and different devices will describe the same event in different ways. Some operating systems will call a login action a login, whereas another device may call it a log on and a third may call it a user authentication event. The message content and syntax of logs are vendor-specific and may also vary from application to application.
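The vendor-specific vocabulary problem described above is what a log normalizer has to solve before the time-sequenced picture can be assembled. The following is an added example, not code from the book: three constructed log lines in three made-up formats (no real product's syntax is assumed) describe the same kind of event, a user authenticating, and are mapped onto one schema, with outcome words unified and the result ordered by time.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not output of any real product): three devices
# describing a user authenticating, each in its own vocabulary and syntax.
SAMPLE_LOGS = [
    "2023-04-01 09:15:10 | host=win-dc01 | event=logon | account=carol | ip=10.0.0.9 | status=ok",
    "2023-04-01T09:15:02Z fw01 login user=alice src=10.0.0.5 result=success",
    "Apr 01 2023 09:14:58 vpn-gw: User authentication event for bob from 198.51.100.7: FAILED",
]

# One regex and timestamp format per device format; every regex captures
# the same named groups so the rest of the code never sees vendor details.
FORMATS = [
    (re.compile(r"^(?P<ts>\S+Z) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<status>\S+)$"),
     "%Y-%m-%dT%H:%M:%SZ"),
    (re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+): User authentication event for (?P<user>\S+) from (?P<src>\S+): (?P<status>\w+)$"),
     "%b %d %Y %H:%M:%S"),
    (re.compile(r"^(?P<ts>\S+ \S+) \| host=(?P<host>\S+) \| event=logon \| account=(?P<user>\S+) \| ip=(?P<src>\S+) \| status=(?P<status>\S+)$"),
     "%Y-%m-%d %H:%M:%S"),
]

# Vendor-specific outcome words mapped onto one vocabulary.
STATUS_MAP = {"success": "success", "ok": "success", "failed": "failure", "failure": "failure"}

def normalize(line):
    """Map one raw line to the common schema; return None if no format matches."""
    for regex, ts_fmt in FORMATS:
        m = regex.match(line)
        if m is None:
            continue
        # All three sample devices are assumed to log in UTC.
        ts = datetime.strptime(m["ts"], ts_fmt).replace(tzinfo=timezone.utc)
        return {
            "ts": ts,
            "host": m["host"],
            "event": "authentication",  # login / log on / user authentication event -> one name
            "user": m["user"],
            "src": m["src"],
            "status": STATUS_MAP.get(m["status"].lower(), "unknown"),
        }
    return None

def build_timeline(lines):
    """Normalize every recognized line and order the events by time."""
    events = [e for e in map(normalize, lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_LOGS):
        print(e["ts"].isoformat(), e["host"], e["event"], e["user"], e["src"], e["status"])
```

Lines in a format the normalizer does not know are dropped rather than guessed at, which keeps an unrecognized device from silently corrupting the timeline.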

Disk forensics does not have these sorts of intricacies. While logs exist there too and also vary across applications and operating systems, disk forensics does not depend on logs nearly as heavily as network forensics does.

That said, disk, network, and memory forensics all go hand in hand. Most investigations of reasonable magnitude involve at least a few, if not all, of the disciplines of digital forensics.

In fact, a case where disk forensics is not used in an investigation could be considered equivalent to a conventional case where CCTV evidence has been overlooked.