https://www.sans.org/reading-room/whitepapers/modeling/building-forensically-capable-network-infrastructure-37212