recently I've been struggling with the subject of "detection network forensic investigations". The point is for an attacker to recognize when an environment is being monitored. Clues for the attacker are, for example, runtime errors that should indicate monitoring. I have already examined the recording technique (SPAN, TAP, sniffing) and unfortunately I cannot imagine how an attacker in the LAN can raise suspicions of a forensic examination. I also looked at it with Netflow without success. Do you have any ideas on the subject? a literature that can possibly explain the process better to me? Thanks for your support.