Abstract:
Network firewalls and intrusion detection and prevention devices or software are crucial parts of today's networks. However, security breaches still can and do happen. They can originate from malicious users of on-site devices or from any other point in local or remote networks. Often, a single compromised host is the source of further and more devastating attacks. After a breach occurs, or there is reasonable doubt that it occurred, it is important to perform forensic analysis. The analysis can potentially discover the type of the attack, how long it lasted, the range of affected hosts, the scale of the attack, or sometimes even the intruders. In this paper, we explore a network forensic analysis workflow, including evidence collection and analysis steps. We present a common analysis tool and its usage and perform an example analysis based on actual packet captures and intrusion detection system logs, following a successful breach of security measures and host infection. The paper presents a realistic example of forensic analysis based on Snort alerts; the rest of the investigation is conducted with the help of Wireshark, with which we recover various useful pieces of information about the infected host.
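To make the abstract's "how long it lasted, the range of affected hosts, the scale of the attack" concrete, here is an added example, not code from the paper, that parses constructed Snort `alert_fast`-style lines and derives the alert timeline, the affected internal hosts, the internal hosts that originate alerts (candidates for the single compromised host the abstract describes), and the external peers. The sample lines, signature IDs, the internal network and the year are all assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed alert lines in Snort alert_fast style; SIDs, hosts and messages are made up.
SAMPLE_ALERTS = """\
05/23-14:01:02.117534  [**] [1:1000001:1] CONSTRUCTED Exploit kit landing page [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:80 -> 10.0.0.5:49152
05/23-14:01:09.402118  [**] [1:1000002:1] CONSTRUCTED Malware payload download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.7:80 -> 10.0.0.5:49153
05/23-14:03:41.008230  [**] [1:1000003:1] CONSTRUCTED C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 198.51.100.20:443
05/23-14:09:55.771900  [**] [1:1000004:1] CONSTRUCTED SMB lateral movement attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:49170 -> 10.0.0.9:445
05/23-14:10:12.334411  [**] [1:1000004:1] CONSTRUCTED SMB lateral movement attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:49171 -> 10.0.0.12:445
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text, year=2022):
    """Parse alert_fast lines; the format carries no year, so the caller supplies it (assumed 2022)."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m is None:
            continue  # blank or non-alert line: skip rather than abort the whole file
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year}/{ev['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        events.append(ev)
    return events

def summarize(events, internal_net="10.0.0.0/24"):
    """Timeline, affected internal hosts, and which internal hosts *originate* alerts (assumed internal range)."""
    net = ipaddress.ip_network(internal_net)
    is_internal = lambda ip: ipaddress.ip_address(ip) in net
    by_ip = lambda ips: sorted(ips, key=ipaddress.ip_address)  # numeric, not lexical, ordering
    ts = [e["ts"] for e in events]
    hosts = {ip for e in events for ip in (e["src"], e["dst"])}
    return {
        "first": min(ts), "last": max(ts),
        "duration_s": (max(ts) - min(ts)).total_seconds(),
        "internal_hosts": by_ip(h for h in hosts if is_internal(h)),
        "internal_sources": by_ip({e["src"] for e in events if is_internal(e["src"])}),
        "external_peers": by_ip(h for h in hosts if not is_internal(h)),
        "top_signatures": Counter(e["msg"] for e in events).most_common(3),
    }
```

Calling `summarize(parse_alerts(SAMPLE_ALERTS))` gives a starting point for the Wireshark stage: the internal source host and the external peers are the addresses to filter the packet capture on.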
Published in: 2022 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO)
Date of Conference: 23-27 May 2022
Date Added to IEEE Xplore: 27 June 2022