During an investigation, a security analyst discovers traffic going out to a command-and-control server. The analyst must find out if any data exfiltration has occurred. Which of the following would best help the analyst determine this?

Application logs record events and actions performed by software applications, including errors and usage statistics. While they can provide insight into application behavior and user interactions, they do not typically capture lower-level network traffic or data contents sent to external servers, making them insufficient for detecting data exfiltration.

Metadata provides information about data, such as its origin, format, and timestamps, but it does not include the actual content of data packets. While useful for contextual understanding, metadata alone does not reveal whether sensitive data has been transmitted to a command-and-control server, limiting its effectiveness in investigating data exfiltration.

Network logs track connections and traffic patterns, offering valuable information about network activity. However, they usually do not capture the actual payload of the data being sent, which is necessary to determine if sensitive information was exfiltrated. Therefore, network logs alone may not provide definitive evidence of data exfiltration.