Network forensics

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Contents  [hide] 1 Open Source Network Forensics 2 Commercial Network Forensics 2.1 Deep-Analysis Systems 2.2 Flow-Based Systems 2.3 Hybrid Systems 3 Tips and Tricks 4 See also

Open Source Network Forensics

• Wireshark
• Kismet
• Snort
• Argus
• OSSEC
• NetworkMiner is an open source Network Forensics Tool available at SourceForge
• Xplico is an Internet/IP Traffic Decoder (NFAT). Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...
• DataEcho
• ntop
• Chaosreader is a session reconstruction tool (supports both live or captured network traffic)
• NetFSE is a web-based search and analysis application for high-volume network data available at NetFSE.org

Commercial Network Forensics

Deep-Analysis Systems

• WildPackets OmniPeek [1] [2]
• E-Detective [3] [4]
• Code Green Networks Content Inspection Appliance - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
• NETRESEC NetworkMiner Professional (portable network forensic analysis tool for Windows)
• NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics NetWitness
• Network Instruments [5]
• NIKSUN's NetDetector
• PacketMotion [6]
• Sandstorm's NetIntercept - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
• Mera Systems NetBeholder
• InfoWatch Traffic Monitor
• MFI Soft SORMovich (in Russian)
• Solera Networks - Provider of full packet capture network forensics appliances Solera Networks

Flow-Based Systems

• Arbor Networks
• GraniteEdge Networks
• Lancope http://www.lancope.com/
• Mantaro Product Development Services http://www.mantaro.com/products/MNIS/index.htm
• Mazu Networks http://www.mazunetworks.com/

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

• Q1 Labs http://www.q1labs.com/

Tips and Tricks

• The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also

• Wireless forensics
• SSL forensics

• IP geolocation
• Tools:Network Forensics
• Tools:Logfile Analysis