Difference between revisions of "Network forensics"

From ForensicsWiki
Jump to: navigation, search
(Open Source Network Forensics)
Line 1: Line 1:
 
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
 
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
  
There are both open source and proprietary network forensics systems available.  
+
There are both open source and proprietary network forensics systems available.
 +
 
 +
== General ==
 +
 
 +
<!--
 +
 
 +
  PLEASE DO NOT ADD ENTRIES THAT DO NOT HAVE AN ARTICLE.
 +
 
 +
  Please keep these in alphabetical order.
 +
 
 +
  When updating any table, please update all tables as appropriate.
 +
 
 +
-->
 +
 
 +
{| class="wikitable sortable" style="width: auto; font-size: smaller"
 +
|-
 +
! System
 +
! [[software license|License]]
 +
! User Interface
 +
! Supported Platform
 +
! Supported Protocols
 +
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 +
|-
 +
| [[Argus]]
 +
| [[Open Source]]
 +
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
 +
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
 +
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
 +
|
 +
|-
 +
| [[Bontq]]
 +
| Proprietary, hosted. Available for free for [[open source]] projects
 +
| [[PHP]], [[Java (programming language)|Java]]
 +
| [[PostgreSQL]]
 +
| 2010
 +
|
 +
|-
 +
| [[Zoho Office Suite#Zoho BugTracker|Zoho BugTracker]]
 +
| [[Proprietary software|Proprietary]]
 +
| [[Java (programming language)|Java]]
 +
| [[MySQL]]
 +
| 2011
 +
|
 +
|- class="sortbottom"
 +
! System
 +
! [[software license|License]]
 +
! User Interface
 +
! Supported Platform
 +
! Supported Protocols
 +
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 +
|}
 +
 
  
 
== Open Source Network Forensics ==
 
== Open Source Network Forensics ==

Revision as of 21:59, 17 March 2013

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

General

System License User Interface Supported Platform Supported Protocols Refs
Argus Open Source Command Line /GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
Bontq Proprietary, hosted. Available for free for open source projects PHP, Java PostgreSQL 2010
Zoho BugTracker Proprietary Java MySQL 2011
System License User Interface Supported Platform Supported Protocols Refs


Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also