ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Network forensics" and "File:ABCOpen.JPG"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Flow-Based Systems)
Line 1: Line 1:
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
There are both open source and proprietary network forensics systems available.
== Open Source Network Forensics ==
* [[Snort]]
* [[OSSEC]]
== Commercial Network Forensics ==
===Deep-Analysis Systems===
* Code Green Networks [ Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Simple to us Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
* ManTech International Corporation [ NetWitness]
* NIKSUN's [[NetDetector]]
* PacketMotion []
* Sandstorm's [ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
===Flow-Based Systems===
* Arbor Networks
* GraniteEdge Networks
* Lancope
* Mazu Networks
===Hybrid Systems===
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
* Q1 Labs
== Tips and Tricks ==
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

Revision as of 03:36, 8 December 2008