Difference between pages "Network forensics" and "Virtual Hard Disk (VHD)"

From Forensics Wiki
= Network forensics =

'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.

{{expand}}

There are both open source and proprietary network forensics systems available.

== Open Source Network Forensics ==

* [[Wireshark]]
* [[Kismet]]
* [[Snort]]
* [[Argus]]
* [[OSSEC]]
* [[NetworkMiner]] is [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner an open source network forensics tool available at SourceForge]
* [[Xplico]] is an Internet/IP traffic decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
* [[DataEcho]]
* [[ntop]]
* [[Chaosreader]] is a session reconstruction tool (supports both live and captured network traffic)
* [[NetFSE]] is a web-based search and analysis application for high-volume network data, [http://www.netfse.org available at NetFSE.org]

== Commercial Network Forensics ==

=== Deep-Analysis Systems ===

* WildPackets [[OmniPeek]] [http://www.wildpackets.com/solutions/it_solutions/network_forensics] [http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer/forensics_search]
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy-to-use web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
* NETRESEC [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional] (portable network forensic analysis tool for Windows)
* NetWitness Corporation - Freeware/commercial, enterprise-wide, real-time network forensics [http://www.netwitness.com/ NetWitness]
* Network Instruments [http://www.networkinstruments.com/]
* NIKSUN's [[NetDetector]]
* PacketMotion [http://www.packetmotion.com/]
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
* Mera Systems [http://netbeholder.com/ NetBeholder]
* [http://www.infowatch.com InfoWatch Traffic Monitor]
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
* Solera Networks - Provider of full packet capture network forensics appliances [http://www.soleranetworks.com/ Solera Networks]

=== Flow-Based Systems ===

* Arbor Networks
* GraniteEdge Networks
* Lancope http://www.lancope.com/
* Mazu Networks http://www.mazunetworks.com/

=== Hybrid Systems ===

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

* Q1 Labs http://www.q1labs.com/

== Tips and Tricks ==

* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
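The timing heuristic in the tip above, applied to a few log lines, as an added example that is not code from the wiki page. The auth-log line format, host names and IP addresses are constructed sample data, and the one-second threshold is an assumed cut-off, not a value from the page.

```python
"""Inter-event timing heuristic: sources whose consecutive events are separated
by well under a second are flagged as likely automated (assumed threshold)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: a rapid burst from 203.0.113.5 and a slow session from 198.51.100.7
SAMPLE_LOG = """\
2012-09-19T13:19:00.102 sshd[2101]: Failed password for root from 203.0.113.5 port 40112
2012-09-19T13:19:00.347 sshd[2101]: Failed password for root from 203.0.113.5 port 40113
2012-09-19T13:19:00.590 sshd[2101]: Failed password for admin from 203.0.113.5 port 40114
2012-09-19T13:19:00.844 sshd[2101]: Failed password for admin from 203.0.113.5 port 40115
2012-09-19T13:19:05.000 sshd[2108]: Failed password for alice from 198.51.100.7 port 51002
2012-09-19T13:19:41.250 sshd[2108]: Failed password for alice from 198.51.100.7 port 51003
2012-09-19T13:20:19.700 sshd[2108]: Accepted password for alice from 198.51.100.7 port 51004
"""

# Assumed line shape: ISO timestamp, process tag, message, "from <ip> port <n>"
LINE_RE = re.compile(r"^(\S+) \S+ (.*) from (\d+\.\d+\.\d+\.\d+) port \d+$")


def parse_events(text):
    """Return {source_ip: [timestamps]} in the order the lines appear."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the assumed format are ignored
        events[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    return events


def classify_sources(text, max_human_gap=1.0):
    """Per source IP: median seconds between consecutive events and a verdict.
    A median gap below max_human_gap is treated as evidence of a script; a
    source with a single event has no interval to measure and gets no verdict."""
    out = {}
    for ip, stamps in parse_events(text).items():
        if len(stamps) < 2:
            out[ip] = {"median_gap": None, "verdict": "insufficient events"}
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        verdict = "likely scripted" if med < max_human_gap else "plausibly human"
        out[ip] = {"median_gap": round(med, 3), "verdict": verdict}
    return out


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```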
== See also ==

* [[Wireless forensics]]
* [[SSL forensics]]
* [[IP geolocation]]
* [[Tools:Network Forensics]]
* [[Tools:Logfile Analysis]]

[[Category:Network Forensics]]

Revision as of 13:19, 19 September 2012

Virtual Hard Disk (VHD)

The Virtual Hard Disk (VHD) format commonly uses the .vhd extension.

This format is used to store virtual disk images by:

  • Microsoft Virtual PC
  • Microsoft Virtual Server
  • Microsoft Hyper-V Server


Image types

There are multiple types of Virtual Hard Disk (VHD) images:

  • Fixed-size hard disk image; the image contains all data
  • Dynamic-size (or sparse) hard disk image; the image contains used data only
  • Differential (or differencing, or delta) hard disk image; the image contains changes relative to its parent image

Snapshots

Hyper-V has functionality to create snapshots.

These snapshots are stored in Snapshot Differencing Disk (AVHD) files, which commonly use the .avhd extension.

Snapshots can be interdependent, because each one is a differential image of the previous snapshot.

Windows integration

"Disk Management" in (at least) Windows 7 supports attaching and creating fixed and dynamic VHD image files.
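To tell the three image types apart on disk, and to check that the footer an image carries is intact, a footer inspection routine is added here as an example; it is not code from the wiki page or from the libvhdi project. The field layout and the ones'-complement checksum follow Microsoft's Virtual Hard Disk Image Format Specification; the footers built below are constructed sample data, not taken from a real image.

```python
"""Inspect the 512-byte footer at the end of a VHD image: image type, size,
checksum validity, and whether a parent chain (differencing image) exists."""
import struct
import uuid

# Big-endian footer fields per the VHD specification: cookie, features, version,
# data offset, timestamp, creator app, creator version, creator host OS,
# original size, current size, geometry, disk type, checksum, unique id,
# saved state, reserved (427 bytes) = 512 bytes in total.
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF            # fixed images have no dynamic header
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}


def footer_checksum(raw):
    """Ones' complement of the byte sum with the checksum field (offset 64) zeroed."""
    zeroed = raw[:64] + b"\0\0\0\0" + raw[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_footer(disk_type, size_bytes, data_offset=NO_DATA_OFFSET):
    """Construct a minimal valid footer (sample data for the demonstration only)."""
    fields = [b"conectix", 2, 0x00010000, data_offset, 0, b"vpc ", 0x00050000,
              b"Wi2k", size_bytes, size_bytes, 0, disk_type, 0,
              uuid.uuid4().bytes, 0, b"\0" * 427]
    fields[12] = footer_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


def inspect_footer(image_bytes):
    """Parse the trailing 512 bytes of an image and report what a forensic
    triage needs: type, logical size, checksum state and parent-chain presence."""
    raw = image_bytes[-512:]
    f = struct.unpack(FOOTER_FMT, raw)
    if f[0] != b"conectix":
        raise ValueError("no VHD footer cookie: not a VHD, or the footer is truncated")
    disk_type = DISK_TYPES.get(f[11], "reserved/unknown")
    return {
        "type": disk_type,
        "current_size": f[9],
        # a checksum mismatch means the footer was altered or damaged after creation
        "checksum_ok": f[12] == footer_checksum(raw),
        # dynamic and differencing images keep a dynamic-disk header at data_offset;
        # for a differencing image that header names the parent of the chain
        "data_offset": None if f[3] == NO_DATA_OFFSET else f[3],
        "has_parent_chain": disk_type == "differencing",
    }
```

A differencing image (an .avhd snapshot file, for instance) cannot be read on its own, so `has_parent_chain` is the cue to locate and verify every parent before interpreting the file system inside.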

See Also

  • Disk Images

External Links

  • VHD (file format), by Wikipedia: http://en.wikipedia.org/wiki/VHD_(file_format)
  • Virtual Hard Disk Image Format Specification, by Microsoft, October 2006: http://technet.microsoft.com/en-us/library/bb676673.aspx
  • Virtual Hard Disk (VHD) image format, by the libvhdi project, September 2012: http://code.google.com/p/libvhdi/downloads/detail?name=Virtual%20Hard%20Disk%20%28VHD%29%20image%20format.pdf

Snapshots

  • Hyper-V Concepts - Snapshots: http://social.technet.microsoft.com/wiki/contents/articles/670.hyper-v-concepts-snapshots.aspx
  • Virtual Machine Snapshotting under Hyper-V: http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/03/11/virtual-machine-snapshotting-under-hyper-v.aspx
  • Hyper-V SnapShot Files – AVHD and VHD? What The ?: http://www.msserveradmin.com/hyper-v-snapshot-files-avhd-and-vhd-what-the/
  • Manually Merge .avhd to .vhd in Hyper-V: http://social.technet.microsoft.com/wiki/contents/articles/6257.manually-merge-avhd-to-vhd-in-hyper-v.aspx

Category: File Formats