Difference between pages "Bibliography" and "Network forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Disk Disposal and Data Recovery)
 
(Open Source Network Forensics)
 
Line 1: Line 1:
=Disk Disposal and Data Recovery=
+
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
+
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
+
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
+
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
+
  
=Evidence Gathering=
+
There are both open source and proprietary network forensics systems available.
  
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
+
== Open Source Network Forensics ==
  
=Fake Information=
+
* [[Snort]]
 +
* [[OSSEC]]
 +
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...].
  
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
+
== Commercial Network Forensics ==
 +
===Deep-Analysis Systems===
 +
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Simple to us Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
 +
* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
 +
* Network Instruments [http://www.networkinstruments.com/]
 +
* NIKSUN's [[NetDetector]]
 +
* PacketMotion [http://www.packetmotion.com/]
 +
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
  
=Other Papers=
+
===Flow-Based Systems===
 +
* Arbor Networks
 +
* GraniteEdge Networks http://www.graniteedgenetworks.com/
 +
* Lancope http://www.lancope.com/
 +
* Mazu Networks http://www.mazunetworks.com/
  
* [http://citeseer.ist.psu.edu/shanmugasundaram03automatic.html  Automatic Reassembly of Document Fragments via Context Based Statistical Models], Kulesh Shanmugasundaram and Nasir Memon.
+
===Hybrid Systems===
 +
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
 +
* Q1 Labs  http://www.q1labs.com/
  
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
+
== Tips and Tricks ==
 +
 
 +
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

Revision as of 08:59, 26 May 2008

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

  • Code Green Networks Content Inspection Appliance - Passive monitoring and mandatory proxy mode. Simple to us Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
  • ManTech International Corporation NetWitness
  • Network Instruments [1]
  • NIKSUN's NetDetector
  • PacketMotion [2]
  • Sandstorm's NetIntercept - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.