Difference between pages "Upcoming events" and "Network forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
(Flow-Based Systems)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
There are both open source and proprietary network forensics systems available.
  
This listing is divided into three sections (described as follows):<br>
+
== Overview ==
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
+
  
== Calls For Papers ==
+
<!--
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
  PLEASE DO NOT ADD ENTRIES THAT DO NOT HAVE AN ARTICLE.
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|CyberPatterns 2014
+
|Jan 03, 2014
+
|Jan 17, 2014
+
|http://tech.brookes.ac.uk/CyberPatterns2014/CFPCyberpatterns2014.pdf
+
|-
+
|12th International Conference on Applied Cryptography and Network Security
+
|Jan 10, 2014
+
|Mar 14, 2014
+
|http://acns2014.epfl.ch/callpapers.php
+
|-
+
|9th Annual Conference on Digital Forensics, Security and Law
+
|Jan 15, 2014
+
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|2nd ACM Workshop on Information Hiding and Multimedia Security
+
|Jan 17, 2014
+
|Mar 31, 2014
+
|http://www.ihmmsec.org/index.php/cfp
+
|-
+
|USENIX Annual Technical Conference
+
|Jan 28, 2014
+
|Apr 07, 2014
+
|https://www.usenix.org/conference/atc14/call-for-papers
+
|-
+
|Audio Engineering Society (AES) Conference on Audio Forensics
+
|Jan 31, 2014
+
|Mar 15, 2014
+
|http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
+
|-
+
|DFRWS - USA 2014
+
|Feb 13, 2014
+
|Apr 07, 2014
+
|http://dfrws.org/2014/cfp.shtml
+
|-
+
|}
+
  
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
+
  Please keep these in alphabetical order.
  
== Conferences ==
+
  When updating any table, please update all tables as appropriate.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
 
|- style="background:#bfbfbf; font-weight: bold"
+
-->
! width="40%"|Title
+
 
! width="20%"|Date/Location
+
{| class="wikitable sortable" style="width: auto; font-size: smaller"
! width="40%"|Website
+
 
|-
 
|-
|IFIP WG 11.9 International Conference on Digital Forensics
+
! System
|Jan 08-10<br>Vienna, Austria
+
! [[software license|License]]
|http://www.ifip119.org/Conferences/
+
! User Interface
 +
! Supported Platform
 +
! Supported Protocols
 +
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 +
|
 +
|
 
|-
 
|-
|AAFS 66th Annual Scientific Meeting
+
| [[Argus]]
|Feb 17-22<br>Seattle, WA, USA
+
| [[Open Source]]
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
+
| Command Line, GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
 +
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
 +
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
 +
|
 +
|
 
|-
 
|-
|21st Network & Distributed System Security Symposium
+
| [[Chaosreader]]
|Feb 23-26<br>San Diego, CA, USA
+
| [[Open Source]]
|http://www.internetsociety.org/events/ndss-symposium
+
| Command Line, GUI
 +
| Solaris, RedHat, Windows
 +
| FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
 +
|
 +
|
 
|-
 
|-
|Fourth ACM Conference on Data and Application Security and Privacy 2014
+
| [[DataEcho]]
|Mar 03-05<br>San Antonio, TX, USA
+
| [[Open Source]]
|http://www1.it.utsa.edu/codaspy/
+
| GUI
 +
| Windows
 +
| www, http
 +
|
 +
|
 
|-
 
|-
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
+
| [[Junkie]]
|Mar 24-25<br>West Lafayette, IN, USA
+
| [[Open Source]]
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
+
| GUI
 +
| unknown
 +
| unknown
 +
|
 +
|
 
|-
 
|-
|CyberPatterns 2014
+
| [[kisMAC]]
|Apr 11<br>Oxford, United Kingdom
+
| [[Open Source]]
|http://tech.brookes.ac.uk/CyberPatterns2014/
+
| GUI
 +
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
 +
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
 +
|
 +
|
 
|-
 
|-
|US Cyber Crime Conference 2014
+
| [[kismet]]
|Apr 29-May 02<br>Leesburg, VA
+
| [[Open Source]]
|http://www.usacybercrime.com/
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
 +
| Mac OS X
 +
| unknown
 +
|
 
|-
 
|-
|DFRWS-Europe 2014
+
| [[n2disk]]
|May 07-09<br>Amsterdam, Netherlands
+
| [[Open Source]]
|http://dfrws.org/2014eu/index.shtml
+
| Command Line, GUI
 +
| Ubuntu, CentOS
 +
| unknown
 +
|
 +
|
 
|-
 
|-
|8th International Conference on IT Security Incident Management & IT Forensics
+
| [[net-sniff-ng]]
|May 12-14<br>Muenster, Germany
+
| [[Open Source]]
|http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/
+
| unknown
 +
| unknown
 +
| unknown
 +
|
 +
|
 
|-
 
|-
|2014 IEEE Symposium on Security and Privacy
+
| [[netfse]]
|May 16-23<br>Berkley, CA, USA
+
| [[Open Source]]
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
+
| GUI
 +
| unknown
 +
| TCP/IP, UDP
 +
|
 +
|
 
|-
 
|-
|9th ADFSL Conference on Digital Forensics, Security and Law
+
| [[netsleuth]]
|May 28-29<br>Richmond, VA
+
| [[Open Source]]
|http://www.digitalforensics-conference.org/
+
| Command Line, GUI
 +
| Windows, [[Backtrack]]
 +
| Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
 +
|
 +
|
 
|-
 
|-
|Techno-Security and Forensics Conference
+
| [[NetworkMiner]]
|Jun 01-04<br>Myrtle Beach, SC, USA
+
| [[Open Source]]
|http://www.techsec.com/html/Security%20Conference%202014.html
+
| Windows GUI, Commandline
 +
| Linux / Mac OS X / FreeBSD, Windows
 +
| http, smb, ftp, tfpt, ssl , tls, tor
 +
|
 +
|
 
|-
 
|-
|Mobile Forensics World
+
| [[ntop]]
|Jun 01-04<br>Myrtle Beach, SC, USA
+
| [[Open Source]]
|http://www.techsec.com/html/MFC-2014-Spring.html
+
| Command Line, GUI
 +
| Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows
 +
| DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
 +
|
 +
|
 +
|
 
|-
 
|-
|12th International Conference on Applied Cryptography and Network Security
+
| [[OSSEC]]
|Jun 10-13<br>Lausanne, Switzerland
+
| [[Open Source]]
|http://acns2014.epfl.ch/
+
| Command Line, GUI
 +
| Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)"
 +
| Unknown
 +
|
 +
|
 
|-
 
|-
|2nd ACM Workshop on Information Hiding and Multimedia Security
+
| [[Snort]]
|Jun 11-13<br>Salzburg, Austria
+
| [[Open Source]]
|http://www.ihmmsec.org/
+
| Command Line, GUI
 +
| Linux, Windows
 +
| Unknown
 +
|
 +
|  
 
|-
 
|-
|54th Conference on Audio Forensics
+
| [[Wireshark]]
|Jun 12-14<br>London, England
+
| [[Open Source]]
|http://www.aes.org/conferences/54/
+
| Command Line, GUI
|-
+
| Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others
|2014 USENIX Annual Technical Conference
+
| IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others
|Jun 19-20<br>Philadelphia, PA, USA
+
|
|https://www.usenix.org/conference/atc14
+
|
|-
+
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
+
|Jun 23-26<br>Atlanta, GA, USA
+
|http://www.dsn.org/
+
|-
+
|Symposium On Usable Privacy and Security (SOUPS) 2014
+
|Jul 09-11<br>Menlo Park, CA, USA
+
|http://cups.cs.cmu.edu/soups/2013/
+
|-
+
|Black Hat USA 2014
+
|Aug 02-07<br>Las Vegas, NV, USA
+
|https://www.blackhat.com
+
|-
+
|DFRWS 2014
+
|Aug 03-06<br>Denver, CO, USA
+
|http://dfrws.org/2014/index.shtml
+
|-
+
|RCFG GMU 2014
+
|Aug 04-08<br>Fairfax, VA, USA
+
|http://www.rcfg.org/gmu/
+
|-
+
|23rd USENIX Security Symposium
+
|Aug 20-22<br>San Diego, CA, USA
+
|https://www.usenix.org/conferences
+
|-
+
|25th Annual Conference & Digital Multimedia Evidence Training Symposium
+
|Oct 06-10<br>Coeur d’Alene, ID, USA
+
|http://www.leva.org/annual-training-conference/
+
 
|-
 
|-
 +
| [[xplico]]
 +
| [[Open Source]]
 +
| Command Line, GUI
 +
| Linux
 +
| ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
 +
| Unknown
 +
|
 +
|
 +
|- class="sortbottom"
 +
! System
 +
! [[software license|License]]
 +
! User Interface
 +
! Supported Platform
 +
! Supported Protocols
 +
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
 
|}
 
|}
  
==See Also==
+
== Open Source Network Forensics ==
* [[Training Courses and Providers]]
+
* [[Argus]]
==References==
+
* [[Bulk Extractor]] [https://github.com/simsong/bulk_extractor]
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
* [[DataEcho]]
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
* [[FlowGREP]] is a basic IDS/IPS tool written in python [http://www.monkey.org/~jose/software/flowgrep/]
 +
* [[KisMAC]] is a free, open source wireless stumbling and security tool for Mac OS X. [http://kismac-ng.org]
 +
* [[Kismet]]
 +
* [[logstash]] is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs. [http://logstash.net/]
 +
 
 +
* [[log2Timeline]] a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts. [https://code.google.com/p/log2timeline/]
 +
* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]
 +
* [http://www.netgrab.co.uk NetSleuth] is a live and retrospective network analysis and triage tool.
 +
* [[ntop]]
 +
* [[NetGREP]] is a command line tool which tells you which lines in a text file contain network resources related to a particular country or Autonomous Network (AS) [https://pypi.python.org/pypi/netgrep/]
 +
* [[NetworkMiner]] is [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner an open source Network Forensics Tool available at SourceForge]
 +
* [[OSSEC]]
 +
* [[Plaso]] (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines [http://plaso.kiddaland.net/]
 +
 
 +
* [[RegRipper]] is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis [http://regripper.wordpress.com/]
 +
* [[Snort]]
 +
* [[Wireshark]]
 +
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
 +
 
 +
== Commercial Network Forensics ==
 +
 
 +
===Deep-Analysis Systems===
 +
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
 +
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
 +
* [http://www.infowatch.com InfoWatch Traffic Monitor]
 +
* Mera Systems [http://netbeholder.com/ NetBeholder]
 +
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
 +
* Solera Networks - Provider of full packet capture network forensics appliances [http://www.soleranetworks.com/ Solera Networks]
 +
* NETRESEC [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional (portable network forensic analysis tool for Windows)]
 +
* NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics [http://www.netwitness.com/ NetWitness]
 +
* Network Instruments [http://www.networkinstruments.com/]
 +
* NIKSUN's [[NetDetector]]
 +
* PacketMotion [http://www.packetmotion.com/]
 +
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
 +
* WildPackets [[OmniPeek]] [http://www.wildpackets.com/solutions/it_solutions/network_forensics] [http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer/forensics_search]
 +
* [[Xplico]] [http://www.xplico.org/]
 +
 
 +
===Flow-Based Systems===
 +
* Arbor Networks
 +
* CapAnalysis [http://www.capanalysis.net/]
 +
* GraniteEdge Networks
 +
* Lancope http://www.lancope.com/
 +
* Mantaro Product Development Services http://www.mantaro.com/products/MNIS/index.htm
 +
* Mazu Networks http://www.mazunetworks.com/
 +
 
 +
===Hybrid Systems===
 +
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
 +
* Q1 Labs  http://www.q1labs.com/
 +
 
 +
== Tips and Tricks ==
 +
 
 +
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
 +
 
 +
== See also ==
 +
* [[Wireless forensics]]
 +
* [[SSL forensics]]
 +
 
 +
* [[IP geolocation]]
 +
* [[Tools:Network Forensics]]
 +
* [[Tools:Logfile Analysis]]
 +
 
 +
[[Category:Network Forensics]]

Revision as of 08:10, 22 December 2013

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Overview

System License User Interface Supported Platform Supported Protocols Refs
Argus Open Source Command Line, GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
Chaosreader Open Source Command Line, GUI Solaris, RedHat, Windows FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
DataEcho Open Source GUI Windows www, http
Junkie Open Source GUI unknown unknown
kisMAC Open Source GUI Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
kismet Open Source Command Line /GUI via ArgusEye Mac OS X unknown
n2disk Open Source Command Line, GUI Ubuntu, CentOS unknown
net-sniff-ng Open Source unknown unknown unknown
netfse Open Source GUI unknown TCP/IP, UDP
netsleuth Open Source Command Line, GUI Windows, Backtrack Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
NetworkMiner Open Source Windows GUI, Commandline Linux / Mac OS X / FreeBSD, Windows http, smb, ftp, tfpt, ssl , tls, tor
ntop Open Source Command Line, GUI Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
OSSEC Open Source Command Line, GUI Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)" Unknown
Snort Open Source Command Line, GUI Linux, Windows Unknown
Wireshark Open Source Command Line, GUI Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others
xplico Open Source Command Line, GUI Linux ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio). Unknown
System License User Interface Supported Platform Supported Protocols Refs

Open Source Network Forensics

  • Argus
  • Bulk Extractor [1]
  • Chaosreader is a session reconstruction tool (supports both live or captured network traffic)
  • DataEcho
  • FlowGREP is a basic IDS/IPS tool written in python [2]
  • KisMAC is a free, open source wireless stumbling and security tool for Mac OS X. [3]
  • Kismet
  • logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs. [4]
  • log2Timeline a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts. [5]
  • NetFSE is a web-based search and analysis application for high-volume network data available at NetFSE.org
  • NetSleuth is a live and retrospective network analysis and triage tool.
  • ntop
  • NetGREP is a command line tool which tells you which lines in a text file contain network resources related to a particular country or Autonomous Network (AS) [6]
  • NetworkMiner is an open source Network Forensics Tool available at SourceForge
  • OSSEC
  • Plaso (plaso langar að safna öllu) is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines [7]

Commercial Network Forensics

Deep-Analysis Systems

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also