Difference between pages "Email Headers" and "Network forensics"

Revision as of 15:38, 14 April 2006

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Open Source Network Forensics

Snort

Proprietary Network Forensics

Sandstorm's NetIntercept
NIKSUN's NetDetector
ManTech International Corporation NetWitness

Tips and Tricks

The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

@@ Line 1: / Line 1: @@
-'''Email Headers''' are lines of [[metadata]] attached to each [[email]] that contain lots of useful information for a [[forensic investigator]]. However, email headers can be easily forged, so they should never be used as the only source of information.
+'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
-== Example ==
+There are both open source and proprietary network forensics systems available.
-This is an (incomplete) excerpt from an email header:
+== Open Source Network Forensics ==
- Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
+* [[Snort]]
-         by outgoing2.securityfocus.com (Postfix) with QMQP
-         id 7E9971460C9; Mon,  9 Jan 2006 08:01:36 -0700 (MST)
- Mailing-List: contact forensics-help@securityfocus.com; run by ezmlm
- Precedence: bulk
- List-Id: <forensics.list-id.securityfocus.com>
- List-Post: <mailto:forensics@securityfocus.com>
- List-Help: <mailto:forensics-help@securityfocus.com>
- List-Unsubscribe: <mailto:forensics-unsubscribe@securityfocus.com>
- List-Subscribe: <mailto:forensics-subscribe@securityfocus.com>
- Delivered-To: mailing list forensics@securityfocus.com
- Delivered-To: moderator for forensics@securityfocus.com
- Received: (qmail 20564 invoked from network); 5 Jan 2006 16:11:57 -0000
- From: YJesus <yjesus@security-projects.com>
- To: forensics@securityfocus.com
- Subject: New Tool : Unhide
- User-Agent: KMail/1.9
- MIME-Version: 1.0
- Content-Disposition: inline
- Date: Thu, 5 Jan 2006 16:41:30 +0100
- Content-Type: text/plain;
-   charset="iso-8859-1"
- Content-Transfer-Encoding: quoted-printable
- Message-Id: <200601051641.31830.yjesus@security-projects.com>
- X-HE-Spam-Level: /
- X-HE-Spam-Score: 0.0
- X-HE-Virus-Scanned: yes
- Status: RO
- Content-Length: 586
- Lines: 26
-== External Links ==
+== Proprietary Network Forensics ==
-* http://en.wikipedia.org/wiki/Computer_forensics#E-mail_Headers
+* Sandstorm's [[NetIntercept]]
+* NIKSUN's [[NetDetector]]
+* ManTech International Corporation [http://www.netwitness.com/ NetWitness]
+== Tips and Tricks ==
+* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

Difference between pages "Email Headers" and "Network forensics"

Revision as of 15:38, 14 April 2006

Open Source Network Forensics

Proprietary Network Forensics

Tips and Tricks

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox