Difference between revisions of "Network forensics"

From Forensics Wiki
Jump to: navigation, search
m (added Tools:Logfile Analysis)
(removed dead link to GraniteEdge Networks, added InfoWatch Traffic Monitor)
Line 13: Line 13:
  
 
== Commercial Network Forensics ==
 
== Commercial Network Forensics ==
 +
 
===Deep-Analysis Systems===
 
===Deep-Analysis Systems===
 
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
 
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
Line 22: Line 23:
 
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
 
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
 
* Mera Systems [http://netbeholder.com/ NetBeholder]
 
* Mera Systems [http://netbeholder.com/ NetBeholder]
 +
* [http://www.infowatch.com/trafficmonitor InfoWatch Traffic Monitor]
  
 
===Flow-Based Systems===
 
===Flow-Based Systems===
 
* Arbor Networks
 
* Arbor Networks
* GraniteEdge Networks http://www.graniteedgenetworks.com/
+
* GraniteEdge Networks
 
* Lancope http://www.lancope.com/
 
* Lancope http://www.lancope.com/
 
* Mazu Networks http://www.mazunetworks.com/
 
* Mazu Networks http://www.mazunetworks.com/

Revision as of 14:16, 17 October 2008

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Contents

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

  • E-Detective [1] [2]
  • Code Green Networks Content Inspection Appliance - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
  • ManTech International Corporation NetWitness
  • Network Instruments [3]
  • NIKSUN's NetDetector
  • PacketMotion [4]
  • Sandstorm's NetIntercept - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
  • Mera Systems NetBeholder
  • InfoWatch Traffic Monitor

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also