Difference between revisions of "Network forensics"

From Forensics Wiki
Jump to: navigation, search
(Flow-Based Systems)
(Open Source Network Forensics)
Line 16: Line 16:
 
* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)
 
* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)
 
* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]
 
* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]
 +
* [http://www.netgrab.co.uk NetSleuth] is a live and retrospective network analysis and triage tool.
  
 
== Commercial Network Forensics ==
 
== Commercial Network Forensics ==

Revision as of 14:25, 5 February 2012

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Contents

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also