Difference between revisions of "Network forensics"

From ForensicsWiki
Jump to: navigation, search
(General)
(General)
(2 intermediate revisions by the same user not shown)
Line 3: Line 3:
 
There are both open source and proprietary network forensics systems available.
 
There are both open source and proprietary network forensics systems available.
  
== General ==
+
== Overview ==
  
 
<!--
 
<!--
Line 119: Line 119:
 
| DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
 
| DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
 
|
 
|
|  
+
|
 +
|
 
|-
 
|-
 
| [[OSSEC]]
 
| [[OSSEC]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)"
 +
| Unknown
 +
|
 
|  
 
|  
 
|-
 
|-
 
| [[Snort]]
 
| [[Snort]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI  
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Linux, Windows
 +
| Unknown
 +
|
 
|  
 
|  
 
|-
 
|-
 
| [[Wireshark]]
 
| [[Wireshark]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Command Line, GUI
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others
|  
+
| IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others
 +
|
 +
|
 
|-
 
|-
 
| [[xplico]]
 
| [[xplico]]
 
| [[Open Source]]
 
| [[Open Source]]
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Unknown
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| Unknown
|  
+
| ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio).
 
+
| Unknown
 
+
|
 +
|
 
|- class="sortbottom"
 
|- class="sortbottom"
 
! System
 
! System

Revision as of 22:34, 17 March 2013

Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.

There are both open source and proprietary network forensics systems available.

Overview

System License User Interface Supported Platform Supported Protocols Refs
Argus Open Source Command Line, GUI via ArgusEye Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
Chaosreader Open Source Command Line, GUI Solaris, RedHat, Windows FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
DataEcho Open Source GUI Windows www, http
Junkie Open Source GUI unknown unknown
kisMAC Open Source GUI Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
kismet Open Source Command Line /GUI via ArgusEye Mac OS X unknown
n2disk Open Source Command Line, GUI Ubuntu, CentOS unknown
net-sniff-ng Open Source unknown unknown unknown
netfse Open Source GUI unknown TCP/IP, UDP
netsleuth Open Source Command Line, GUI Windows, Backtrack Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
NetworkMiner Open Source Windows GUI, Commandline Linux / Mac OS X / FreeBSD, Windows http, smb, ftp, tfpt, ssl , tls, tor
ntop Open Source Command Line, GUI Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
OSSEC Open Source Command Line, GUI Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)" Unknown
Snort Open Source Command Line, GUI Linux, Windows Unknown
Wireshark Open Source Command Line, GUI Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others
xplico Open Source Unknown Unknown ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio). Unknown
System License User Interface Supported Platform Supported Protocols Refs

Open Source Network Forensics

Commercial Network Forensics

Deep-Analysis Systems

Flow-Based Systems

Hybrid Systems

These systems combine flow analysis, deep analysis, and security event monitoring and reporting.

Tips and Tricks

  • The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.

See also