Difference between pages "Network forensics" and "Purdue CyberForensics Lab"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(General)
 
 
Line 1: Line 1:
'''Network forensics''' is the process of capturing information that moves over a [[network]] and trying to make sense of it in some kind of forensics capacity. A [[network forensics appliance]] is a device that automates this process.
+
== Project Coordinator ==
  
There are both open source and proprietary network forensics systems available.
+
* [[Richard P. Mislan|Richard P. Mislan]] (http://www.ssddforensics.com/)
  
== General ==
+
== Students ==
  
<!--
+
*
 +
*
 +
*
  
  PLEASE DO NOT ADD ENTRIES THAT DO NOT HAVE AN ARTICLE.
+
== External Links ==
  
  Please keep these in alphabetical order.
+
* [[http://cyberforensics.purdue.edu/|Purdue CyberForensics Lab]]
 
+
  When updating any table, please update all tables as appropriate.
+
 
+
-->
+
 
+
{| class="wikitable sortable" style="width: auto; font-size: smaller"
+
|-
+
! System
+
! [[software license|License]]
+
! User Interface
+
! Supported Platform
+
! Supported Protocols
+
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
+
|
+
|
+
|-
+
| [[Argus]]
+
| [[Open Source]]
+
| Command Line, GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
|
+
|
+
|-
+
| [[Chaosreader]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Solaris, RedHat, Windows
+
| FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs
+
|
+
|
+
|-
+
| [[DataEcho]]
+
| [[Open Source]]
+
| GUI
+
| Windows
+
| www, http
+
|
+
|
+
|-
+
| [[Junkie]]
+
| [[Open Source]]
+
| GUI
+
| unknown
+
| unknown
+
|
+
|
+
|-
+
| [[kisMAC]]
+
| [[Open Source]]
+
| GUI
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
| L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow
+
|
+
|
+
|-
+
| [[kismet]]
+
| [[Open Source]]
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X
+
| unknown
+
|
+
|-
+
| [[n2disk]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Ubuntu, CentOS
+
| unknown
+
|
+
|
+
|-
+
| [[net-sniff-ng]]
+
| [[Open Source]]
+
| unknown
+
| unknown
+
| unknown
+
|
+
|
+
|-
+
| [[netfse]]
+
| [[Open Source]]
+
| GUI
+
| unknown
+
| TCP/IP, UDP
+
|
+
|
+
|-
+
| [[netsleuth]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Windows, [[Backtrack]]
+
| Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config)
+
|
+
|
+
|-
+
| [[NetworkMiner]]
+
| [[Open Source]]
+
| Windows GUI, Commandline
+
| Linux / Mac OS X / FreeBSD, Windows
+
| http, smb, ftp, tfpt, ssl , tls, tor
+
|
+
|
+
|-
+
| [[ntop]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows
+
| DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP
+
|
+
|
+
|-
+
| [[OSSEC]]
+
| [[Open Source]]
+
| Command Line, GUI
+
| "GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc)
+
Windows 7, XP, 2000 and Vista
+
Windows Server 2003 and 2008
+
VMWare ESX 3.0,3.5 (including CIS checks)
+
FreeBSD (all versions)
+
OpenBSD (all versions)
+
NetBSD (all versions)
+
Solaris 2.7, 2.8, 2.9 and 10
+
AIX 5.3 and 6.1
+
HP-UX 10, 11, 11i
+
MacOSX 10
+
 
+
remote syslog:
+
Cisco PIX, ASA and FWSM (all versions)
+
Cisco IOS routers (all versions)
+
Juniper Netscreen (all versions)
+
SonicWall firewall (all versions)
+
Checkpoint firewall (all versions)
+
Cisco IOS IDS/IPS module (all versions)
+
Sourcefire (Snort) IDS/IPS (all versions)
+
Dragon NIDS (all versions)
+
Checkpoint Smart Defense (all versions)
+
McAfee VirusScan Enterprise (v8 and v8.5)
+
Bluecoat proxy (all versions)
+
Cisco VPN concentrators (all versions)
+
 
+
Database monitoring is available for the following systems:
+
MySQL (all versions)
+
PostgreSQL (all versions)
+
Oracle, MSSQL (to be available soon)"
+
|
+
|-
+
| [[Snort]]
+
| [[Open Source]]
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
|
+
|-
+
| [[Wireshark]]
+
| [[Open Source]]
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
|
+
|-
+
| [[xplico]]
+
| [[Open Source]]
+
| Command Line /GUI via [http://www.datenspionage.de/arguseye/ ArgusEye]
+
| Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt
+
|
+
 
+
 
+
|- class="sortbottom"
+
! System
+
! [[software license|License]]
+
! User Interface
+
! Supported Platform
+
! Supported Protocols
+
! class="unsortable" | Refs <!-- This column is for a general reference and does not replace the need to identify references for specific features if the feature is not explained in the general reference -->
+
|}
+
 
+
== Open Source Network Forensics ==
+
 
+
* [[Wireshark]]
+
* [[Kismet]]
+
* [[Snort]]
+
* [[Argus]]
+
* [[OSSEC]]
+
* [[NetworkMiner]] is [http://sourceforge.net/apps/mediawiki/networkminer/index.php?title=NetworkMiner an open source Network Forensics Tool available at SourceForge]
+
* [[Xplico]] is an Internet/IP Traffic Decoder (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]
+
* [[DataEcho]]
+
* [[ntop]]
+
* [[KisMAC]] is a free, open source wireless stumbling and security tool for Mac OS X. [http://kismac-ng.org]
+
* [[Chaosreader]] is a session reconstruction tool (supports both live or captured network traffic)
+
* [[NetFSE]] is a web-based search and analysis application for high-volume network data [http://www.netfse.org available at NetFSE.org]
+
* [http://www.netgrab.co.uk NetSleuth] is a live and retrospective network analysis and triage tool.
+
 
+
== Commercial Network Forensics ==
+
 
+
===Deep-Analysis Systems===
+
* WildPackets [[OmniPeek]] [http://www.wildpackets.com/solutions/it_solutions/network_forensics] [http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer/forensics_search]
+
* E-Detective [http://www.edecision4u.com/] [http://www.digi-forensics.com/home.html]
+
* Code Green Networks [http://www.codegreennetworks.com Content Inspection Appliance] - Passive monitoring and mandatory proxy mode. Easy to use Web GUI. Linux platform. Uses Stellent Outside In to access document content and metadata.
+
* NETRESEC [http://www.netresec.com/?page=NetworkMiner NetworkMiner Professional (portable network forensic analysis tool for Windows)]
+
* NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics [http://www.netwitness.com/ NetWitness]
+
* Network Instruments [http://www.networkinstruments.com/]
+
* NIKSUN's [[NetDetector]]
+
* PacketMotion [http://www.packetmotion.com/]
+
* Sandstorm's [http://www.sandstorm.net/products/netintercept/ NetIntercept] - Passive monitoring appliance. Qt/X11 GUI. FreeBSD platform. Uses forensic parsers written by Sandstorm to access document content and metadata.
+
* Mera Systems [http://netbeholder.com/ NetBeholder]
+
* [http://www.infowatch.com InfoWatch Traffic Monitor]
+
* MFI Soft [http://sormovich.ru/ SORMovich] (in Russian)
+
* Solera Networks - Provider of full packet capture network forensics appliances [http://www.soleranetworks.com/ Solera Networks]
+
 
+
===Flow-Based Systems===
+
* Arbor Networks
+
* GraniteEdge Networks
+
* Lancope http://www.lancope.com/
+
* Mantaro Product Development Services http://www.mantaro.com/products/MNIS/index.htm
+
* Mazu Networks http://www.mazunetworks.com/
+
 
+
===Hybrid Systems===
+
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.
+
* Q1 Labs  http://www.q1labs.com/
+
 
+
== Tips and Tricks ==
+
 
+
* The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
+
 
+
== See also ==
+
* [[Wireless forensics]]
+
* [[SSL forensics]]
+
 
+
* [[IP geolocation]]
+
* [[Tools:Network Forensics]]
+
* [[Tools:Logfile Analysis]]
+
 
+
[[Category:Network Forensics]]
+

Revision as of 16:36, 31 March 2006

Project Coordinator

Students

External Links