Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields where forensics pertains to the investigation of crimes.)

According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:
• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.

• "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.
Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.
One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured.
Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order.
• Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).



Network Forensic Tools
Tags:
Forensic ToolKit, AccessData Corp., Email Examiner, Encase, Guidance Software, Paraben Corp, ProDiscover, Sleuth Kit, Tech-nology Pathways, chain of custody, dtSearch, dtSearch Corp, evidence, hash, incident investigation, intellectual property theft, le-gal team, network forensics, network penetration, Access and Physical Security, Cyberterrorism, Data Protection, Other, Security Policies and Management, Security and Privacy, Software, Software and Web Development, Threats and Attacks, information security


Stages
Stage 1:
Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools.


Stage 2:
Primary analysis and drive-image acquisition. This stage usually entails obtaining the hard disk of a suspect machine and investigating it in a controlled (not live) environment. AccessData Forensic Toolkit, Encase Forensic Edition and the open-source Sleuth Kit fit this stage. Any one can be used as the primary investigative tool in environments that don't require a network-capable acquisition application. All these products can acquire a full sector-by-sector drive image of any hard disk under investigation; additional sleuthing functionality varies by application.


Stage 3:
Fine-grained keyword searches through disk or partition contents, e-mail-specific searches or Internet history analysis. Paraben's NetAnalysis, E-Mail Examiner and Net E-Mail Examiner, and dtSearch's dtSearch excel here. These tools operate on disk images created by any of the applications from Stages 1 or 2.





NetDetector

NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It complements existing network security tools, such as firewalls, intrusion detection/prevention systems and switches/routers, to help provide comprehensive defense of hosted intellectual property, mission-critical network services and infrastructure

NetIntercept

NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.

NetVCR

NetVCR delivers comprehensive real-time network, service and application performance management. It is an integrated, single-point solution that decisively replaces multiple network performance monitoring and troubleshooting systems. NetVCR’s scalable architecture easily adapts to data centers, core networks, remote branches or central offices for LAN and WAN requirements

NIKSUN

NIKSUN’s Full-Function Appliance combines the value of both NetDetector and NetVCR for complete network performance and security surveillance.

This plug-and-play appliance offers customers a complete range of network security and performance monitoring solutions that identify, capture and analyze the root-cause of any security or network incident the first time!

The unique enterprise-wide network visibility provided by this product is extremely attractive to large enterprises requiring an integrated and proactive solution to combat the constant barrage of security and network incidents such as worms, viruses, Trojan-horse attacks, Denial of Service (DoS) attacks, outages, overload and service slowdown, etc.

NetOmni

NetOmni provides global visibility across the network so IT professionals can manage multiple products and vendors from one central location.

NetOmni streamlines the network management process in a manner conducive to a “best-practices” model that ensures Service Level Agreements (SLA), Quality of Services (QoS) and maximum revenue opportunities.


NISUN (Puma Portable)

NIKSUN's Puma, a portable network monitoring appliance, allows customers to leverage the state-of-the-art network performance, security and compliance monitoring technology as a robust luggable appliance that can be conveniently used in the field.

Deployed in a few short steps, Puma offers with exceptional functionality of NIKSUN's renowned performance and security monitoring technology within minutes to field personnel. Puma, is now capable of monitoring networks at 10G speeds.

The incorporation of real-time 10G monitoring to the Puma feature-set enhances the already excellent value that Puma provides to customers, making it the go-to portable monitoring and forensics tool for network professionals

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.

[u]