Network forensics

This month we carved up the digital forensic tool universe into two subsets. The network-based tools covered some interesting territory. There are two classes of tools that seem to be lumped into the network forensics category. The first category is tools that do much of what traditional computer forensics tools do – only they do it over a network. The second category is tools that analyze traffic over the network. We saw both.

The tools that analyze computers over the network usually are able to look at some things that typical computer forensics tools cannot see. They also make it easy to watch files being opened and closed. These additional abilities provide the analyst with more forensic data, while allowing a traditional view of the device’s media.
The network forensic tools that watch the traffic on the network are of more than one type as well. Some of these tools are designed specifically for forensic analysis of network activity. Some – most, in fact – are intended to do double duty as log aggregators/analysts and forensic analysis tools.

These products take input from a variety of log sources. They may or may not have explicit forensic functionality, but they all provide the necessary features that enable forensic analysis over the network whether implicitly or explicitly.

We also saw niche products, such as one that simply goes out to the network and discovers all of the computers within a range of IP addresses. It then tells a bit about what it finds. This is a first step in analyzing a network. One might think of this tool as a sort of commercial Nmap. However, the information it gathers is focused on that which is needed as a preliminary step in forensic analysis of a network and its devices.

Buying network forensics
This is not an easy topic to discuss because we start by examining everything from niche products to pure forensic products. The real answer here is that you should think of your forensic tools in terms of a forensic tool kit. What I am talking about is your collection of forensic tools, some of which are absolutely simple specialized products for single tasks.

Forensic analysis has become a complicated process. Not everything that you do during the analysis process yields evidence directly. Some of the functions will simply help you understand the network better, look for anomalies and, perhaps most important, lead you to where useful evidence resides. In that regard, some of our tools shine.

Begin your buying process by selecting one or two computer forensics tools. Just as in network tools, there will be some niche tools that perform specialized tasks, such as cell phone analysis. The reason you select more than a single tool here is a bit complicated. First, you may need the functionality of some of the more focused tools. Second, it is a good idea to use more than a single computer forensics tool. Not all of these tools behave the same way or see exactly the same things in the same ways.

Once you are ready to start looking at network tools, consider how you will use these tools. Do you need to do analysis of individual computers over the network? If so, an over-the-network computer forensics tool will be useful. Are you just using forensics to analyze suspected criminal activity or violations of policy? Or are you incorporating digital forensic analysis in your incident management/response program? How large is your enterprise? Is it geographically dispersed? These questions, answered in the affirmative, suggest that a remote forensics tool may be useful.

Next, look for the niche tools just as you did in the media tools category. These are utilities that help you manage forensic tasks.

Finally, it’s time to invoke the big guns. These are the log analysis tools. They aggregate and correlate the data from all of the logging devices on the enterprise and then analyze them for commonalities that allow correlation of individual activities into a single, overall picture of an incident. Some of these products have an explicit forensic function. If you are going to use such a tool for forensics, you either need a forensic function that helps you manage such things as chain of custody, or you will need to do them manually.
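If the log analysis tool has no forensic function of its own, the chain of custody for a capture has to be kept by hand. The following is an added example, not code from the article or from any reviewed product: a minimal custody record in which each hand-off is hashed together with the previous event, so an edited, deleted or out-of-order entry, or a change to the evidence bytes, fails verification. The evidence bytes and analyst names are constructed.

```python
# Added example (not from the article or any reviewed product): a minimal
# chain-of-custody record kept beside a network capture when the analysis
# tool offers no forensic function. Each custody event is hashed together
# with the previous event's hash, so tampering anywhere breaks verification.
import hashlib
import json
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON of the event fields, chained to the previous event's hash.
    body = json.dumps(entry, sort_keys=True).encode()
    return sha256_hex(prev_hash.encode() + body)

def _stamp(when) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()

def start_record(evidence_id: str, data: bytes, collected_by: str, when=None) -> dict:
    """Open a custody record for one evidence item (for example a pcap file)."""
    entry = {"action": "collected", "by": collected_by, "to": collected_by, "at": _stamp(when)}
    entry["hash"] = _entry_hash("", entry)
    return {"evidence_id": evidence_id, "sha256": sha256_hex(data), "events": [entry]}

def transfer(record: dict, from_person: str, to_person: str, reason: str, when=None) -> dict:
    """Append a hand-off event, chained to the hash of the previous event."""
    entry = {"action": "transferred", "by": from_person, "to": to_person,
             "reason": reason, "at": _stamp(when)}
    entry["hash"] = _entry_hash(record["events"][-1]["hash"], entry)
    record["events"].append(entry)
    return record

def verify(record: dict, data: bytes) -> tuple:
    """Check the evidence bytes and the custody chain; return (ok, reason)."""
    if sha256_hex(data) != record["sha256"]:
        return False, "evidence bytes do not match recorded SHA-256"
    prev = ""
    for i, event in enumerate(record["events"]):
        fields = {k: v for k, v in event.items() if k != "hash"}
        if _entry_hash(prev, fields) != event["hash"]:
            return False, f"custody event {i} altered or out of order"
        # The person handing off must be the one who last received the item.
        if i > 0 and event["by"] != record["events"][i - 1]["to"]:
            return False, f"custody gap before event {i}"
        prev = event["hash"]
    return True, "ok"
```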

One important facet of this product group is its overall excellence. We had a hard time picking a Best Buy and a Recommended product. Regardless of what you need to do, there are products out there to help you, and these are at the head of the class.
