Name: NetWitness Appliance (Group Test: Forensic tools)
- Powerful network forensics tool.
- No answer to encrypted traffic, no remote/web GUI.
- Superb tool for capturing and analyzing network behavior.
SC Labs Reviews
Reviews from our expert team
NetWitness is a network forensics and analysis package available in both software and appliance (really just a preconfigured server) formats.
We tested the appliance. It was easy enough to set up, but we were surprised to have to connect a keyboard and screen in this day of ubiquitous web front ends. You could use terminal services or VNC, but we would have liked a web front end, too.
NetWitness captures all traffic in promiscuous mode, regularly indexing and writing the packets. The traffic is analyzed at every level of the stack up to layer seven, and can then be analyzed using a browser tool, which is where most of the real work with the product is done. Obviously, this sort of packet capture is intensive work, but with a Gigabit interface it should be happy enough on a span port at a choke point like your internet gateway or some strategic internal location. You can easily manage multiple systems, and integrate them into your IDS environment.
The NetWitness Browser consists of a left-hand menu with viewing options for the types of disassembly on offer. These drill down into the captured data by protocol, service (HTTP, IM), time, and so on. Particularly powerful are options to drill down by identified user names (from any service – web mail, IM, Netbios) and by file (email attachments, FTP transfers and others). This enables quick and easy correlation across multiple services. Within each category, a list of specific options is available, and many have further levels of detail.
The right hand side shows a brief overview of the transaction at the top, and a lower pane holds the raw data – which can be displayed in many ways, from the standard hex/text/packet views to more powerful reassembly.
NetWitness can reassemble web pages, email, file attachments, images and even VOIP.
Unfortunately, the stumbling block is network encryption. The device cannot see inside SSL transactions, of course, and as more products are offering built-in crypto, this might become more of a problem.
Additional services such as a geographical location tool help pinpoint where connections start. And powerful query tools round it all out. A comprehensive, but primitive, command line provides access to the internal database.
For traffic analysis, we rate NetWitness highly. It is polished and thorough, and a valuable tool.