Q

How to perform a network forensic analysis and investigation

Situation: A breach has occurred at your enterprise, and you need to gather relevant data, fast. What tools can you use to get the job done? In this expert response, Mike Chapple gives pointers on which network forensic analysis tools can help.

What are the current views on networking with regards to gathering of forensic data over a network, and forensic

analysis of network activity?

Forensic analysis of network data allows investigators to reconstruct network activity during a particular period of time. These techniques are commonly used to investigate individuals suspected of crimes and to reconstruct the sequence of events that took place during a network-based information security incident.

There are many network forensic analysis tools you can use, several of which may already be present on your network. Here's a rundown of some of the most common network forensic analysis tools:

  • Intrusion detection systems (IDS) offer a security-based perspective on network activity. They monitor the network for suspicious traffic and alert administrators when such traffic occurs. The records generated by an IDS play a valuable role when reconstructing a security incident.
  • Packet capture tools allow you to record every bit that travels on your network or to limit the data captured so only data that has particular connection characteristics (such as 'to' or 'from' a specific system) is allowed. Due to the large volume of data generated by these tools in a short period of time, it's not feasible to retain packet capture data for an extended length of time.
  • A NetFlow data collector records data on each network connection passing through the monitored device(s). This data includes the source, destination and volume of data passed. While it's not possible to preserve packet flows for an extended period of time, NetFlow data may be preserved for a longer period as it only contains summary data about each connection.

These three tools are commonly available on most networks and provide an excellent starting point for a network forensic investigation.

More on this topic

This was first published in April 2009

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close