network forensics

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.

Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents. (The term, attributed to firewall expert Marcus Ranum, is borrowed from the legal and criminology fields where forensics pertains to the investigation of crimes.) According to Simson Garfinkel, author of several books on security, network forensics systems can be one of two kinds:

  • "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
  • "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.

One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool.

Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).

This was first published in September 2005

Continue Reading About network forensics

Glossary

'network forensics' is part of the:

View All Definitions

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close