network forensics

• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
• "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.

One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool.

Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).

Read more about network forensics: - O'Reilly Network provides an article by Simson Garfinkel, "Network Forensics: Tapping the Internet." - Information Security Magazine provides a survey of products in its article, "Analyze This!" - SearchSecurity.com provides links to articles on "Infrastructure and Network Security."

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows registry forensics guide: Investigating hacker activities Ed Skoudis explains how investigators can interact with the registry to analyze a compromised system and unveils several reg commands that can be used... More built-in Windows commands for system analysis Ed Skoudis defines five more useful Windows commands that can provide new insight into the realm of Windows analysis. Is security improved when the number of Internet gateways is reduced? A single entry point has often been thought easier to defend than multiple entry points. There are some caveats to reducing the number of Internet...

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) Einstein is the network monitoring tool used by the United States federal government's Department of Homeland Security (DHS). Einstein is used to...