network forensics

• "Catch-it-as-you-can" systems, in which all packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage, usually involving a RAID system.
• "Stop, look and listen" systems, in which each packet is analyzed in a rudimentary way in memory and only certain information saved for future analysis. This approach requires less storage but may require a faster processor to keep up with incoming traffic.

Both approaches require significant storage and the need for occasional erasing of old data to make room for new. The open source programs tcpdump and windump as well as a number of commercial programs can be used for data capture and analysis.

One concern with the "catch-it-as-you-can" approach is one of privacy since all packet information (including user data) is captured. Internet service providers (ISPs) are expressly forbidden by the Electronic Communications Privacy Act (ECPA) from eavesdropping or disclosing intercepted contents except with user permission, for limited operations monitoring, or under a court order. The U.S. FBI's Carnivore is a controversial example of a network forensics tool.

Network forensics products are sometimes known as Network Forensic Analysis Tools (NFATs).

Read more about network forensics: - O'Reilly Network provides an article by Simson Garfinkel, "Network Forensics: Tapping the Internet." - Information Security Magazine provides a survey of products in its article, "Analyze This!" - SearchSecurity.com provides links to articles on "Infrastructure and Network Security."

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

BROWSE BY TAG Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Chained Exploits: How to prevent phishing attacks from corporate spies Ever wonder if someone is monitoring everywhere you go on the Internet? In this chapter excerpt, learn how to keep corporate spies at bay. PCI compliance requirement 10: Auditing Diana Kelley and Ed Moyle of Security Curve review PCI compliance requirement 10: "Track and monitor all access to network resources and cardholder... Know when you need IDS, IPS or both Cut through the hype and learn the differences and benefits of intrusion detection and prevention systems.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) Einstein is the network monitoring tool used by the United States federal government's Department of Homeland Security (DHS). Einstein is used to...