Network forensics
Network forensics is the process of capturing information that moves over a network and trying to make sense of it in some kind of forensics capacity. A network forensics appliance is a device that automates this process.
There are both open source and proprietary network forensics systems available.
Overview
| System | License | User Interface | Supported Platform | Supported Protocols | Refs | ||
|---|---|---|---|---|---|---|---|
| Argus | Open Source | Command Line, GUI via ArgusEye | Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt | L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow | |||
| Chaosreader | Open Source | Command Line, GUI | Solaris, RedHat, Windows | FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs | |||
| Junkie | Open Source | GUI | unknown | unknown | |||
| kisMAC | Open Source | GUI | Mac OS X, Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, IRIX, Windows (under Cygwin) and OpenWrt | L2 addresses, tunnel identifiers (MPLS, GRE, ESP, etc...), protocol ids, SAP's, hop-count, options, L4 transport identification (RTP, RTCP detection), host flow control indication; netflow | |||
| kismet | Open Source | Command Line /GUI via ArgusEye | Mac OS X | unknown | |||
| n2disk | Open Source | Command Line, GUI | Ubuntu, CentOS | unknown | |||
| net-sniff-ng | Open Source | unknown | unknown | unknown | |||
| netfse | Open Source | GUI | unknown | TCP/IP, UDP | |||
| netsleuth | Open Source | Command Line, GUI | Windows, Backtrack | Apple MDNS / Bonjour, SMB / CIFS / NetBios, DHCP (using the www.fingerbank.org resource), SSDP (as used in Microsoft Zero Config) | |||
| NetworkMiner | Open Source | Windows GUI, Commandline | Linux / Mac OS X / FreeBSD, Windows | http, smb, ftp, tfpt, ssl , tls, tor | |||
| ntop | Open Source | Command Line, GUI | Unix (including Linux, *BSD, Solaris, and MacOSX), linux, windows | DPI via OpenDPI Library; FTP POP SMTP IMAP DNS IPP HTTP MDNS NTP NFS SSDP BGP SNMP XDMCP SMB SYSLOG DHCP PostgreSQL MySQL TDS DirectDownloadLink I23V5 AppleJuice DirectConnect Socrates WinMX MANOLITO PANDO Filetopia iMESH Kontiki OpenFT Kazaa/Fasttrack Gnutella eDonkey Bittorrent (Extended) OFF AVI Flash OGG MPEG QuickTime RealMedia Windowsmedia MMS XBOX QQ MOVE RTSP Feidian Icecast PPLive PPStream Zattoo SHOUTCast SopCast TVAnts TVUplayer VeohTV QQLive Thunder/Webthunder Soulseek GaduGadu IRC Popo Jabber MSN Oscar Yahoo Battlefield Quake Second Life Steam Halflife2 World of Warcraft Telnet STUN IPSEC GRE ICMP IGMP EGP SCTP OSPF IP in IP RTP RDP VNC PCAnywhere SSL SSH USENET MGCP IAX TFTP | |||
| OSSEC | Open Source | Command Line, GUI | Windows 7, XP, 2000 and Vista Windows Server 2003 and 2008 VMWare ESX 3.0,3.5 (including CIS checks) FreeBSD (all versions) OpenBSD (all versions) NetBSD (all versions) Solaris 2.7, 2.8, 2.9 and 10 AIX 5.3 and 6.1 HP-UX 10, 11, 11i MacOSX 10 remote syslog: Cisco PIX, ASA and FWSM (all versions) Cisco IOS routers (all versions) Juniper Netscreen (all versions) SonicWall firewall (all versions) Checkpoint firewall (all versions) Cisco IOS IDS/IPS module (all versions) Sourcefire (Snort) IDS/IPS (all versions) Dragon NIDS (all versions) Checkpoint Smart Defense (all versions) McAfee VirusScan Enterprise (v8 and v8.5) Bluecoat proxy (all versions) Cisco VPN concentrators (all versions) Database monitoring is available for the following systems: MySQL (all versions) PostgreSQL (all versions) Oracle, MSSQL (to be available soon)" | Unknown | |||
| Snort | Open Source | Command Line, GUI | Linux, Windows | Unknown | |||
| Wireshark | Open Source | Command Line, GUI | Windows, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, and others | IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2; Wireshark can decrypt IEEE 802.11 WLAN data with user specified encryption keys, and others | |||
| xplico | Open Source | Command Line, GUI | Linux | ARP Radiotap Ethernet PPP VLAN L2TP IPv4 IPv6 TCP UDP DNS HTTP SMTP POP IMAP SIP MGCP H323 RTP RTCP SDP FB chat FTP IPP CHDLC PJL NNTP MSN IRC YAHOO GTALK EMULE SSL/TLS IPsec 802.11 LLC MMSE Linux cooked TFTP SNOOP PPPoE Telnet WebMail Paltalk Exp. Paltalk NetBIOS SMB PPI syslog G711ulaw, G711alaw, G722, G729, G723, G726 and RTAudio (x-msrta: Real Time Audio). | Unknown | ||
| System | License | User Interface | Supported Platform | Supported Protocols | Refs |
Tips and Tricks
- The time between two events triggered by an intruder (as seen in logfiles, for example) can be helpful. If it is very short, you can be pretty sure that the actions were performed by an automated script and not by a human user.
See also
External links
- Default Time To Live (TTL) values
- http2 explained, by Daniel Stenberg, February 18, 2015
Tools
Open Source Network Forensics
- Argus
- Bulk Extractor
- Chaosreader is a session reconstruction tool (supports both live or captured network traffic)
- FlowGREP is a basic IDS/IPS tool written in Python
- KisMAC is a free, open source wireless stumbling and security tool for Mac OS X.
- Kismet
- logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). Speaking of searching, logstash comes with a web interface for searching and drilling into all of your logs.
- log2Timeline a framework for automatic creation of a super timeline. The main purpose is to provide a single tool to parse various log files and artifacts found on suspect systems (and supporting systems, such as network equipment) and produce a timeline that can be analysed by forensic investigators/analysts.
- NetFSE is a web-based search and analysis application for high-volume network data.
- ntop
- NetGREP is a command line tool which tells you which lines in a text file contain network resources related to a particular country or Autonomous Network (AS)
- NetworkMiner is an open source Network Forensics Tool available at SourceForge
- OSSEC
- Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.
- RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis
- Snort
- Wireshark
- Xplico.
Commercial Network Forensics
Deep-Analysis Systems
- E-Detective
- InfoWatch Traffic Monitor
- Mera Systems NetBeholder
- NETRESEC NetworkMiner Professional (portable network forensic analysis tool for Windows)
- NetWitness Corporation - Freeware/Commercial, Enterprise-Wide, Real-Time Network Forensics NetWitness
- Network Instruments
- NIKSUN's NetDetector
- PacketMotion
- WildPackets OmniPeek
- Xplico
- Expert Team - 3i System
Flow-Based Systems
- Arbor Networks
- CapAnalysis
- GraniteEdge Networks
- Lancope
- Mantaro Product Development Services
- Mazu Networks
Hybrid Systems
These systems combine flow analysis, deep analysis, and security event monitoring and reporting.