Network forensics is the capture, recording, and analysis of network events. Typically, network forensics’ tools employ simple and complex filters to mine stored data to reveal anomalies (what caused them and what the results were on a network performance). The common perception is that network forensics is used to discover the source of security attacks. The recent denial-of-service attacks on Twitter is a recent headline example where network forensics was used to help identify the perpetrator. So while security attacks get the most attention, network forensics can be used for other problem incidents. Even beyond problem incidents, network forensics can even be used for things like business analysis. Below are three network forensics use cases, not including security attacks, for consideration.
1) Monitoring User Activity
Social networking sites like Facebook and Twitter have been shown to sap productivity in the workplace. As a result, many organizations have user policies that prohibit, or at least curtail such activities. Recently, the U.S. Marine Corp. banned marines from using Twitter for a year, as well as Facebook. Additionally, policies prohibiting non-work related “bandwidth sucking”download activities (music, videos, games, etc) are common. Lastly, users may not be going though a proxy server opening up the network to various malware. Network forensics allows all these “rogue” activities to be monitored revealing details as to who broke policy, what policy infraction was committed, and at what time it occurred.
2) Business transaction analysis
For transactions that take place in clear text like SQL, http request, FTP, or telnet, network forensics allows the network administrator to create the ultimate audit trail for business transactions. Not just server activity, but the business transactions enacted by clients and servers. Additionally, network forensics can serve to troubleshoot the transaction problems that server logs
3) Pinpointing the source of intermittent performance issues
On a practical level, here’s where network forensics’ tools really come in handy – the capturing and handling intermittent network problems, especially those problems that occurred hours or days ago. Traditional ”reactive” ad hoc troubleshooting can miss patterns that indicate network problems, so network forensics can be used to catch things that were originally missed.
As the SANS Institute notes, “Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable….”
Network forensics can be a powerful tool to unlock mysteries found within the network. Make sure you have a network forensics tool best suited for your organization’s particular needs.