In a recent white paper, “Network Forensics 101: Finding the Needle in the Haystack,” WildPackets lays out the basics of network forensics. Since network forensics is increasingly relevant and essential to IT engineers, we wanted to give you a high-level overview of the topic, explaining why it matters and how you can use it in your organization.
What is network forensics?
Essentially, network forensics is the method of gathering and examining the activity that is taking place on a network. It is also sometimes referred to as packet mining, packet forensics, or digital forensics. Combining recordings of network traffic with powerful data search and analysis tools, network forensics enables IT organizations to find the root causes of network performance and application delivery issues with accuracy and precision.
Why do we need it?
Along with the superior performance of faster network speeds and the increased volume of data traversing networks, come many challenges to maintaining secure and operational networks. At the same time, network analysis tools have been following a trend toward simplicity, where instead of analyzing all network traffic, they settle for sampling or reporting high-level flow statistics, such as NetFlow and sFlow. While flow-based analysis systems certainly have their place in an IT organization’s toolset for reporting network utilization and other aggregate measures of network activity, the data they provide is insufficiently detailed and imprecise to enable IT engineers to answer the questions being investigated.
Forensics can also play an important role in protecting networks from subtle and malicious security threats. Network forensics can enable an organization to adequately investigate and stop data breaches that threaten to cost organizations money, competitive advantage, or both. Collecting a complete record of network activity can be invaluable for addressing technical, operational and organizational issues.
When should it be used?
There are many situations when network forensics can be applied to solve performance, security and policy problems on today’s high-speed networks. These include:
- Finding proof of a security attack
- Troubleshooting intermittent performance issues
- Monitoring user activity for compliance with IT and HR policies
- Identifying the source of data leaks
- Monitoring business transactions
- Troubleshooting VoIP and video over IP
What do you need for a network forensics solution?
There are three essential capabilities required to properly facilitate network forensics: capturing and recording data, discovering data, and analyzing data.
- Data Capture and Recording: This is the ability to capture and store multiple terabytes of data from high-throughput networks, including 10G and even 40G, without dropping or missing any packets. Every network forensics solution has its limitations, such as sustainable throughput, packets per second, and search functions, but these can be identified through practical lab tests, and the results should be repeatable and documented.
- Data Discovery: Once data are recorded on the storage media, the solution should provide a means of filtering particular items of interest, for example, by IP address, application, context, etc. IT engineers rely on discovery tools for sifting through terabytes of data to find specific network conversations or individual packets in a timely fashion.
- Data Analysis: To further accelerate discovery and analysis, IT engineers benefit from a forensics solution’s built-in assistance for examining the patterns and anomalies found during the discovery process. Automated analysis, including Expert analysis that explains the context of network events, helps IT engineers quickly identity anomalous or otherwise significant network events.
If this blog has left you wanting to know more about network forensics, take a look at our white paper that provides a more in-depth look.