Understanding corporate website traffic helps to detect potential threats. Consider that your CIO has asked you to research network forensic analysis tools (NFAT).
- Describe the purpose of NFATs as you understand it, and how these tools can assist with an investigation.
- Compare and contrast your favorite NFATs and make a recommendation as to which tool you think would be the best.
- Make sure to justify your answers with facts and provide links to useful resources that would help solidify your answers.
Post from Alice that you have to reply
Network forensics is a process of collecting and analyzing raw network data and tracking network traffic to ascertain how an attack was carried out or how an event occurred on a network. Knowing a networks typical traffic patterns is important in spotting variations in network traffic.
Network Forensic Analysis Tools (NFATs) enable network investigators and administrators to monitor networks and collect data on unusual or malicious activity. These solutions work in tandem with network systems and network devices like as firewalls and intrusion detection systems (IDS) to enable the preservation of long-term records of network traffic. NFATs enable the rapid analysis of patterns detected by network security devices.
The functions of NFATs are:
- Network traffic capture and analysis
- Evaluation of network performance
- Detection of anomalies
- Determination of network protocols in use
- Aggregation of data
- Investigations and incident response
Tcpdump and wireshark/tshark are popular protocol analyzers. These tools are used to inspect recorded traffic. They can be either packet-centric or session-centric.
Xplico and NetworkMinerare Network Forensic Analysis (NFAT) tools. These tools are data-centric which analyze the traffic content.
NetworkMinercan be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports.This toolhas the ability to do OS fingerprinting, can sort by IP address, MAC address, hostname, etc. It extracts all files and images from packet capture and stores them locally. Hence, NetworkMiner is a great tool for automatic extraction of files from a packet capture. It’s also useful at extracting messages such as emails. Manual packet analysis, on the other hand, is where NetworkMiner falls short and Wireshark excels.
Wiresharkis a very good tool to analyze packets between your network and a specified network that you’re monitoring. It’s especially useful if the user knows how to identify network protocols such as TCP, DNS, SFTP and set filters based on their port numbers.Most network packets are TCP, UDP, or ICMP. Given the huge volume of traffic that passes a typical business network, Wireshark’s tools can help you filter this traffic. Filters are typically used to capture traffic forms of interest, while focusing in on the traffic the user may wish to investigate.
Computer forensics: Network forensics analysis and examination steps [updated 2019]. (2019, July 6). Infosec Resources. Retrieved January 17, 2022, fromhttps://resources.