
NETWORK FORENSIC ANALYSIS TOOL KIT (NFAT) SYSTEM

The important forensic functions that an NFAT system should perform are to:
- Forensically capture complete and correct evidence.
- Keep up with ever-increasing network speeds.
- Store captured e-evidence for a long period of time for extended investigation.
- Keep evidence secure to preserve the integrity of the collected evidence.

Components of an NFAT system.


- Agent: software modules installed on a host or network component, used to monitor, retrieve or intercept data on the network.
- Server: centralized computer or computers that hold the data collected from the network; usually the server is a large database array.
- Examiner computer: the computer where the forensic security examiner does the analysis of data; this computer is usually not the same machine where the network data is stored.

Devices used by NFAT to collect info.


- Switch port analyser (SPAN). This feature of modern switches is also known as port mirroring. It duplicates the data going into one or any port to the SPAN port for the IDS/NFAT tools to analyse.
- Test access port (TAP). This tool is used much like a cable splice. A TAP has an input side and an output side, where the IDS/NFAT monitoring software or monitor is attached. This type of tool does not degrade network performance because it is a passive data collection device.
- Host inline device (works like a router). A variant of the TAP, a host inline device is a computer that has 2 network interface cards to act as the input and output. In this design the host inline device acts essentially like a repeater, but with the added benefit that it records all data passing through it.
- Bugs. The most basic method of collecting info.
