Summary of tools commonly used to support network forensic investigations

Key: C = Collection and filtering; L = Logfile analysis; S = Stream reassembly; R = Correlation and analysis of multiple raw data sources; A = Application layer viewer; W = Workflow or case management

| Name | Provider | Platform | Features |
|---|---|---|---|
| TCPDump, Windump | Open Source, www.tcpdump.org | Unix, Windows | C |
| Ngrep | Open Source, http://ngrep.sourceforge.net/ | Unix | C |
| Network Stumbler | Open Source, http://www.netstumbler.com/ | Windows | C |
| Kismet | Open Source, http://www.kismetwireless.net | Unix, Windows | C |
| Argus | Open Source, http://www.qosient.com/argus/index.htm | Unix | CL |
| Flow-tools | Open Source, http://www.splintered.net/sw/flow-tools/ | Unix | CL |
| Flow-extract, Flow Scripts | Open Source, http://security.uchicago.edu/tools/net-forensics/ | Unix | L |
| Etherape | Open Source, http://etherape.sourceforge.net/ | Unix | C |
| Snort | Open Source, www.snort.org | Unix | C |
| Observer | Network Instruments, http://www.networkinstruments.com/ | Appliance | C |
| Honeyd | Open Source, http://www.citi.umich.edu/u/provos/honeyd/ | Unix | C |
| Ethereal | Open Source, www.Ethereal.com | Windows, Unix | CLS |
| Etherpeek | Wild Packets, Inc., www.wildpackets.com | Windows | CLS |
| SecureNet | Intrusion Inc., http://www.intrusion.com | Windows with collector appliance, Unix | CS |
| FLAG (Forensic and Log Analysis GUI) | Open Source, http://www.dsd.gov.au/library/software/flag/ | | L |
| ACID (Analysis Console for Intrusion Databases) | http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html | Unix | L |
| Shadow | http://www.nswc.navy.mil/ISSEC/CID/index.html | Unix | LS |
| DeepNines and Sleuth9 | http://www.deepnines.com/sleuth9.html | Unix | CSR |
| Infinistream | Network Associates, http://www.networkassociates.com/us/promos/sniffer/infinistream.asp | Appliance | CSR |
| Dragon IDS | Enterasys, http://www.enterasys.com/ | Unix | CLSR |
| NSM Incident Response | Intellitactics, http://www.intellitactics.com/ | Windows | CLSRW |
| neuSecure | GuardedNet, http://www.guarded.net/investigation.html | Unix | CLSRW |
| NetDetector | Niksun, http://www.niksun.com/ | Appliance | CSRA |
| NetIntercept | Sandstorm Tech, http://www.sandstorm.net/products/netintercept/ | 'Bundled Software' (dedicated Linux box) | CSRA |
| NetWitness | Forensics Explorers, http://www.forensicsexplorers.com/ | Windows | CLSRA |
