Network forensic analysis takes traditional protocol analysis a step further: with current capture, storage and analysis technology it extends the period over which the examiner can record network traffic data.
A network forensics tool therefore lets the examiner go back in time and review historical network traffic in order to investigate security attacks as well as network or application performance issues.
Network forensic tools are commonly used for:
Optimizing network and application performance
Data center consolidation
Capturing unexpected traffic patterns and isolating problems caused during the deployment of virtualization or the consolidation of traffic from other data centers
Service assurance: guaranteeing the delivery of mission-critical data through traffic profiling, and reducing the root cause analysis of intermittent issues
Tuning intrusion prevention and detection solutions
On Ethernet, network forensics is performed by eavesdropping on the bit stream with network monitoring software, or “sniffers”.
Network traffic is best captured by connecting a packet “sniffer” to a network “tap” or by monitoring a specific port of a given switch located at a central point of a network. Ideally, the device which performs the monitoring should not emit network traffic to the network being monitored.
The packet “sniffer” can, for example, be a machine running tcpdump or Wireshark, which stores the captured traffic to a file to be processed later. This file can also serve as evidence if any illicit traffic is captured.
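Once a capture is on disk, the first forensic steps are to fix its integrity with a hash and to extract the endpoints and timestamps it records. The following Python script is added here as an illustration and is not part of the original text, nor code from tcpdump or Wireshark: it parses a classic libpcap file of the kind `tcpdump -w` writes, and the one-packet capture it builds is constructed sample data (the MAC and IP addresses are assumptions).

```python
import hashlib
import socket
import struct

LINKTYPE_ETHERNET = 1  # link-layer header type recorded in the pcap global header


def parse_pcap(data: bytes) -> list[dict]:
    """Walk a classic libpcap file and summarise every IPv4 packet it holds."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"            # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"            # file written on a big-endian host
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, offset = [], 24    # 24-byte global header precedes the first record
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # keep only IPv4 over Ethernet
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
        proto = frame[23]
        l4 = frame[14 + ihl:]
        ports = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (None, None)
        packets.append({"time": ts_sec + ts_usec / 1e6,
                        "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
                        "proto": proto, "sport": ports[0], "dport": ports[1]})
    return packets


def evidence_hash(data: bytes) -> str:
    """SHA-256 of the capture file, recorded at acquisition so later copies can be verified."""
    return hashlib.sha256(data).hexdigest()


def build_sample_pcap() -> bytes:
    """Constructed one-packet capture: Ethernet / IPv4 / TCP SYN, 10.0.0.5:40000 -> 192.0.2.10:443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    frame = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + tcp
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1700000000, 123456, len(frame), len(frame))
    return header + record + frame
```

Run `parse_pcap(open("capture.pcap", "rb").read())` on a real tcpdump file to list its IPv4 conversations, and store the `evidence_hash` of the file alongside it as part of the chain of custody.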
The Internet can be a rich source of digital evidence such as web-browsing, email traffic, synchronous chat, and so on.
Digital investigations can capture the traces left by browsing (type of search, search provider), can continuously check whether an IP address receives or transmits specific mail with attachments (indicating data theft or network backdoor access), and can monitor synchronous chat rooms for malicious or suspect behavior.
All of the above cases can be handled with specialised forensic tools, which help eliminate, or at least reduce, such behavior.
Wireless forensics is a discipline within the network forensics field. It refers to the tools and methodology required to acquire and analyze wireless network traffic so that it can be presented as valid digital evidence in a court of law.
Besides capturing all data travelling over the network, the wireless forensics process includes analyzing network events to uncover network anomalies, discover the source of a security attack, and investigate security breaches on computers and wireless networks. This information may further determine whether there has been any illegal or unauthorized activity.
The analysis of wireless network traffic follows the same general rules that apply to computer forensics: identification, preservation and analysis of the evidence, in order to impartially report findings and conclusions.