Source: old.dfrws.org/2003/presentations/Brief-Casey.pdf (DFRWS 2003)
Forensic Network Analysis Tools
Strengths, Weaknesses, and Future Needs
Eoghan Casey
Author, Digital Evidence and Computer Crime
Editor, Handbook of Computer Crime Investigation
Technical Director, Knowledge [email protected]
The Basics

Hardware and configuration
Read-only
Security
Integrity
- Existing tools do not calculate MD5 => do it yourself after collection
Documenting losses
- Existing tools do not log all losses
Document system status & performance
Logging examiner actions
- Not currently => rely on examiner's notes
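Added example (editor's code, not part of Casey's slides): hashing capture files after collection and re-verifying them later, which is the "do it yourself" step the slide calls for. The slides name MD5, which the tools of the time did not compute; this records MD5 and SHA-256 together because MD5 alone is no longer collision-resistant. The capture file names and contents below are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# Added example: hash each capture file after collection and write a manifest
# that can be re-verified later. MD5 is what the slides name; SHA-256 is recorded
# alongside it because MD5 alone is no longer collision-resistant.
ALGOS = ("md5", "sha256")


def hash_file(path, algos=ALGOS, chunk_size=1 << 20):
    """Return {algo: hexdigest} for a file, reading it in chunks so large
    capture files do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(capture_paths, manifest_path):
    """Hash every capture file and store size + digests in a JSON manifest."""
    records = {}
    for path in capture_paths:
        entry = hash_file(path)
        entry["size"] = os.path.getsize(path)
        records[os.path.abspath(path)] = entry
    with open(manifest_path, "w") as fh:
        json.dump(records, fh, indent=2, sort_keys=True)
    return records


def verify_manifest(manifest_path):
    """Re-hash each file listed in the manifest; return {path: True/False}.
    A missing file or any size/digest mismatch counts as a failure."""
    with open(manifest_path) as fh:
        records = json.load(fh)
    results = {}
    for path, expected in records.items():
        if not os.path.exists(path):
            results[path] = False
            continue
        actual = hash_file(path, algos=[a for a in expected if a != "size"])
        actual["size"] = os.path.getsize(path)
        results[path] = actual == expected
    return results


def demo():
    """Constructed scenario: two small 'capture' files, a manifest, then one
    file is modified after the fact and verification catches it."""
    workdir = tempfile.mkdtemp(prefix="fnat-")
    samples = {
        "capture-0001.dmp": b"abc",  # constructed content, not a real capture
        "capture-0002.dmp": b"\xd4\xc3\xb2\xa1" + bytes(20),  # pcap magic + zeroed header
    }
    paths = []
    for name, data in samples.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)

    manifest = os.path.join(workdir, "MANIFEST.json")
    records = write_manifest(paths, manifest)
    before = verify_manifest(manifest)

    # Simulate post-collection tampering: append one byte to the first file.
    with open(paths[0], "ab") as fh:
        fh.write(b"\x00")
    after = verify_manifest(manifest)

    first, second = os.path.abspath(paths[0]), os.path.abspath(paths[1])
    return {
        "md5_first": records[first]["md5"],
        "all_ok_before": all(before.values()),
        "first_ok_after": after[first],
        "second_ok_after": after[second],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When tcpdump rotates files with `-C` or `-G`, its `-z` option runs a command on each file as it is closed; pointing that at a script which calls `write_manifest` hashes every file as soon as collection of that file ends, which is the "after collection" timing the slide describes.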
Hardware

CatOS Switched Port Analyzer (SPAN)
- Only copies valid Ethernet packets
- Not all error information duplicated
- Low priority of SPAN may increase losses
Physical tap
- Copies signals without removing layers
- May split Tx and Rx (reassembly required)
Platform
- Testing but no published data
- < 200 Mb/sec => Linux
- > 200 Mb/sec => FreeBSD
- Kernel customization
HW (Vendor v Homemade)

Commercial
- More costly but uniform expertise
- Vendor can testify about HW & OS config
- Vendor responsible for problems
Homemade
- Less expensive but variable expertise
- You can testify about HW & OS config
- You are responsible for problems
Read Only

No network response
- Including ARP replies
No network queries
- Use internal DNS resolution (resolve names from the captured data; e.g. run tcpdump with -n so it does not perform live lookups)
No downloads from Internet
- Don't insert content from the Web when reconstructing Web pages
Security

Secure OS configuration
- Patches
- Do not overuse root/Administrator account
Secure remote access
- SSH
- SSL
Secure programming
- Prevent buffer overflows
- Prevent crashes (and resulting data loss)
Data Loss

NIC:
    % /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
              inet addr:128.36.232.10  Bcast:128.36.232.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
              TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
              collisions:442837 txqueuelen:100
              Interrupt:23 Base address:0xec80
(The non-zero overruns, carrier and collisions counters are frames the capture never saw; the capture file itself carries no record of them.)

Kernel:
    # tcpdump -X host 192.168.12.5
    tcpdump: listening on xl0
    ... [data displayed on screen] ...
    ^C
    29451 packets received by filter
    4227 packets dropped by kernel

Losses at the switch:
    show inter

Bug or misrepresentation in application

Figure from Eoghan Casey's "Error, Uncertainty, and Loss" article in International Journal of Digital Evidence (Vol. 1, Iss. 2)
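Added example (editor's code, not from the slides): turning the two operator-visible loss indicators shown above, NIC counters from ifconfig and tcpdump's exit summary, into one structured loss record for the examiner's notes, which is the "document losses" need the slides say tools do not meet. The sample text is constructed from the values on the slide; the drop ratio is an approximation, since the exact meaning of "received by filter" differs between platforms.

```python
import re

# Added example: turn the operator-visible loss indicators (NIC counters from
# ifconfig, tcpdump's kernel-drop summary) into a structured loss record that
# can go into the examiner's notes. Sample text is constructed from the slide.

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
          inet addr:128.36.232.10  Bcast:128.36.232.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
          TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
          collisions:442837 txqueuelen:100
          Interrupt:23 Base address:0xec80
"""

SAMPLE_TCPDUMP_SUMMARY = """\
tcpdump: listening on xl0
^C
29451 packets received by filter
4227 packets dropped by kernel
"""

# NIC counters whose non-zero value means frames never reached the capture.
RX_LOSS_FIELDS = ("errors", "dropped", "overruns", "frame")
TX_LOSS_FIELDS = ("errors", "dropped", "overruns", "carrier")


def parse_ifconfig(text):
    """Return {'RX': {...}, 'TX': {...}, 'collisions': n} from old-style
    Linux ifconfig output (the 'key:value' counter format)."""
    counters = {"RX": {}, "TX": {}, "collisions": 0}
    for line in text.splitlines():
        stripped = line.strip()
        direction = stripped[:2]
        if direction in ("RX", "TX") and stripped.startswith(direction + " packets:"):
            for key, value in re.findall(r"(\w+):(\d+)", stripped):
                counters[direction][key] = int(value)
        elif stripped.startswith("collisions:"):
            counters["collisions"] = int(re.search(r"collisions:(\d+)", stripped).group(1))
    return counters


def parse_tcpdump_summary(text):
    """Pull the two counters tcpdump prints when it exits."""
    result = {"received_by_filter": 0, "dropped_by_kernel": 0}
    m = re.search(r"(\d+) packets received by filter", text)
    if m:
        result["received_by_filter"] = int(m.group(1))
    m = re.search(r"(\d+) packets dropped by kernel", text)
    if m:
        result["dropped_by_kernel"] = int(m.group(1))
    return result


def loss_report(ifconfig_text, tcpdump_text):
    """Combine both sources into one record of where capture loss occurred."""
    nic = parse_ifconfig(ifconfig_text)
    kernel = parse_tcpdump_summary(tcpdump_text)

    nic_losses = {}
    for field in RX_LOSS_FIELDS:
        if nic["RX"].get(field, 0):
            nic_losses["rx_" + field] = nic["RX"][field]
    for field in TX_LOSS_FIELDS:
        if nic["TX"].get(field, 0):
            nic_losses["tx_" + field] = nic["TX"][field]
    if nic["collisions"]:
        nic_losses["collisions"] = nic["collisions"]

    # Approximation: dropped as a fraction of what the kernel saw. The precise
    # semantics of the two tcpdump counters vary by platform.
    seen = kernel["received_by_filter"] + kernel["dropped_by_kernel"]
    ratio = kernel["dropped_by_kernel"] / seen if seen else 0.0

    return {
        "nic_losses": nic_losses,
        "kernel_dropped": kernel["dropped_by_kernel"],
        "kernel_drop_ratio": ratio,
        # Loss upstream of the NIC (switch SPAN, tap) is invisible here and must
        # be recorded separately, e.g. from the switch's interface counters.
        "complete": not nic_losses and kernel["dropped_by_kernel"] == 0,
    }


if __name__ == "__main__":
    report = loss_report(SAMPLE_IFCONFIG, SAMPLE_TCPDUMP_SUMMARY)
    for key, value in report.items():
        print(f"{key}: {value}")
```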
Overview of Tools

Tcpdump (www.tcpdump.org)
- de facto standard file format (.dmp)
Ethereal (www.ethereal.com)
Review (www.net.ohio-state.edu/software/)
IRIS (www.eye.com)
InfiniStream (www.networkassociates.com)
NetIntercept (www.sandstorm.net)
NetDetector (www.niksun.com)
NFR Security (www.nfrsecurity.com)
NetWitness (www.forensicexplorers.com)
SilentRunner (www.silentrunner.com)
DCS1000 w/ CoolMiner/Packeteer (FBI)
Overview of Tool Features

Tcpdump (multiple platforms, free)
- Limited examination capabilities
Ethereal (multiple platforms, free)
- Basic examination capabilities
IRIS (Windows, $)
- Basic examination capabilities
NetWitness (Windows, IIS, MSSQL, $)
- Basic examination capabilities
- Security concerns relating to IIS and MSSQL
InfiniStream (Linux collector, Win console, $)
- Tcpdump import but not export (.cap export)
- Good examination capabilities (Sniffer-based)
Overview of Tool Features

Review (Unix, free)
- Good examination capabilities
NetIntercept (FreeBSD, $)
- Designed with evidentiary issues in mind
- Excellent examination capabilities
  • Feature rich but still user-friendly
  • Decrypts SSH and SSL if keys are available
- Basic analysis capabilities
NetDetector (FreeBSD, $)
- Excellent examination capabilities
- Graphic analysis features (Xpert)
- Integrated IDS capabilities (Snort)
Overview of Tool Features

NFR Security ($)
- Custom analysis using N-code
- OpenBSD collector, Windows admin console, Solaris/Linux mgmt server & Oracle database
SilentRunner (Windows, $)
- Powerful visual & analysis capabilities
DCS1000 (Windows, available to LE)
- Unique filtering with law enforcement in mind (e.g., RADIUS, e-mail pen register)
- Not clear how robust (complexity of RADIUS and capturing content in e-mail header)
Examples

Key points
- Collection: capture all content versus filtering
- Documentation: poor across the board
- Examination: recover, classify, decode, reduce, search
- Analysis: individualize, evaluate source, advanced recovery, reconstruct, visualize, present
Collection

Tcpdump
- 68 byte default snap length (enough for Ethernet, IP and TCP headers, almost no payload; capture content with an explicit -s 0. Later tcpdump releases raised the default, but the snaplen recorded in the capture file should still be checked.)
Ethereal
- 65535 bytes default snap length
Others
- 68 < snap length < 65535 bytes
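Added example (editor's code, not from the slides): reading the snap length out of a pcap file's global header and counting records that were cut short, so a header-only capture is recognised before anyone starts examining it for content. The sample capture is built in memory for the demonstration; with a 68-byte snaplen, 14 bytes of Ethernet, 20 of IP and 20 of TCP leave 14 bytes of payload, which is why a GET request line survives only in fragments.

```python
import struct

# Added example: audit a capture's snap length and count truncated records.
# The sample capture is constructed in memory, not a real trace.

# Magic as read little-endian from the first four bytes -> (struct endianness, timestamp unit)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "us"),  # little-endian file, microsecond timestamps
    0xD4C3B2A1: (">", "us"),  # big-endian file, microsecond timestamps
    0xA1B23C4D: ("<", "ns"),  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: (">", "ns"),  # big-endian file, nanosecond timestamps
}


def build_pcap(snaplen, frames, linktype=1):
    """Build a little-endian pcap file in memory, truncating each frame to
    snaplen the way a capture tool would (incl_len <= orig_len)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out.append(struct.pack("<IIII", 1000 + i, 0, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def is_pcap(data):
    """True if the data starts with a recognised pcap global header."""
    return len(data) >= 24 and struct.unpack("<I", data[:4])[0] in PCAP_MAGICS


def audit_pcap(data):
    """Return snaplen, record count, truncated-record count and bytes lost to
    truncation. Raises ValueError on a malformed file."""
    if not is_pcap(data):
        raise ValueError("not a pcap file or short global header")
    endian, ts_unit = PCAP_MAGICS[struct.unpack("<I", data[:4])[0]]
    _, ver_major, ver_minor, _, _, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])

    offset = 24
    records = truncated = oversized = bytes_lost = 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("short record header at offset %d" % offset)
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > orig_len:
            raise ValueError("record at offset %d has incl_len > orig_len" % offset)
        if offset + 16 + incl_len > len(data):
            raise ValueError("file ends inside record body at offset %d" % offset)
        records += 1
        if incl_len > snaplen:
            oversized += 1          # inconsistent with the header's snaplen; worth noting
        if incl_len < orig_len:
            truncated += 1          # content beyond incl_len was never stored
            bytes_lost += orig_len - incl_len
        offset += 16 + incl_len

    return {
        "version": (ver_major, ver_minor),
        "snaplen": snaplen,
        "linktype": linktype,
        "timestamp_unit": ts_unit,
        "records": records,
        "truncated": truncated,
        "oversized": oversized,
        "bytes_lost": bytes_lost,
    }


def demo():
    """Constructed frames: a 60-byte ARP-sized frame and a 1514-byte frame
    carrying an HTTP request, captured at 68 bytes and at full length."""
    request = b"GET /index.html HTTP/1.0\r\n"
    frames = [bytes(60), bytes(54) + request + b"A" * (1514 - 54 - len(request))]
    return {
        "snaplen_68": audit_pcap(build_pcap(68, frames)),
        "snaplen_65535": audit_pcap(build_pcap(65535, frames)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```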
NetDetector: Audit Log (figure)

External MD5 Calculations (figure)

Filtering During Collection

BPF/Ethereal filtering syntax
- IP address, port, etc.
- MAC address
Custom NFR Security filters (using N-code)
DCS1000
- RADIUS
- DHCP
Filtering on protocol is risky
- Pen register for e-mail (DCS1000)
- If necessary, be very careful
- Ideally use a specialized tool for this purpose
Examination: Protocol Decode

Tcpdump has limited decode capabilities
Ethereal
- More decodes, but assumes default behavior (the standard port-to-protocol mapping)
- "Decode As" feature to force a dissector for traffic on a non-standard port
InfiniStream/Sniffer
- Several decodes including some VoIP
NetDetector
- Understands protocols including some VoIP
NetIntercept
- Understands protocols including some VoIP
- More powerful stream reconstruction
- Flags anomalies (like file signature mismatch)
- Flags missing SEQ #'s in TCP session
Review: X Session Decode

Review Telnet and X Replay (figures: Server, Client)
Figures from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation

Review: X Session Replay

Step-by-step session replay
- Pauses before redrawing screen
Figure from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation

Examination: Data Reduction

GUI versus command syntax
- Review: session summary & browsing
- NetIntercept: Forensics tab
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

Examination: Data Reduction

- SilentRunner: 3-D Visualization
- NFR Security: Query interface
Figures from Karen Frederick's "NFS Security" chapter in Handbook of Computer Crime Investigation

Examination: Visualization

Traffic charts
- Top Talkers
- Top Pairs

Examination: Visualization

SilentRunner
- 3-D display of traffic helps focus on interesting activities
General purpose visualization tools
- Clustering and other techniques for visually representing data to help examiners identify useful items in large datasets
Search and Recovery

Ethereal
- Misses a keyword split between two packets
- Export Web page & view in browser (bad: the browser fetches live remote content and may execute code embedded in the page)
- File extraction requires expertise & tools
NetIntercept
- Performs search on reconstructed data
- Sandbox for viewing Web pages
- Does not execute code in Web pages
- Automated file extraction
NetDetector
- GUI & regular expression on command line
- Sandbox for viewing Web pages
NFR Security
- Database query customization
SilentRunner
- N-gram Analysis
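Added example (editor's code, not from the slides): the difference between searching each packet on its own, which misses a keyword split across two segments, and searching the reassembled TCP stream. The reassembly orders segments by sequence number, discards retransmitted bytes and reports gaps (missing sequence ranges) rather than silently joining across them, which is the "missing SEQ #s" flag the slides ask for. The segments and their contents are constructed for the demonstration.

```python
# Added example: per-packet search vs. search over the reassembled stream.
# Segments are constructed (seq, payload) pairs, not taken from a real capture.


def reassemble(segments):
    """Order TCP segments by sequence number, drop retransmitted/overlapping
    bytes and report gaps instead of silently concatenating across them.
    Returns (stream_bytes, gaps) where gaps is a list of (start_seq, end_seq)."""
    ordered = sorted(segments, key=lambda s: s[0])
    stream = bytearray()
    gaps = []
    next_seq = None
    for seq, payload in ordered:
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            gaps.append((next_seq, seq))   # bytes in this range were never captured
            next_seq = seq
        skip = next_seq - seq              # bytes already present from an earlier segment
        if skip >= len(payload):
            continue                       # pure retransmission, nothing new
        stream += payload[skip:]
        next_seq = seq + len(payload)
    return bytes(stream), gaps


def search_per_segment(segments, keyword):
    """Packet-by-packet search (what a per-frame search does).
    Returns the indices of segments that contain the keyword."""
    return [i for i, (_, payload) in enumerate(segments) if keyword in payload]


def search_stream(segments, keyword):
    """Search over reconstructed data. Returns (offsets_in_stream, gaps)."""
    stream, gaps = reassemble(segments)
    offsets, start = [], 0
    while True:
        pos = stream.find(keyword, start)
        if pos < 0:
            break
        offsets.append(pos)
        start = pos + 1
    return offsets, gaps


# Constructed sample: "password" is split across two segments, the second
# segment arrives first, and the first is retransmitted once.
SAMPLE_SEGMENTS = [
    (1034, b"word123\r\n\r\n"),
    (1000, b"GET /login HTTP/1.1\r\nX-Token: pass"),
    (1000, b"GET /login HTTP/1.1\r\nX-Token: pass"),   # retransmission
]


if __name__ == "__main__":
    print("per-segment hits:", search_per_segment(SAMPLE_SEGMENTS, b"password"))
    print("stream hits, gaps:", search_stream(SAMPLE_SEGMENTS, b"password"))
```

The per-segment search reports no hits; the stream search finds the keyword at byte offset 30 of the reconstructed request. If a segment had been lost to one of the capture-loss sources above, the gap list would say so, and an examiner can then state that the stream is incomplete rather than presenting the joined bytes as if they were contiguous.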
Ethereal: Search
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

NetIntercept: Search
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

NetDetector: Search (GUI)

NetIntercept: Image Extraction

Ethereal: Web Page
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

NetIntercept: Web Page
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

NetIntercept: Search/Recover
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
Analysis
Temporal viewsTimelinesHistograms/charts
Relational analysisThicker lines for higher trafficN-gram analysis
SilentRunner3-D visualization can be useful for analysisDevelop baseline of network activities for comparisonVisually represents anomalies and other noteworthy events
Analysis: NetIntercept
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition

Analysis: NetDetector (Snort)

NetDetector (Snort cont.)

Visualization & Data mining

Visualization techniques
- Clustering and other techniques for visually representing data to help examiners identify noteworthy patterns and items in large datasets
Data mining
- Finding patterns, associations, links
- Recognizing patterns of behavior
Reporting

Bookmarks
Default reports
- Inventory hosts, accounts, nicknames, files, etc.
- Top talkers
- Alerts
Figure from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation

Report Examples: Alerts
Comparison Summary

NetIntercept & NetDetector
- Best starting point for examination
- Useful for most common analysis needs
NFR Security
- Advanced evidence processing using N-Code, GUI Queries & Perl Query Add-on
SilentRunner
- 3-D visualization useful in some cases
DCS1000
- Good effort to filter during collection (e.g., pen register, RADIUS, DHCP)
Summary of Future Needs

Platform standards to minimize losses
- Published performance testing
- Consider security and stability
Read-only
- No network responses or queries during collection or examination
Integrity
- Not necessarily during collection; hashing each capture file as soon as it is closed is sufficient
- Validate security and data interpretation of tools
Documentation
- System status & performance (proper operation)
- Record primary sources of losses
- Audit trail of examiner actions
Future Needs (cont.)

Support tcpdump format import and export
- Collect using one tool, examine w/ another
Filtering capabilities during collection
- DHCP & RADIUS
- May be safer to use a specialized tool for protocol filtering & pen register needs
Filtering during examination
- Exclude known files (e.g., logo, safe content)
- Flag suspicious files (e.g., encrypted files or intellectual property/hacker tools, matched by MD5)
- Drill down on top hosts/protocols (e.g., ntop.org)
- More visualization of data to help filtering
Future Needs (cont.)

Protocol identification and decode
- Based on protocol content and behavior rather than variable characteristics such as port number
- Flag protocol violations, missing SEQ #s
- More decodes and step-by-step replay
Text search capabilities
- Keywords split between multiple packets
- Grep syntax
More file extraction capabilities
- KaZaA fragments from multiple sources
More analysis capabilities
- Behavior pattern recognition
- System profile violations
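Added example (editor's code, not from the slides) for the protocol-identification need above and for the earlier warning that filtering on protocol during collection is risky: a guess from the port number, which is all a BPF filter such as `port 80` can act on, set beside a guess from the first bytes of the conversation, with a report of flows that a port-only capture filter would have excluded or mislabelled. The signature set is deliberately small and the flows are constructed for the demonstration; a real identifier needs many more signatures and server-side checks.

```python
# Added example: content-based protocol identification versus port-based, and
# what a port-only capture filter would have missed. Signatures and sample
# flows are constructed for the demo, not a complete identifier.

PORT_MAP = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 6667: "irc"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def identify_by_port(sport, dport):
    """Port-based guess: the assumption behind a BPF filter like 'port 80'."""
    for port in (dport, sport):
        if port in PORT_MAP:
            return PORT_MAP[port]
    return "unknown"


def identify_by_content(payload):
    """Content-based guess from the first bytes one side sends."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    # TLS record header: content type 22 (handshake), version 3.0 - 3.4
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if payload.startswith((b"NICK ", b"PRIVMSG ")):
        return "irc"
    return "unknown"


def classify(flows):
    """For each (sport, dport, first_payload) give both guesses and whether a
    port-only view would have mislabelled the flow."""
    rows = []
    for sport, dport, payload in flows:
        by_port = identify_by_port(sport, dport)
        by_content = identify_by_content(payload)
        rows.append({
            "ports": (sport, dport),
            "by_port": by_port,
            "by_content": by_content,
            "mismatch": by_content != "unknown" and by_port != by_content,
        })
    return rows


def would_port_filter_miss(flows, protocol, port):
    """Flows that content analysis calls <protocol> but that a capture filter
    on <port> would not have collected at all."""
    return [(s, d) for s, d, p in flows
            if identify_by_content(p) == protocol and port not in (s, d)]


# Constructed sample flows: (client port, server port, first payload bytes).
SAMPLE_FLOWS = [
    (51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),       # HTTP where expected
    (51001, 8080, b"GET /admin HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),     # HTTP on a non-standard port
    (51002, 443, b"SSH-2.0-OpenSSH_7.9\r\n"),                            # SSH hidden on 443
    (51003, 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),       # TLS ClientHello
    (51004, 6667, b"NICK someone\r\n"),                                  # IRC where expected
]


if __name__ == "__main__":
    for row in classify(SAMPLE_FLOWS):
        print(row)
    print("HTTP flows a 'port 80' filter would drop:",
          would_port_filter_miss(SAMPLE_FLOWS, "http", 80))
```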