Visualise, uncover and investigate with network forensics

Johannesburg, 09 Jun 2004

Growing network complexity, accompanied by a rising number of computer crimes, is forcing both enterprises and law enforcement to undertake highly specialised investigations.

Although well established in the physical world, forensic analysis, the methodical investigation of a crime scene, presents difficulties in the virtual one. What is already hard for an investigator examining a single PC becomes far worse when the evidence is fragile digital data, spread across a network and arranged in obscure and complex ways.

Forensic analysis is rarely conclusive by itself, but a wide variety of network analysis, intrusion management and specialty products is making it easier and more practical to draw useful conclusions.

The biggest challenge is the sheer volume of data that networks generate, often gigabytes a day. It is nearly impossible to store all of it, let alone search it, and if an incident is discovered late, most of the relevant traffic will be long gone unless it was being captured and retained at the time.

The second challenge lies in the inherent anonymity of Internet protocols: each layer uses some form of addressing, such as MAC addresses, IP addresses and e-mail addresses, and all of these can be spoofed. An address on its own therefore identifies a host or a user only as strongly as the controls that stop it being forged, so an investigator should corroborate it against the other layers rather than trust any one of them.

And yet the Internet is critical: we have to connect our networks to the rest of the world to link customers, suppliers, partners and our own employees, and that connectivity comes at a price. Network predators regularly steal corporate assets and intellectual property, cause service breaks and system failures, and frighten customers away.

Network forensics and analysis tools (NFATs) are a new class of forensic solutions that enable companies to monitor their networks for anomalous traffic, perform forensic analysis and get a clear picture of their environment.

NFATs combine traffic analysis with the ability to reconstruct and view application-layer content, such as images, e-mail and documents, from the captured packets. They usually have a built-in sniffing capability and also support the analysis of data collected by other systems.

It is, however, important to remember that an NFAT is not an intrusion detection system (IDS), which is usually deployed at entry points on the network perimeter and raises alerts from signatures or rules. An NFAT is not signature- or rule-based: it passively monitors and records traffic so that it can later depict visually which resource was accessed, by whom, how and when.

This in turn provides a way to continuously monitor changes in network communication patterns, enabling effective and intelligent risk management.

Investigators can use an NFAT to search through application data, view it and, after finding something suspicious, drill down to the lower network layers and examine session and packet header information that can point to specific workstations and, through them, to specific employees.
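The workflow just described (passive recording, a who/what/how/when view per session, an application-layer search, and a drill-down back to the packet headers) together with the spoofing caveat from the addressing discussion above, as an added illustration that is not code from the article or from any CA product. The capture is a constructed list of packet records with hypothetical hosts and MAC addresses, and the only application protocol it understands is a plain HTTP request line; a real NFAT would read pcap data and decode many more protocols.

```python
"""Toy NFAT-style index: passive packet records -> sessions -> access rows
-> drill-down to headers, plus an IP/MAC consistency check.
Added illustration; all packets below are constructed, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time (epoch seconds)
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes


# Constructed sample capture (hypothetical hosts; not real traffic).
PACKETS = [
    Packet(1.0, "aa:00:00:00:00:01", "aa:00:00:00:00:80", "10.0.0.5", "10.0.0.80",
           "tcp", 40001, 80, b"GET /finance/payroll.xls HTTP/1.1\r\nHost: files\r\n\r\n"),
    Packet(1.1, "aa:00:00:00:00:80", "aa:00:00:00:00:01", "10.0.0.80", "10.0.0.5",
           "tcp", 80, 40001, b"HTTP/1.1 200 OK\r\n\r\n..."),
    Packet(2.0, "aa:00:00:00:00:02", "aa:00:00:00:00:80", "10.0.0.7", "10.0.0.80",
           "tcp", 40002, 80, b"GET /index.html HTTP/1.1\r\nHost: files\r\n\r\n"),
    Packet(2.1, "aa:00:00:00:00:80", "aa:00:00:00:00:02", "10.0.0.80", "10.0.0.7",
           "tcp", 80, 40002, b"HTTP/1.1 200 OK\r\n\r\n..."),
    # Same source IP as the first session but a different source MAC: the
    # address layers disagree, which is the spoofing caveat from the text.
    Packet(3.0, "aa:00:00:00:00:03", "aa:00:00:00:00:80", "10.0.0.5", "10.0.0.80",
           "tcp", 40003, 80, b"GET /finance/budget.xls HTTP/1.1\r\nHost: files\r\n\r\n"),
]


def session_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share a key."""
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    return (p.proto,) + (a + b if a <= b else b + a)


def build_sessions(packets):
    """Group packets into sessions, each kept in capture order."""
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        sessions[session_key(p)].append(p)
    return dict(sessions)


def http_resource(payload):
    """Return the request path for a plain HTTP request line, else None."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/") and parts[0].isalpha():
        return parts[1]
    return None


def access_records(sessions):
    """One 'who accessed what, how and when' row per session. The initiator is
    taken as the client because a passive recorder sees the opening packet."""
    rows = []
    for key, pkts in sessions.items():
        first = pkts[0]
        resource = None
        for p in pkts:
            resource = http_resource(p.payload)
            if resource:
                break
        rows.append({
            "session": key,
            "when": first.ts,
            "who_ip": first.src_ip,
            "who_mac": first.src_mac,
            "what": f"{first.dst_ip}:{first.dst_port}{resource or ''}",
            "how": f"{first.proto}/{first.dst_port}",
        })
    return sorted(rows, key=lambda r: r["when"])


def find_access(rows, needle):
    """Application-layer search: which sessions touched a resource matching needle."""
    return [r for r in rows if needle in r["what"]]


def drill_down(sessions, row):
    """From a suspicious row back to the packet headers that produced it."""
    return [(p.ts, p.src_mac, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            for p in sessions[row["session"]]]


def ip_mac_conflicts(packets):
    """Source IPs seen with more than one source MAC: one of the address layers
    was spoofed or the host moved, so attribution needs corroboration."""
    seen = defaultdict(set)
    for p in packets:
        seen[p.src_ip].add(p.src_mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    sessions = build_sessions(PACKETS)
    rows = access_records(sessions)
    for r in find_access(rows, "/finance/"):
        print(r["when"], r["who_ip"], r["who_mac"], "->", r["what"], "via", r["how"])
        for hdr in drill_down(sessions, r):
            print("   ", hdr)
    print("conflicting IP/MAC pairs:", ip_mac_conflicts(PACKETS))
```

Run stand-alone, the script lists the two sessions that fetched files under /finance/, both apparently from 10.0.0.5, and then reports that 10.0.0.5 was seen with two different MAC addresses, which is the point at which an investigator should stop treating the IP address as proof of which workstation was involved.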

Looking to the future, the unfortunate truth is that the number of attacks will only increase, which means network forensics will become an even larger part of our lives.

The good news is that NFATs and other analysis tools can strengthen our security, check compliance against policy and help hold to account those who attempt to disrupt our IT infrastructure.

CA

Computer Associates International, Inc (NYSE:CA), one of the world's largest software companies, delivers software and services that enable organisations to manage their IT environments. Focus areas include network and systems management, storage and security management, portal and business intelligence, and application lifecycle management. Founded in 1976, CA is headquartered in Islandia, New York, and operates in more than 100 countries. For more information on CA, please visit http://ca.com.

Editorial contacts

Danny Ilic
Computer Associates Africa
(011) 236 9111
Danny.ilic@ca.com