Network Forensics
From networkminer
NetworkMiner is a Network Forensic Analysis Tool (NFAT), which means that it is designed to perform network forensics.
The forensic tasks that can be performed with NetworkMiner are:
- See which network services are being used by the hosts on the network. This is useful for detecting, for example, backdoors or illicit servers (such as an FTP server running on a printer).
- See which outgoing connections are being made from the hosts on the network. Most servers, printers and network equipment are, for example, normally not expected to initiate outgoing network connections.
- Fingerprint which operating systems (OS) the computers on the network are running. This can be useful for gaining extra information about an attacker or rogue host.
- Extract and reassemble files sent across the network. This function is valuable for seeing whether confidential data is being sent out of the network, or whether malicious hacker tools are being downloaded to a potentially compromised host.
- Display reassembled images directly in the application. This makes it possible, for example, to quickly identify child pornography images being sent in or out of the network.
- Extract cleartext credentials (usernames and passwords) being used on the network. This feature is useful, for example, when monitoring the network traffic of a compromised host in order to learn more about the attacker.
- Search and alert when user-defined keywords (or "spook words") are being sent across the network. This can be used to monitor for keywords such as "confidential" or "classified" in order to ensure that documents containing these keywords are not being sent out of the network. Sometimes it is even more useful to look for more specific keywords, such as "sni256".
