Network Computingwww.networkcomputing.com

Network Forensic Tools

Posted by Marisa Mack
December 03, 2004

Tags: Forensic ToolKit, AccessData Corp., Email Examiner, Encase, Guidance Software, Paraben Corp, ProDiscover, Sleuth Kit, Tech-nology Pathways, chain of custody, dtSearch, dtSearch Corp, evidence, hash, incident investigation, intellectual property theft, le-gal team, network forensics, network penetration, Access and Physical Security, Cyberterrorism, Data Protection, Other, Security Policies and Management, Security and Privacy, Software, Software and Web Development, Threats and Attacks, information security

Channel: Other, Data Protection

• Stage 1: Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools.

• Stage 2: Primary analysis and drive-image acquisition. This stage usually entails obtaining the hard disk of a suspect machine and investigating it in a controlled (not live) environment. AccessData Forensic Toolkit, Encase Forensic Edition and the open-source Sleuth Kit fit this stage. Any one can be used as the primary investigative tool in environments that don't require a network-capable acquisition application. All these products can acquire a full sector-by-sector drive image of any hard disk under investigation; additional sleuthing functionality varies by application.

• Stage 3: Fine-grained keyword searches through disk or partition contents, e-mail-specific searches or Internet history analysis. Paraben's NetAnalysis, E-Mail Examiner and Net E-Mail Examiner, and dtSearch's dtSearch excel here. These tools operate on disk images created by any of the applications from Stages 1 or 2.

Vendors at a Glance Click to Enlarge

Related Reading

More data-protection Insights