Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Network Forensic Tools

Product Roll Call

Dig Deeper (on-site search queries)

Read On

• Stage 1: Network-capable initial analysis products for first responders, such as Guidance's EnCase Enterprise Edition and Technology Pathway's ProDiscover. These two products can acquire drive images remotely in a live environment, and their use eliminates the need for the Stage 2 tools.

• Stage 2: Primary analysis and drive-image acquisition. This stage usually entails obtaining the hard disk of a suspect machine and investigating it in a controlled (not live) environment. AccessData Forensic Toolkit, Encase Forensic Edition and the open-source Sleuth Kit fit this stage. Any one can be used as the primary investigative tool in environments that don't require a network-capable acquisition application. All these products can acquire a full sector-by-sector drive image of any hard disk under investigation; additional sleuthing functionality varies by application.

• Stage 3: Fine-grained keyword searches through disk or partition contents, e-mail-specific searches or Internet history analysis. Paraben's NetAnalysis, E-Mail Examiner and Net E-Mail Examiner, and dtSearch's dtSearch excel here. These tools operate on disk images created by any of the applications from Stages 1 or 2.

Vendors at a Glance

Click to Enlarge
  • 1