Barrier1 as a Network Forensics Tool

Fraudulent behavior has entered the Internet and whether this behavior stems from external sources or internal sources, the rules of “Burden of Proof” still hold true. Therefore, organizations will have to provide legal proof. Network Forensics Analysis (NFA) is such a tool.

NFA requires reconstructive traffic analysis. In order to do that, NFAnetwork forensics requires real-time monitoring and capturing. In any case the speed and amount of data requires automation.  There are basically two methods of network forensics; “catch-it-as- you- can” and “stop-look-listen”. The first captures and stores all packets that transient the network. This will require a very large storage capability and a speedy search mechanism.  The “stop-look-listen” method analyzes each packet and only stores key components.  Thus, the storage and speedy search mechanisms do not have to be as large or fast. 

Network forensics tools must perform three tasks. First, it must capture network traffic, second, it must analyze the traffic according to the user’s needs, and third it must use some form of discover tool to find useful and interesting components of the save traffic.

Traffic analysis will require the ability to detect and capture from normal traffic and including encrypted traffic all protocols.  Then correlate this traffic to all ports and protocols. Examples include the ability to automatically divert from a standard port to a non-standard port or if an attacker senses a traffic monitor it might take extra precautions and begin encrypting.  Next, you must be able capture payload information that might be found in other packets. Last, one must be able to correlate the individual connections but the correlation between each other. This gives one the ability to explore and understand data that was unintelligible at the packet-sniffer level.   Network forensics must capture this behavior and maintain its integrity. 

Network forensics can generate a tremendously large amount of data. The whole point of network forensics is to reduce a large amount of data down to useful information. Search must accommodate specific set and anomalous data sets.  Thus, search ability and visibility are key considerations regardless of traffic.