DIGITAL FORENSIC RESEARCH CONFERENCE
Forensic Network Analysis Tools: Strengths, Weaknesses, and Future Needs
By
Eoghan Casey
Presented At
The Digital Forensic Research Conference
DFRWS 2003 USA Cleveland, OH (Aug 6th - 8th)
DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development.
http://dfrws.org
Forensic Network Analysis Tools
Strengths, Weaknesses, and Future Needs
Eoghan Casey
- Author, Digital Evidence and Computer Crime
- Editor, Handbook of Computer Crime Investigation
- Technical Director, Knowledge Solutions
The Basics
- Hardware and configuration
- Read-only
- Security
- Integrity
  - Existing tools do not calculate MD5; do it yourself after collection
- Documenting losses
  - Existing tools do not log all losses
- Document system status & performance
- Logging examiner actions
  - Not currently; rely on the examiner's notes
Hardware
- CatOS Switched Port Analyzer (SPAN)
  - Only copies valid Ethernet packets
  - Not all error information duplicated
  - Low priority of SPAN may increase losses
- Physical tap
  - Copy signals without removing layers
  - May split Tx and Rx (reassembly required)
- Platform
  - Testing but no published data
  - < 200 Mb/sec => Linux
  - > 200 Mb/sec => FreeBSD
  - Kernel customization
HW (Vendor v Homemade)
- Commercial
  - More costly but uniform expertise
  - Vendor can testify about HW & OS config
  - Vendor responsible for problems
- Homemade
  - Less expensive but variable expertise
  - You can testify about HW & OS config
  - You are responsible for problems
Read Only
- No network response
  - Including ARP replies
- No network queries
  - Use internal DNS resolution
- No downloads from Internet
  - Don't insert content from the Web when reconstructing Web pages
Security
- Secure OS configuration
  - Patches
  - Do not overuse root/Administrator account
- Secure remote access
  - SSH
  - SSL
- Secure programming
  - Prevent buffer overflows
  - Prevent crashes (and resulting data loss)
Data Loss
NIC:
```
% /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
          inet addr:128.36.232.10  Bcast:128.36.232.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
          TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
          collisions:442837 txqueuelen:100
          Interrupt:23 Base address:0xec80
```
Kernel:
```
# tcpdump -X host 192.168.12.5
tcpdump: listening on xl0
.....[data displayed on screen]…
^C
29451 packets received by filter
4227 packets dropped by kernel
```
- Losses at the switch
  - show inter
- Bug or misrepresentation in application
Figure from Eoghan Casey's "Error, Uncertainty, and Loss" article in International Journal of Digital Evidence (Vol. 1, Iss. 2)
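The Basics slide says the examiner must hash the capture and record losses by hand because the tools do not; the Data Loss slide shows where the loss figures come from. The following is an added example (not from the talk) that parses constructed ifconfig and tcpdump output in the format shown above (counter values copied from the slide's figure) and combines them with the capture's MD5 into one record.

```python
import hashlib
import re

# Constructed sample output in the format shown on the Data Loss slide
# (counter values taken from the slide; not collected from a live host).
IFCONFIG_OUTPUT = """eth0      Link encap:Ethernet  HWaddr 00:B0:D0:F3:CB:B5
          inet addr:128.36.232.10  Bcast:128.36.232.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19877480 errors:0 dropped:0 overruns:128 frame:0
          TX packets:7327676 errors:0 dropped:0 overruns:0 carrier:1
          collisions:442837 txqueuelen:100
"""

TCPDUMP_SUMMARY = """29451 packets received by filter
4227 packets dropped by kernel
"""


def parse_ifconfig_rx(text):
    """Pull the RX counters (packets, errors, dropped, overruns, frame) out of
    ifconfig output. A missing RX line is an error, not a silent zero."""
    m = re.search(r"RX packets:(\d+) errors:(\d+) dropped:(\d+) overruns:(\d+) frame:(\d+)", text)
    if not m:
        raise ValueError("no RX counter line found in ifconfig output")
    keys = ("packets", "errors", "dropped", "overruns", "frame")
    return dict(zip(keys, map(int, m.groups())))


def parse_tcpdump_summary(text):
    """Extract the two counters tcpdump prints on exit."""
    received = re.search(r"(\d+) packets received by filter", text)
    dropped = re.search(r"(\d+) packets dropped by kernel", text)
    if not (received and dropped):
        raise ValueError("tcpdump exit summary not found")
    return {"received_by_filter": int(received.group(1)),
            "dropped_by_kernel": int(dropped.group(1))}


def md5_hex(data):
    """MD5 of in-memory capture bytes (the collection tool does not compute it)."""
    return hashlib.md5(data).hexdigest()


def md5_file(path, chunk_size=1 << 20):
    """MD5 of an on-disk capture file, read in chunks so large .dmp files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def loss_record(capture_bytes, ifconfig_text, tcpdump_text):
    """Build the integrity-and-loss record the slides say the examiner must keep by hand."""
    nic = parse_ifconfig_rx(ifconfig_text)
    kern = parse_tcpdump_summary(tcpdump_text)
    return {
        "md5": md5_hex(capture_bytes),
        "nic_rx": nic,
        "kernel": kern,
        # Any non-zero loss counter means the capture is incomplete and must be documented.
        "losses_detected": bool(nic["errors"] or nic["dropped"] or nic["overruns"]
                                or nic["frame"] or kern["dropped_by_kernel"]),
    }


if __name__ == "__main__":
    print(loss_record(b"constructed capture bytes", IFCONFIG_OUTPUT, TCPDUMP_SUMMARY))
```

On a real system the ifconfig and tcpdump text would be saved at collection time and md5_file run against the closed capture file; the record then goes into the examiner's notes next to the hash.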
Overview of Tools
- Tcpdump (www.tcpdump.org)
  - de facto standard file format (.dmp)
- Ethereal (www.ethereal.com)
- Review (www.net.ohio-state.edu/software/)
- IRIS (www.eye.com)
- InfiniStream (www.networkassociates.com)
- NetIntercept (www.sandstorm.net)
- NetDetector (www.niksun.com)
- NFR Security (www.nfrsecurity.com)
- NetWitness (www.forensicexplorers.com)
- SilentRunner (www.silentrunner.com)
- DCS1000 w/ CoolMiner/Packeteer (FBI)
Overview of Tool Features
- Tcpdump (multiple platforms, free)
  - Limited examination capabilities
- Ethereal (multiple platforms, free)
  - Basic examination capabilities
- IRIS (Windows, $)
  - Basic examination capabilities
- NetWitness (Windows, IIS, MSSQL, $)
  - Basic examination capabilities
  - Security concerns relating to IIS and MSSQL
- InfiniStream (Linux collector, Win console, $)
  - Tcpdump import but not export (.cap export)
  - Good examination capabilities (Sniffer-based)
Overview of Tool Features
- Review (Unix, free)
  - Good examination capabilities
- NetIntercept (FreeBSD, $)
  - Designed with evidentiary issues in mind
  - Excellent examination capabilities
    - Feature rich but still user-friendly
    - Decrypt SSH and SSL if keys are available
  - Basic analysis capabilities
- NetDetector (FreeBSD, $)
  - Excellent examination capabilities
  - Graphic analysis features (Xpert)
  - Integrated IDS capabilities (Snort)
Overview of Tool Features
- NFR Security ($)
  - Custom analysis using N-code
  - OpenBSD collector, Windows admin console, Solaris/Linux mgmt server & Oracle database
- SilentRunner (Windows, $)
  - Powerful visual & analysis capabilities
- DCS1000 (Windows, available to LE)
  - Unique filtering with law enforcement in mind (e.g., RADIUS, e-mail pen register)
  - Not clear how robust (complexity of RADIUS and capturing content in e-mail header)
Examples
Key points
- Collection: capture all content versus filtering
- Documentation: poor across the board
- Examination: recover, classify, decode, reduce, search
- Analysis: individualize, evaluate source, advanced recovery, reconstruct, visualize, present
Collection
- Tcpdump
  - 68 byte default snap length
- Ethereal
  - 65535 bytes default snap length
- Others
  - 68 < snap length < 65535 bytes
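A capture taken with a short snap length keeps only the first N bytes of each frame, and a tool reading the file later has no content beyond that. As an added example (not from the talk), the following reads the libpcap global header and each record header to report the snap length and how many packets were truncated; the sample capture is constructed in memory.

```python
import struct

# libpcap magic numbers and the struct byte-order prefix each implies
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian file, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian file
}


def build_pcap(snaplen, packets, endian="<"):
    """Construct a minimal libpcap file in memory (sample input for the check below).
    `packets` is a list of (captured_bytes, original_wire_length)."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    # version 2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    header = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, 1)
    body = b""
    for i, (data, orig_len) in enumerate(packets):
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)
        body += struct.pack(endian + "IIII", 1000 + i, 0, len(data), orig_len) + data
    return header + body


def truncation_report(pcap_bytes):
    """Walk the file and count packets whose saved length is shorter than their
    wire length, i.e. content lost to the snap length at collection time."""
    endian = PCAP_MAGIC.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic)")
    _vmaj, _vmin, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", pcap_bytes[4:24])
    offset, total, truncated, lost = 24, 0, 0, 0
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(pcap_bytes):
            # File ends inside a record: a different kind of loss, reported separately.
            raise ValueError("capture file cut short at record %d" % (total + 1))
        offset += incl_len
        total += 1
        if incl_len < orig_len:
            truncated += 1
            lost += orig_len - incl_len
    return {"snaplen": snaplen, "packets": total,
            "truncated": truncated, "payload_bytes_lost": lost}


if __name__ == "__main__":
    # Constructed 68-byte capture: one small frame, one full-size frame, one exactly 68 bytes.
    sample = build_pcap(68, [(b"A" * 60, 60), (b"B" * 68, 1514), (b"C" * 68, 68)])
    print(truncation_report(sample))
```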
NetDetector: Audit Log
External MD5 Calculations
Filtering During Collection
- BPF/Ethereal filtering syntax
  - IP address, port, etc.
- MAC address
- Custom NFR Security filters (using N-code)
- DCS1000
  - RADIUS
  - DHCP
- Filtering on protocol is risky
  - Pen register for e-mail (DCS1000)
  - If necessary, be very careful
  - Ideally use a specialized tool for this purpose
Examination: Protocol Decode
- Tcpdump has limited decode capabilities
- Ethereal
  - More decodes but assumes default behavior
  - "Decode As" feature
- InfiniStream/Sniffer
  - Several decodes including some VoIP
- NetDetector
  - Understands protocols including some VoIP
- NetIntercept
  - Understands protocols including some VoIP
  - More powerful stream reconstruction
  - Flags anomalies (like file sig mismatch)
  - Flags missing SEQ #'s in TCP session
Review: X Session Decode
- Review Telnet and X Replay
[Figure panels: Server, Client]
Figures from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation
Review: X Session Replay
- Step-by-step session replay
- Pauses before redrawing screen
Figure from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation
Examination: Data Reduction
- GUI versus command syntax
  - Review: session summary & browsing
  - NetIntercept: Forensics tab
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
Examination: Data Reduction
- SilentRunner: 3-D Visualization
- NFR Security: Query interface
Figures from Karen Frederick's "NFS Security" chapter in Handbook of Computer Crime Investigation
Examination: Visualization
- Traffic charts
- Top Talkers
- Top Pairs
Examination: Visualization
- SilentRunner
  - 3-D display of traffic helps focus on interesting activities
- General purpose visualization tools
  - Clustering and other techniques for visually representing data to help examiners identify useful items in large datasets
Search and Recovery
- Ethereal
  - Misses keyword split between two packets
  - Export Web page & view in browser (bad)
  - File extraction requires expertise & tools
- NetIntercept
  - Performs search on reconstructed data
  - Sandbox for viewing Web pages
  - Does not execute code in Web pages
  - Automated file extraction
- NetDetector
  - GUI & regular expression on command line
  - Sandbox for viewing Web pages
- NFR Security database query customization
- SilentRunner N-gram Analysis
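The Protocol Decode slide credits NetIntercept with stream reconstruction and flagging missing SEQ numbers, and the Search and Recovery slide notes that a per-packet search misses a keyword split across two packets. This added example (not from the talk or any of the tools named) shows both on constructed TCP segments: a per-packet search that misses, a search over the reassembled stream that hits, and a gap report for sequence numbers never captured.

```python
# Constructed TCP segments as (relative sequence number, payload), delivered out of order.
# The keyword "confidential" is split across the segments starting at 0 and 14,
# and bytes 39..59 were never captured (a gap a reconstruction tool should flag).
SEGMENTS = [
    (14, b"dential report attached\r\n"),
    (0,  b"Subject: confi"),
    (60, b"-- end of message --"),
]
KEYWORD = b"confidential"


def per_packet_search(segments, keyword):
    """What a packet-at-a-time tool does: look inside each payload on its own.
    Returns the sequence numbers of segments that contain the keyword."""
    return [seq for seq, payload in segments if keyword in payload]


def reassemble(segments):
    """Order segments by sequence number and concatenate them into one stream.
    Returns (stream_bytes, gaps); gaps is a list of (expected_seq, actual_seq).
    Missing ranges are filled with NUL bytes so later offsets stay correct, and
    overlapping retransmissions keep the first copy of each byte."""
    stream = bytearray()
    gaps = []
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is None:
            expected = seq
        if seq > expected:
            gaps.append((expected, seq))                # missing SEQ numbers: record, don't hide
            stream.extend(b"\x00" * (seq - expected))   # placeholder for the uncaptured bytes
            expected = seq
        overlap = expected - seq                        # > 0 only for a retransmitted segment
        if overlap < len(payload):
            stream.extend(payload[overlap:])
            expected = seq + len(payload)
    return bytes(stream), gaps


def stream_search(segments, keyword):
    """Search the reconstructed stream; returns the byte offset of every hit."""
    stream, _gaps = reassemble(segments)
    hits, pos = [], stream.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = stream.find(keyword, pos + 1)
    return hits


if __name__ == "__main__":
    stream, gaps = reassemble(SEGMENTS)
    print("per-packet hits:", per_packet_search(SEGMENTS, KEYWORD))
    print("stream hits:", stream_search(SEGMENTS, KEYWORD))
    print("gaps (expected, found):", gaps)
```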
Ethereal: Search
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
NetIntercept: Search
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
NetDetector: Search (GUI)
NetIntercept: Image Extraction
Ethereal: Web Page
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
NetIntercept: Web Page
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
NetIntercept: Search/Recover
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
Analysis
- Temporal views
  - Timelines
  - Histograms/charts
- Relational analysis
  - Thicker lines for higher traffic
  - N-gram analysis
- SilentRunner
  - 3-D visualization can be useful for analysis
  - Develop baseline of network activities for comparison
  - Visually represents anomalies and other noteworthy events
Analysis: NetIntercept
Figure from Eoghan Casey's "Digital Evidence and Computer Crime", 2nd edition
Analysis: NetDetector (Snort)
NetDetector (Snort cont.)
Visualization & Data mining
- Visualization techniques
  - Clustering and other techniques for visually representing data to help examiners identify noteworthy patterns and items in large datasets
- Data mining
  - Finding patterns, associations, links
  - Recognizing patterns of behavior
Reporting
- Bookmarks
- Default reports
  - Inventory hosts, accounts, nicknames, files, etc.
  - Top talkers
  - Alerts
Figure from Steve Romig's "Incident Response Tools" chapter in Handbook of Computer Crime Investigation
Report Examples: Alerts
Comparison Summary
- NetIntercept & NetDetector
  - Best starting point for examination
  - Useful for most common analysis needs
- NFR Security
  - Advanced evidence processing using N-Code, GUI Queries & Perl Query Add-on
- SilentRunner
  - 3-D visualization useful in some cases
- DCS1000
  - Good effort to filter during collection (e.g., pen register, RADIUS, DHCP)
Summary of Future Needs
- Platform standards to minimize losses
  - Published performance testing
  - Consider security and stability
- Read-only
  - No network responses or queries during collection or examination
- Integrity
  - Not necessarily during collection (after)
- Validate security and data interpretation of tools
- Documentation
  - System status & performance (proper operation)
  - Record primary sources of losses
  - Audit trail of examiner actions
Future Needs (cont.)
- Support tcpdump format import and export
  - Collect using one tool, examine w/ other
- Filtering capabilities during collection
  - DHCP & RADIUS
  - May be safer to use a specialized tool for protocol filtering & pen register needs
- Filtering during examination
  - Exclude known files (e.g., logo, safe content)
  - Flag suspicious files (e.g., encrypted files or intellectual property/hacker tools using MD5)
  - Drill down on top host/protocols (e.g., ntop.org)
  - More visualization of data to help filtering
Future Needs (cont.)
- Protocol identification and decode
  - Based on protocol v. variables chars
  - Flag protocol violations, missing SEQ #s
  - More decodes and step-by-step replay
- Text search capabilities
  - Keywords split between multiple packets
  - Grep syntax
- More file extraction capabilities
  - KaZaA fragments from multiple sources
- More analysis capabilities
  - Behavior pattern recognition
  - System profile violations