Techniques in digital forensics for the proper collection, analysis, identification and presentation of credible digital evidence have long been hampered by the daunting volume of information and the many forms the data can take. In addition, while digital evidence can reside in many places, the first locations that come to mind are usually static ones: PC hard drives, servers, tape backups and the like.
In today’s world, any digital forensics effort must establish the correlation between the digital document that indicates wrongdoing and the electronic evidence that demonstrates the intent behind the user’s actions. To meet this requirement, investigators, IT security and law enforcement professionals have turned to a network forensics approach that focuses on data in motion, flowing through the network.
The strategy is simple: capture and analyze the functional requests and content flowing through the network in order to determine the who, what, where, when and how of a given situation. At first glance the solution also seems simple: examine logs, run tcpdump, and/or use a network sniffer such as Wireshark (formerly known as Ethereal) to capture packets. Regrettably, this course of action is neither scalable nor efficient: the analysis effort, the content recreation, and the vast storage that full packet capture requires often make the method simply impracticable.
Chronicle Solutions has created a network forensics content recorder that can easily and intelligently capture, replay and analyze network content in its original format. While this is an extremely easy-to-use and easy-to-learn solution, it is also a powerful cyber-forensic tool that assists investigators in efficiently finding and delivering credible evidence.
Whether the investigation calls for the mobility and quick deployment provided by Chronicle’s netReplay® 2500 PORTABLE or the permanent, proactive, longer-term benefits found in netReplay® rack-mounted recorders, investigative professionals will be armed with the most effective digital forensic tool available.
Because of netReplay’s out-of-the-box capabilities, it can begin collecting data immediately: just plug it in. netReplay® quickly and efficiently captures all the data necessary for formal record retention and digital evidence collection. Equally valuable, netReplay® speeds investigators to the "document decisioning" phase of their investigation.
netReplay® has been described as a "one of a kind, network content DVR (Digital Video Recorder) that eliminates the digital equivalent of commercials." netReplay’s intelligent deep-packet inspection and content capture avoid recording duplicate data and network content "noise", saving considerable investigative time and money.
While netReplay® can reassemble data that has already been collected in full packet captures made with tools such as Wireshark (Ethereal) or tcpdump, IT security and investigative staff can move from a reactive "capture everything" mode to a far more effective proactive "collect, monitor, research and analyze" approach by using netReplay® from the outset on live network connections.
netReplay® increases the credibility of results by replaying exactly what content the user saw and how and when it was handled, thereby providing proof of both the content and the user’s related actions. In addition, Chronicle’s Forensic Information Fingerprinting Engine (FIFE™) provides evidence of user activity that is both forensically accurate and credible.
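The three ideas the preceding paragraphs describe in product terms (reassembling content out of a packet capture, discarding duplicate data, and fingerprinting what was kept) can be shown with a small amount of code. The following is an added illustration written for this page; it is not Chronicle’s code and does not claim to reproduce how netReplay® or FIFE™ actually work. The TCP segments are constructed inline (flow tuple, sequence number, payload) in the order a sniffer would have seen them, with a retransmission and a missing segment included on purpose, and SHA-256 stands in as the content fingerprint.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample segments, not a real capture: (flow, seq, payload) in arrival
# order. A flow is (src_ip, src_port, dst_ip, dst_port). Flow A carries one
# retransmitted segment, flow B repeats A's content, flow C is missing 27 bytes.
FLOW_A = ("10.0.0.5", 40001, "203.0.113.10", 80)
FLOW_B = ("10.0.0.7", 40002, "203.0.113.10", 80)
FLOW_C = ("10.0.0.9", 40003, "203.0.113.10", 80)
SAMPLE_SEGMENTS = [
    (FLOW_A, 1000, b"GET /reports/q3.pdf HTTP/1.1\r\n"),   # 30 bytes
    (FLOW_A, 1030, b"Host: files.example\r\n\r\n"),         # 23 bytes
    (FLOW_B, 5000, b"GET /reports/q3.pdf HTTP/1.1\r\n"),
    (FLOW_A, 1000, b"GET /reports/q3.pdf HTTP/1.1\r\n"),   # retransmission of A's first segment
    (FLOW_B, 5030, b"Host: files.example\r\n\r\n"),
    (FLOW_C, 7000, b"POST /upload HTTP/1.1\r\n"),          # 23 bytes, next expected seq 7023
    (FLOW_C, 7050, b"filename=q3.pdf\r\n"),                # seq 7023..7049 was never captured
]


@dataclass
class Stream:
    data: bytes = b""
    complete: bool = True   # False once a sequence gap has been seen
    gaps: int = 0


def reassemble(segments):
    """Rebuild each flow's byte stream from (flow, seq, payload) tuples.

    Handles out-of-order arrival, exact retransmissions and partial overlaps.
    A hole (missing segment) is skipped rather than guessed at, and the stream
    is flagged incomplete so it is never presented as a full record."""
    by_flow = defaultdict(list)
    for flow, seq, payload in segments:
        by_flow[flow].append((seq, payload))
    streams = {}
    for flow, segs in by_flow.items():
        segs.sort(key=lambda s: s[0])
        stream = Stream()
        expected = segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if end <= expected:
                continue                     # retransmission, nothing new
            if seq > expected:
                stream.complete = False      # data lost between expected and seq
                stream.gaps += 1
                expected = seq
            stream.data += payload[expected - seq:]   # drop the overlapping prefix
            expected = end
        streams[flow] = stream
    return streams


def fingerprint(data: bytes) -> str:
    """Content fingerprint (SHA-256 assumed here; the page does not say what FIFE uses)."""
    return hashlib.sha256(data).hexdigest()


def dedupe(streams):
    """Keep one record per distinct content, listing every flow it was seen on.

    Incomplete streams are keyed by flow as well so that a stream with a hole is
    never merged with, or mistaken for, a complete copy of the same content."""
    records = {}
    for flow, stream in streams.items():
        fp = fingerprint(stream.data)
        key = fp if stream.complete else (fp, flow)
        rec = records.setdefault(key, {"fingerprint": fp, "complete": stream.complete,
                                       "bytes": len(stream.data), "flows": []})
        rec["flows"].append(flow)
    return list(records.values())


def storage_summary(segments, records):
    """(payload bytes captured on the wire, bytes actually retained after dedup)."""
    captured = sum(len(p) for _, _, p in segments)
    stored = sum(r["bytes"] for r in records)
    return captured, stored


if __name__ == "__main__":
    recs = dedupe(reassemble(SAMPLE_SEGMENTS))
    for r in recs:
        print(r["fingerprint"][:16], "complete" if r["complete"] else "PARTIAL", r["flows"])
    print("captured/stored bytes:", storage_summary(SAMPLE_SEGMENTS, recs))
```

The retransmitted segment and the second flow carrying identical content are the "commercials" of the paragraph above: they cost capture bandwidth but add no evidence, so only one copy is retained while the list of flows still records who else transferred it. The gap in flow C is the caveat a practitioner should keep in mind when reassembling from an existing pcap: if the capture dropped packets, the recorder can only mark the stream partial, not recover what was never captured.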
netReplay® increases the effectiveness of a digital forensics effort by providing a high level of precision in the information it collects and analyzes, and by correlating all the events leading up to a suspected misdeed. It does so while complying with legal requirements such as privacy, employee rights and statutory limitations.
netReplay® is an easy-to-learn and easy-to-use digital forensic solution that provides immediate benefits. It increases the efficiency of a network forensics team because more investigators can be trained to use the tool.
netReplay® greatly improves productivity by reducing the time and complexity of data and event log analysis. In essence, netReplay® gives investigators the means to find the proverbial "needle in a haystack" in hours rather than weeks or even months.