Chronicle Solutions

About Packet Capture & tcpdump

A BASIC STEP:
PACKET CAPTURE, WINPCAP AND TCPDUMP

Although there are multiple ways to view network traffic and perform real-time monitoring, live monitoring often proves impractical because of human and hardware resource constraints.  Overall, it is more practical to archive the traffic and its content and then analyze it as needed.

This process of data collection and packet level inspection provides a starting point for analysis. However, this method alone often takes a considerable amount of time and requires highly-skilled technical staff to sort, reassemble, inspect, and analyze volumes of data - significantly impacting delivery time and resources.  To accomplish this capture task, there are several software programs available such as Winpcap and tcpdump.

WinPcap is a Windows Application Programming Interface (API) for packet capture.  The equivalent library for Unix-like systems is libpcap.  WinPcap may be used by a program to capture packets traveling over a network.  More specifically, it allows applications to capture and transmit network packets while bypassing the operating system's protocol stack.  WinPcap is often used as the packet capture and filtering engine of many open source and commercial network tools, including protocol analyzers, network monitors, Intrusion Detection Systems (IDS), and packet sniffers.

Similarly, tcpdump allows the user to collect and view TCP/IP and other packets being transmitted or received over a network to which the computer is attached.  Although tcpdump can be used to debug applications that leverage the network for communications, its most common use is for network and content packet capture for analysis and investigations.
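The "archive first, analyze later" workflow described above produces files in the libpcap format that tcpdump and WinPcap-based tools write. The following added example (not code from Chronicle Solutions or from the tcpdump project) shows what the analysis side of that workflow involves: it parses the pcap global header and packet records in either byte order, decodes Ethernet/IPv4/TCP headers, groups packets into flows, and flags two conditions an investigator must check before trusting a capture: records cut short by the snapshot length, and a file whose final record is incomplete because the capturing process was stopped uncleanly. The sample capture is constructed in the script itself (addresses, ports and payloads are made-up values), so it runs offline.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_USEC = 0xA1B2C3D4   # standard libpcap magic, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-resolution variant
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
LINKTYPE_ETHERNET = 1


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left at zero; this is synthetic data, not real traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames, snaplen=96, endian="<"):
    """Wrap (ts_sec, ts_usec, frame) tuples in libpcap file format, truncating
    each record to snaplen the way a capture tool's snapshot length would."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP headers. Payload length comes from the IP
    total length (what was on the wire), not from the bytes actually captured."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {}
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    info = {"src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "proto": frame[23]}
    if info["proto"] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return info
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    info.update({"sport": sport, "dport": dport, "flags": tcp[13],
                 "payload_len": ip_total - ihl - data_off})
    return info


def parse_pcap(data):
    """Return (packets, unclean_shutdown). Handles both byte orders and stops
    gracefully at a final record that was cut short mid-write."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # same magics seen through the wrong byte order
        endian = ">"
    else:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    divisor = 1e9 if magic in (PCAP_MAGIC_NSEC, 0x4D3CB2A1) else 1e6
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    packets, cut_short, off = [], False, 24
    while off < len(data):
        if off + 16 > len(data):
            cut_short = True
            break
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            cut_short = True
            break
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = {"ts": ts_sec + ts_frac / divisor, "captured": incl_len, "wire": orig_len,
               "truncated": incl_len < orig_len}
        pkt.update(decode_frame(frame))
        packets.append(pkt)
    return packets, cut_short


def summarize_flows(packets):
    """Aggregate TCP packets into unidirectional flows keyed by 4-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "payload_bytes": 0, "truncated": 0})
    for p in packets:
        if "sport" not in p:
            continue
        f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
        f["packets"] += 1
        f["payload_bytes"] += p["payload_len"]
        f["truncated"] += int(p["truncated"])
    return dict(flows)


def analyze(data):
    packets, cut_short = parse_pcap(data)
    duration = packets[-1]["ts"] - packets[0]["ts"] if packets else 0.0
    return {"packets": len(packets), "flows": summarize_flows(packets),
            "duration_s": duration, "unclean_shutdown": cut_short}


# Constructed sample: one HTTP request/response over TCP (fictional addresses).
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_FRAMES = [
    (1700000000, 0,   build_tcp_packet("10.0.0.5", "203.0.113.9", 51000, 80, SYN)),
    (1700000000, 500, build_tcp_packet("203.0.113.9", "10.0.0.5", 80, 51000, SYN | ACK)),
    (1700000000, 900, build_tcp_packet("10.0.0.5", "203.0.113.9", 51000, 80, PSH | ACK,
                                       b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1700000001, 0,   build_tcp_packet("203.0.113.9", "10.0.0.5", 80, 51000, PSH | ACK,
                                       b"HTTP/1.1 200 OK\r\n" + b"X" * 200)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=96)

if __name__ == "__main__":
    result = analyze(SAMPLE_PCAP)
    print("packets:", result["packets"], "duration:", result["duration_s"], "s",
          "unclean shutdown:", result["unclean_shutdown"])
    for key, f in result["flows"].items():
        print("%s:%d -> %s:%d" % key, f)
```

The snapshot length of 96 bytes is deliberately small so that both data-carrying packets are recorded as truncated; an investigator relying on this capture for the content of the HTTP exchange would see only the first few dozen payload bytes, which is exactly the kind of gap that has to be known before any conclusion is drawn from a tcpdump archive.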

Tcpdump is useful when the item being researched or investigated is known to exist on the network.  Regrettably, it has limited functionality, such as its inability to address many disk management situations and, if left unattended, it could crash the system it resides on.

The bottom line is that packet capture solutions like WinPcap and tcpdump have limitations and are, at best, a basic first step.  Clearly, a way to effectively capture, index, and replay suspect content is critical to both monitoring and investigative efforts.


SOLUTION:
EXPANDING PACKET CAPTURE / TCPDUMP CAPABILITIES

Chronicle Solutions has created a network forensics solution that is able to easily and intelligently capture, replay and analyze packet capture sessions in native content format.  While this is an extremely easy-to-use and easy-to-learn solution, it is also a powerful tool that helps investigators efficiently research, discover and deliver credible evidence.

Whether the investigation calls for the mobile deployment provided by Chronicle’s netReplay® 2500 PORTABLE or the permanent, proactive, longer term benefits found in netReplay® rack-mounted recorders, investigative professionals will be armed with the most effective digital forensic tool available.

Proactive Instead of Reactive

While netReplay® has the ability to reassemble data that has already been collected in full packet capture sessions such as Wireshark (Ethereal) or tcpdump, IT security and investigative staff can quickly move from a reactive "capture everything" mode to a much more effective proactive "collect, monitor, research and analyze" approach by using netReplay® from the onset (on live network connections).

Credible Results - Seeing is Believing

netReplay® will increase the credibility of results by replaying exactly what content a user saw, when, and how it was handled, thereby providing proof of both the user's content and the related actions.  In addition, Chronicle's Forensic Information Fingerprinting Engine (FIFE™) provides evidence of user activity that is both forensically accurate and credible.

Easy-to-Use = More Efficient

netReplay® is an easy-to-learn and easy-to-use digital forensic tool that provides immediate benefits.  netReplay® will increase the efficiency of a network forensics team by allowing more investigators to be trained to use the tool.

Immediate Benefit

Because of netReplay’s out-of-the-box capabilities, it can begin to immediately collect data - just plug it in.  netReplay® quickly and efficiently captures all data necessary for formal records retention and digital evidence collection.  Equally important, netReplay® helps speed investigators quickly to the "document decision-ing" phase of their investigation.

Quick & Efficient Network Content DVR

netReplay® has been described as a "one of a kind, network content DVR (Digital Video Recorder) that eliminates the digital equivalent of commercials."  netReplay’s intelligent deep-packet inspection and content capture effectively cuts out the recording of duplicate data and network content "noise", thereby saving considerable investigative time and money.

Increase Effectiveness

netReplay® will increase the effectiveness of a digital forensics effort by providing a high level of precision on the data that is collected and analyzed as well as correlating all events that lead to any suspected misdeed.  This is accomplished while also complying with any legal requirements, such as privacy and employee rights and statutory limitations.

More Productivity

netReplay® will greatly improve productivity by reducing the time and complexity of data and event log analysis.  Essentially, with netReplay®, investigators now have the means to find the proverbial "needle in a haystack" in hours versus weeks or even months.