
A brief look into Wireshark alternatives

When it comes to network forensics, Wireshark is the go-to tool for both large and small investigations. Although Wireshark is a regularly updated standard in PCAP analysis, it is important to know alternative options for PCAP analysis. The brief tool discussion below assumes you are not in an environment that has access to commercial/paid enterprise tools.

Grass Marlin
Grass Marlin was initially developed by a member of the NSA to “Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments.” The software provides real-time mapping of a network, with visualization as its priority. It does the usual session and IP mapping of hosts, but its primary purpose is to show, and potentially identify, out-of-bounds connections to a system. One thing I like about this software is that it can load and build from multiple PCAPs at once: even if you have only portions of a capture, or captures from different time windows, it will build a picture from whatever it has. The software is available on GitHub.
CapAnalysis
I like the alternative and native geolocation capabilities of this software. It is currently Linux only, which limits its availability, but it is open source and very well done. It has all the usual analytical features and is updated often by the community.
Xplico
I like this tool because it has multi-user capabilities. If several analysts need to work on the same PCAPs at once, this tool can support that.
Crowd Inspect
Any free tool by CrowdStrike is worth a look. This tool can be installed on any exposed machine (or on a normal machine for enhanced security), and it will monitor for open source vulnerability signatures via packet total. It is useful when you are trying to figure out which machine is leaking information and do not have direct access to each node.
NetworkMiner
NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows that also works on Linux, Mac OS X and FreeBSD. It can be used as a passive network sniffer/packet capturing tool to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. It can also parse PCAP files for offline analysis and regenerate/reassemble transmitted files and certificates from them. NetworkMiner makes advanced network traffic analysis easier by presenting the extracted artifacts in an intuitive user interface; the presentation not only simplifies the analysis but also saves the analyst or forensic investigator valuable time. It is a particularly useful tool because it covers both packet capturing and network sniffing, which can help a company identify and rid itself of network intrusions.
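Both the Grass Marlin and NetworkMiner sections above come down to the same underlying job: read one or more PCAP files, map which hosts talk to which, note which services are in use, and flag conversations that should not exist. The following is an added example written for this page, not code from either project, showing that job on the classic PCAP format with plain Python. It handles Ethernet/IPv4 with TCP or UDP, merges several partial captures the way Grass Marlin does, and tolerates a truncated file. The addresses, port numbers and the allow-list of expected conversations are constructed sample data, not anything from a real network.

```python
"""Minimal PCAP host/session mapper (added example; standard library only)."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def parse_frames(data: bytes):
    """Yield (ts_sec, frame_bytes) from a classic (non-pcapng) PCAP byte string.
    A capture cut off mid-packet yields the complete packets before the cut."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (usec / nsec variant)
        e = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24                                   # size of the global header
    while off + 16 <= len(data):               # 16-byte per-packet header
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                              # truncated capture: keep what we have
        off += incl_len
        yield ts_sec, frame


def decode(frame: bytes):
    """Return (src_ip, dst_ip, proto, sport, dport, tcp_flags) or None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    proto = frame[14 + 9]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 14:   # TCP: ports + flags byte at offset 13
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, "tcp", sport, dport, frame[l4 + 13]
    if proto == 17 and len(frame) >= l4 + 8:   # UDP: ports only
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, dst, "udp", sport, dport, 0
    return src, dst, f"ip{proto}", None, None, 0


def build_map(pcaps):
    """Merge any number of PCAP byte strings into hosts, conversations and services."""
    hosts, conversations, services = set(), Counter(), Counter()
    for data in pcaps:
        for _ts, frame in parse_frames(data):
            d = decode(frame)
            if d is None:
                continue
            src, dst, proto, _sport, dport, flags = d
            hosts.update((src, dst))
            conversations[tuple(sorted((src, dst)))] += 1   # unordered host pair
            if proto == "tcp" and flags == 0x02:             # bare SYN: dst is the server
                services[(dst, proto, dport)] += 1
            elif proto == "udp" and dport is not None and dport < 1024:
                services[(dst, proto, dport)] += 1
    return hosts, conversations, services


def out_of_bounds(conversations, allowed_pairs):
    """Conversations not in the expected host-pair allow-list (the Grass Marlin idea)."""
    allowed = {tuple(sorted(p)) for p in allowed_pairs}
    return sorted(pair for pair in conversations if pair not in allowed)


# --- constructed sample captures (test data, not a real network) ---------------
def _ipv4(src, dst, proto, payload):
    pack_ip = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      pack_ip(src), pack_ip(dst))
    return hdr + payload

def _tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def _udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(pkt):
    return bytes(range(6)) + bytes(range(6, 12)) + struct.pack("!H", ETHERTYPE_IPV4) + pkt

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def sample_captures():
    """Two partial captures of a constructed ICS-style network."""
    hmi, plc, eng, dns = "10.0.1.20", "10.0.1.10", "10.0.2.5", "10.0.2.1"
    cap_a = build_pcap([
        _frame(_ipv4(hmi, plc, 6, _tcp(49152, 502, 0x02))),   # HMI opens Modbus/TCP to PLC
        _frame(_ipv4(plc, hmi, 6, _tcp(502, 49152, 0x12))),   # SYN/ACK
        _frame(_ipv4(hmi, plc, 6, _tcp(49152, 502, 0x10))),   # ACK
    ])
    cap_b = build_pcap([
        _frame(_ipv4(eng, dns, 17, _udp(53001, 53, b"\x00" * 12))),  # DNS query
        _frame(_ipv4(eng, plc, 6, _tcp(40000, 502, 0x02))),   # engineering box -> PLC: unexpected
    ])
    return cap_a, cap_b


if __name__ == "__main__":
    hosts, convs, svcs = build_map(sample_captures())
    print("hosts:", sorted(hosts))
    for (a, b), n in convs.most_common():
        print(f"{a} <-> {b}: {n} packets")
    for (ip, proto, port), n in svcs.items():
        print(f"service {proto}/{port} on {ip}: {n} connection(s)")
    print("out of bounds:", out_of_bounds(convs, [("10.0.1.20", "10.0.1.10"),
                                                  ("10.0.2.5", "10.0.2.1")]))
```

Two design points carry over to the real tools: conversations are keyed on the unordered host pair, so the map does not split one session into two lines depending on who sent the first packet, and a service is recorded from the bare SYN rather than from every packet, so the server side of a connection is identified correctly even when the capture started late. Swapping in a real capture is a matter of `build_map([open("a.pcap", "rb").read(), open("b.pcap", "rb").read()])`; pcapng files would need a different reader.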
NMAP
Network Mapper, or Nmap for short, is a tool that can perform a variety of functions. It comes pre-installed on many forensic and network security workstations, such as Kali Linux and DEFT, and it is compatible with all the major operating systems. It is well regarded within the information security community as a powerful tool, and it has the added benefit of being open source. Its useful functions include host identification/discovery on local and remote networks, open port scanning on specified hosts, stealthy port scanning to reduce the likelihood of being blocked by an intrusion detection system (IDS), and penetration testing to discover vulnerabilities in a network. Given its broad application, universal OS compatibility, strong community reputation and free-to-use nature, I would strongly recommend that every forensic professional be trained in the use of Nmap and be ready to use it in network incident response scenarios.
Wifi Testing Tools
There are many open source wifi penetration testing tools, such as Burp Suite, BeEF and OWASP ZAP. I cannot single out one tool to recommend, but the point is that a responder should be able to “backtest” the Wi-Fi. This might help an investigation and point to the “how” and “why”.
There are many tools that a network forensic analyst should have on hand after an incident. Knowing how to use these tools is key, and the skill to interpret their output is what every analyst really needs to have on hand.
