Full Packet Capture – a step further in computer forensics
Having added to our portfolio a solution dedicated strictly to computer forensics and to extracting evidence from network traffic, we want to give you a little insight into our motivation. Full Packet Capture (FPC) is the most accurate and complete representation of network activity that can be collected: every byte of every frame, with its timestamp. Its usefulness is even greater when you consider how many other data types can be derived from it after the fact, such as flow records, DNS and HTTP logs, TLS metadata and transferred files, whereas none of those can be turned back into the packets they came from.
Let’s recall what network traffic packet monitoring is most commonly used for:
- Identifying security threats.
- Troubleshooting undesirable network behavior.
- Identification of network congestion.
- Identification of data/packet loss.
- Retrospective analysis as part of computer forensics.
Currently, most network traffic monitoring is performed in flow mode (NetFlow/IPFIX) by Next Generation Firewall, Network Detection & Response or Intrusion Detection System class solutions. A flow record summarises a conversation (addresses, ports, protocol, byte and packet counts, timing) but discards the payload. So why extend network traffic capture to Full Packet Capture?
Most network security tools are based on a negative security model: they detect known malicious traffic, usually by matching specific signatures. The negative security model is problematic for zero-day exploits, new malware, or attacks that simply have no existing signature at the time the traffic crosses the wire.
Full Packet Capture allows a security analyst to review the actual content of every communication, including sessions that no detection tool flagged at the time.
Full packet capture tools allow security engineers to record all network traffic and play it back later, including playing old traffic back through new detection signatures. This retrospective analysis can be used to determine whether an exploit was used before the threat was detected, or before a patch was released, and which hosts were involved.
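The retrospective replay described above, as an added example that is not code from the original page or from any product mentioned on it. It builds a small, constructed pcap in memory (two plaintext HTTP requests with zeroed checksums), parses the pcap and Ethernet/IPv4/TCP headers by hand, and scans the payloads against a signature set. The signature names, patterns, addresses and timestamps are all hypothetical; the point is that a signature published after capture still finds the earlier packet, and the packet timestamp shows the activity predates detection.

```python
"""Retrospective signature scan over a stored pcap (added example, constructed data)."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# --- constructing a pcap for the demo (zero checksums; not real traffic) ---

def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame carrying `payload`; checksums are left at 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(records: List[Tuple[float, bytes]]) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

# --- parsing the stored capture back ---

def decode_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    if len(ip) < total or total < ihl + 20:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[doff:]

def parse_pcap(data: bytes) -> Iterator[Tuple[float, str, str, int, int, bytes]]:
    """Yield (timestamp, src, dst, sport, dport, payload) for every TCP packet in the file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        decoded = decode_tcp(frame)
        if decoded is not None:
            yield (sec + usec / 1e6, *decoded)

def replay_scan(pcap: bytes, signatures: Dict[str, bytes]) -> List[dict]:
    """Run a byte-pattern signature set over stored payloads; returns one hit per match."""
    hits = []
    for ts, src, dst, sport, dport, payload in parse_pcap(pcap):
        for name, pattern in signatures.items():
            if pattern in payload:
                hits.append({"sig": name, "ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport})
    return hits

def earliest_hit_before(hits: List[dict], cutoff: float) -> Optional[float]:
    """Timestamp of the earliest hit that predates `cutoff` (e.g. signature release), or None."""
    earlier = [h["ts"] for h in hits if h["ts"] < cutoff]
    return min(earlier) if earlier else None

# Constructed sample capture: a benign request, then (5 minutes later) a request carrying a
# marker that no signature knew about at capture time.
SAMPLE_PCAP = build_pcap([
    (1700000000.0, build_packet("10.0.0.5", "93.184.216.34", 51000, 80,
                                b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (1700000300.5, build_packet("10.0.0.5", "198.51.100.7", 51001, 8080,
                                b"POST /upload HTTP/1.1\r\nX-Constructed-Beacon: 1\r\n\r\n")),
])
OLD_SIGNATURES = {"known-cmd-pattern": b"cmd.exe /c"}            # rule set at capture time
NEW_SIGNATURES = dict(OLD_SIGNATURES, **{"constructed-beacon": b"X-Constructed-Beacon:"})
SIGNATURE_PUBLISHED = 1700003600.0                               # hypothetical release time

if __name__ == "__main__":
    print("at capture time:", replay_scan(SAMPLE_PCAP, OLD_SIGNATURES))
    hits = replay_scan(SAMPLE_PCAP, NEW_SIGNATURES)
    print("after new rules:", hits)
    print("earliest activity before the rule existed:", earliest_hit_before(hits, SIGNATURE_PUBLISHED))
```

In a real deployment the same scan is done by feeding the stored pcap to the IDS (for example with its offline read mode) rather than by hand; the hand-written parser is here only so the example runs without any capture file or third-party library. Note that the replay can only find what the capture kept: a snaplen shorter than the frame, or a TAP that drops packets under load, silently removes evidence, which is why the deployment questions below matter.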
There are several questions that need to be answered before you start planning a full packet capture deployment. Mainly:
- What do you want to monitor (which segments, which direction of traffic, encrypted as well as plaintext)?
- Where to place the capture points (TAP or SPAN/mirror port) so that the traffic of interest actually passes them?
- What are the data storage requirements, given the expected throughput and the retention period?
- Are there any redundancy or scaling requirements?
Successful implementation is based on three factors. Firstly, planning for organization-specific requirements, including the minimum retention period and which network traffic must be captured. Secondly, delivering unaltered traffic to the packet capture system: a capture point that drops packets under load or truncates frames produces gaps that cannot be recovered later. Thirdly, and most importantly, sizing the space to store captured packets for retrospective purposes, which follows directly from the sustained traffic rate multiplied by the retention period, plus headroom for peaks.
Given the increasingly complex queries our customers receive from regulators – surely every organization should have a tool to monitor traffic and store the results of that analysis. However, if your resources are valuable and you care about a thorough leak investigation – talk to us about Full Packet Capture.