Network Forensics with NetWitness

Ten days ago I had the privilege of attending a day of product training for NetWitness. NetWitness is a real network forensics tool produced by a company of the same name. Anyone who's read my books or attended my training knows I am a big fan of open source tools. NetWitness, however, is built to facilitate investigating network traffic.

It's important to differentiate between packet collectors, protocol analyzers, and network forensics tools. Dumpcap is the prototypical packet collector. Simpler than Tcpdump and much simpler than Tshark, all Dumpcap does is record packets. It's especially suited for this role, however, because it offers native trace rotation capabilities.

Tcpdump, Tshark, and Wireshark are all protocol analyzers. Yes, Tcpdump is a protocol analyzer, although it is not as robust as Tshark or Wireshark. Protocol analyzers are suited for packet-centric inspection. For example, I used Wireshark extensively while learning about 802.11 traffic. Protocol analyzers are also helpful for network troubleshooting, with varying degrees of automated analysis. Commercial protocol analyzers are especially robust in this regard. Protocol analyzers often feature tools for rebuilding TCP sessions, but that is usually the extent of those features. Protocol analyzers also permit searching traffic, but the analyst generally must have a good grasp of what he is looking for and how to get that idea across to the protocol analyzer.

Network forensics tools are not packet-centric; they are data centric. NetWitness, for example, cares less about the underlying packets and more about the data they contain. The partial screen capture (original here) hints at NetWitness' depiction of files, accounts, and email addresses recognized in a network trace.

Investigators don't (necessarily) look at packets when they use NetWitness for network forensics. Rather, they look for useful data. One investigation might require finding all information related to a specific username. That username (or a portion of it) would be searchable in email, instant messaging, Web logins, documents, and so forth. While you could do some manual searching with tools like Ngrep or Flowgrep, NetWitness is built around discovering information and is well-suited for this process of discovery.

When you find results, they are presented within the context of the session in which they were contained. NetWitness rebuilds the session and presents it in human-friendly format. If they subject viewed an email, you will see the email. If he visited a Web page, you will see the Web page. There are limitations to this model, such as a browser displaying cache graphics instead of requesting them on the wire. However, this sort of model works very well for forensic analysts.

This second partial screen capture (original here) demonstrates two other powerful NetWitness features. First, NetWitness represents traffic using a noun-verb-adjective-like language. When you see the mention of "GET", for example, it's not necessarily an HTTP get. GET actions include FTP retrievals and other actions where a subject acquires data. This meta-language simplifies investigations by letting the analyst look for actions and not for specific protocol activities.

Second, NetWitness performs port-agnostic protocol identification. When you see "HTTP" it doesn't just mean port 80. HTTP is identified by inspecting traffic and looking for the HTTP protocol. This is an important mechanism for finding back doors and covert channels. Obviously encryption will hamper this feature, but port-agnostic protocol identification is a must-have for forensics tools.

I could say quite a bit about NetWitness, but I hope you've gotten the idea that it's a powerful tool. In case you are wondering, I am not being compensated for this review. I did get to attend the training class for free. I am also not selling NetWitness to anyone. The purpose of this review is to share insights on this tool, and to keep those of us with ties to the open source world aware of applications outside of it.

I am open to hearing from NetWitness' main competitors, Niksun and Sandstorm, if they'd like to comment. Sandstorm's NetIntercept holds a special place in my heart, since it runs on FreeBSD. NetWitness is a Windows-based product. (In production I recommend capturing traffic with a program like Dumpcap or Tcpdump, and then analyzing it in NetWitness.)