Product Group Tests

Network forensics (2008)

Group Summary

Our Best Buy is Niksun's NetDetector. It is a solid product that not only provides good log analysis, it has the forensics chops to get the investigative job done.

LogRhythm v4.0 gave our Best Buy a strong run for its money. We rate it Recommended as a top-end network analysis tool.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

This is a multi-faceted area, and combining several single-function tools with more general solutions may be the best way to cover all bases. Peter Stephenson looks at a growing market.

This month we carved up the digital forensic products into two subsets. The network-based tools covered some interesting territory. There are two classes of solutions that seem to be lumped into the network forensics category. The first incorporates all those offerings that do much of what traditional computer forensics tools do, only they do it over a network. The second category analyses traffic over the network. We saw examples of both.

The tools that analyse computers over the network can often look at some things that remain hidden from typical computer forensics tools. For example, it is easy to see what services are operating when you watch the device over the network. You can also watch file openings and closings. These additional abilities provide the analyst with more forensic data while allowing a traditional view of the device's media.

The network forensic tools that watch the traffic on the network come in several flavours as well. Some of these are designed specifically for forensic analysis of network activity. Some - most, in fact - are intended to double as log aggregators/analysts and forensic analysis tools.

These products take input from a variety of log sources including IDS, firewalls and syslogs. They may not have explicit forensic functionality, but they all provide the necessary features that enable forensic analysis over the network.

We also saw niche products, including one that simply goes out to the network and discovers all the computers within a range of IP addresses. It then tells a bit about what it finds. This is a necessary first step in analysing a network. At first sight one might think of this tool as a sort of commercial NMap. However, the information it gathers is focused on what is needed as a preliminary step in forensic analysis of a network and its devices.

Buying tips
This is not an easy topic to discuss because we start examining everything from niche products
to pure forensic products. You should think of your forensic tools in terms of a toolkit, a collection of forensic tools, some of which are just simple specialised products for single tasks.

Forensic analysis has become a complicated process. Not everything you do during the analytic process yields evidence directly. Some of the functions you will need just to understand the network better, look for anomalies and, perhaps most importantly, lead you to where useful evidence resides. In that regard, some of our tools shine.

Begin your buying process by selecting one or two computer forensics tools. See media tools in the group test on page 64. Just as in network tools there will be some niche tools that perform specialised tasks such as mobile-phone analysis. The reason for selecting more than one is a bit complicated. First, you may need the functionality of some of the more focused tools. Second, it is a good idea to use more than a single computer forensics tool. Not all of these tools behave in the same way or see exactly the same things in the same ways.

Next, consider how you will use these tools. Do you need to do analysis of individual computers over the network? If so, an over-the-network computer forensics tool will be useful. Are you just using forensics to analyse suspected criminal activity or violations of policy? Or are you incorporating digital forensic analysis in your incident management/response program? How large is your enterprise? Is it geographically disbursed? If the answer to any of these questions is yes, a remote forensics tool may be useful.

Next, look for the niche tools. These are little utilities that help you manage forensic tasks. The WetStone product we look at this month is just such a product.

Finally, it's time to invoke the big guns. These are the log analysis tools. They aggregate and correlate the data from all the logging devices on the enterprise and then check them for commonalities that allow correlation of individual activities into a single, overall picture of an incident. Some of these products have an explicit forensic function. If you are going to this kind of tool for forensics you either need a forensic function that helps you manage things, such as chain of custody, or you will need to do them manually.

One important facet of this product group is its overall excellence. We had a very hard time picking our Best Buy and Recommended products. Regardless of what you need to do, there are products out there to help you and these are at the head of the class.

- For details on how we test and score products, visit

All Products In This Group Test