An Empirical Study of Network Forensics Analysis Tools

Network traffic monitoring tools allow network administrators to view network traffic in real-time. Since real-time monitoring requires human and hardware resources, it is more practical to archive all network traffic and analyze parts of captured data for specific purposes such as, forensics evidence, intrusion detection, or incident response. This process is known as network forensics. Commonly, network forensics analysis is done by manually examining log files which is a time-consuming and error prone process. Instead, network administrators use network forensics analysis tools (NFATs) to capture segments of traffic, to inspect the traffic and to analyze data transferred over the networks so that an attack or the malicious intent of the intrusions may be investigated. Moreover, NFATs support the notion of defence in depth. As such, they have the ability to correlate data from other security tools such as intrusion detection system or firewall. In this paper, we present the result of our experiment with several popular open source network forensics analysis tools. We evaluate the strengths and weaknesses of them, interface user friendliness, visualization, filtering, reporting, data collection, data analysis, extraction, and correlation with other log files such as firewall and IDSs.