In the first article in this series we looked at free tools for data mirroring and in the second installment we looked at tools available for registry forensics, followed by an examination of some tools available for disk forensics.
Now we move on to network forensics, which is related to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. We will also examine some tools for email forensics.
The ultimate goal of network forensics is to provide sufficient evidence to allow a criminal perpetrator to be successfully prosecuted. Practical applications include investigating hacking incidents, insurance and fraud cases, defamation, and similar matters.
Tool: Wireshark
Wireshark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in human-readable format. Wireshark includes filters, color-coding, and other features that let you dig deep into network traffic and inspect individual packets.
Tool: Network Miner
Network Miner is a network forensic analysis tool for Windows that can detect the OS, hostname, and open ports of network hosts through packet sniffing or by parsing a PCAP file. Network Miner can also extract transmitted files from network traffic.
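As an added example (not code from the original article or from NetworkMiner itself), the script below shows the kind of passive open-port inference such a tool performs on a PCAP file: a host that answers a connection attempt with SYN+ACK was listening on that port, while a RST reply means the port was closed. The capture is constructed inline with stdlib only; addresses and ports are made-up sample values.

```python
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic libpcap file (magic 0xa1b2c3d4)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + recs

def tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame, no options, no payload, checksums zeroed."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def iter_packets(data):
    """Yield each captured frame from a classic pcap file (nanosecond magic not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen

def open_ports(pcap_bytes):
    """Map responder IP -> sorted ports on which it sent SYN+ACK (i.e. was listening)."""
    ports = defaultdict(set)
    for frame in iter_packets(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:                # TCP only
            continue
        tcp = ip[ihl:]
        sport, flags = struct.unpack("!H", tcp[0:2])[0], tcp[13]
        if (flags & 0x12) == 0x12:                          # SYN and ACK both set
            ports[".".join(map(str, ip[12:16]))].add(sport)
    return {host: sorted(p) for host, p in ports.items()}

# Constructed capture: two completed handshakes (80, 22) and one refused connection (8080).
SAMPLE = build_pcap([
    tcp_frame("10.0.0.5", "10.0.0.9", 51000, 80, 0x02),     # SYN
    tcp_frame("10.0.0.9", "10.0.0.5", 80, 51000, 0x12),     # SYN+ACK -> 80 open
    tcp_frame("10.0.0.5", "10.0.0.9", 51001, 22, 0x02),
    tcp_frame("10.0.0.9", "10.0.0.5", 22, 51001, 0x12),     # SYN+ACK -> 22 open
    tcp_frame("10.0.0.5", "10.0.0.9", 51002, 8080, 0x02),
    tcp_frame("10.0.0.9", "10.0.0.5", 8080, 51002, 0x14),   # RST+ACK -> 8080 closed
])
```

Running `open_ports(SAMPLE)` on the constructed capture reports only the ports that actually answered, which is exactly the evidence a passive tool can derive without ever probing the host itself.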
Erasing or deleting an email doesn’t necessarily mean that it is gone forever. Often emails can be forensically extracted even after deletion. Forensic tracing of e-mail is similar to traditional detective work. It is used for retrieving information from mailbox files.
Tool: MiTec Mail Viewer
This is a viewer for Outlook Express, Windows Mail/Windows Live Mail, and Mozilla Thunderbird message databases, as well as single EML files. It displays a list of the contained messages with all the relevant properties, like an ordinary e-mail client. Messages can be opened in a detailed view, including attachments and an HTML preview.
It has powerful searching and filtering capabilities and can extract the email addresses from all messages in the opened folder into a list with one click. Selected messages can be saved as EML files with or without their attachments, and attachments can be extracted from selected messages with a single command.
Tool: OST and PST Viewer
Nucleus Technologies’ OST and PST viewer tools help you view OST and PST files easily without connecting to an MS Exchange server. These tools scan OST and PST files and display the data stored in them, including email messages, contacts, calendars, notes, etc., in their proper folder structure.
In the next article in this series we will look at free tools for Internet forensics – stay tuned!
About the Author: Mohit Rawat writes for Infosec Institute, is an engineering graduate and works as a Security Analyst. He specializes in social engineering, penetration testing, application vulnerability assessments, digital forensics investigations and IT security architecture. He works for both public and private sector clients, performing penetration testing and digital forensics investigations and delivering security training to IT professionals.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.