FlowTraq > News > News & Events > News > Why Full-Fidelity Matters for Network Forensics

Why Full-Fidelity Matters for Network Forensics  

« Back to News

July 31, 2012

No matter how tightly you control your network, something will eventually go bump. And it is better to get prepared in quiet times than to figure it all out in the turbulent times right after an incident.  Network traffic forensics, log analysis, and backup recovery are central to this area. This is also the area that is most often ignored, allowing the same problem to affect an infrastructure many times over. You must find out what happened, so you can prevent it from interrupting your business again in the future.

For this Blog, we’ll focus on network traffic forensics and why full-fidelity forensics matters.

Network Traffic Forensics Asks 3 Questions

Investigating the traffic that traversed you network may often give a strong clue as to the nature of the issue at hand. Botnet traffic, remote administration tools, large data transfers to external addresses will all be clues to the nature of the compromise. When there is evidence in network traffic of the issue under investigation, it often means that the issue is not contained within your organization, and that an external party may be involved.

Although fullcap gives the ability to look deep inside the packets, and find possible minute details hidden there, it often does not have a long enough history to be useful.  For example, a network with a saturated 100MBit uplink to an ISP will fill 12 megabytes per second of full-cap storage.  That is 43 gigabytes per hour, and about 1 terabyte per day.

In order to perform network forensics, you need to be able to answer three basic network traffic questions:

1. Where did the network traffic come from?

2. When did  the network traffic start?

3. Are any other systems affected?

Getting the Answers: Full-Cap vs. Full-Fidelity

These important questions can only be answered if sufficient traffic history is captured. It is therefore useful to monitor multiple points in the network, and keep full-fidelity data around for weeks or even months.  Full-cap cannot scale to this level; only full-fidelity flow analytics can.

Tools like FlowTraq are designed for this purpose, and will scale far into the future.

Even though network traffic is increasing the total number of flows per host on your network has remained relatively steady over the years. The reason is that people have a limited ability to consume emails, watch videos, and browse webpages. The content is constantly gaining in resolution, which is driving the rise in required network bandwidth, but the number of communications (and thus network flows) rises only slowly.

Often very smart people don’t have a good grip on the traffic in their network. Full-cap solutions are ubiquitous, but offer a microscopic view where a macroscopic view is desired. SNMP and log monitoring tools are simply too coarse, while SIMS are often considered an insulting abstraction from the important details.

When we designed FlowTraq, we specifically had network forensics mind. This allows even smaller organizations to implement network forensics with great accuracy, and without breaking the bank.

More on Protecting and Controlling IT Assets:

Learn more on how to manage, protect and control IT assets for smooth infrastructure operation by downloading our free whitepaper

Download our whitepaper ““The Taxonomy of Wise Infrastructure Spending” to get 3 ready-to-use plans with recommended tools for application administration, device monitoring, traffic monitoring, policy enforcement, malware repulsion, audit & compliance, backup & restore, hosts and appliances, and traffic forensics.

« Back to News

Get Started

Learn More

Free Flow Exporter

Export CISCO NetFlow datagrams to up to 16 flow collectors. Flow Exporter captures 100% of the data in an easy-to-deploy way.
Download Now »