Network Forensics

Network forensics consists of the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence or intrusion detection. This information gathering entails

  • a system which, in an almost invisible fashion, collects data and stores it for real-time or offline analysis
  • an analysis system for clustering and aggregation, so that the data can be queried in a meaningful way
  • a system of criteria and methods for getting information out of the data
  • a way to visualize massive amounts of data

Put more succinctly, this amounts to the well-known seven stages of data visualization: acquire, parse, filter, mine, represent, refine and interact (with) data. With the increasing amount of data in the enterprise and the need to keep security tight, network forensics has become increasingly popular. This domain also has a lot of affinity with anti-terrorism and intelligence services.
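As an added illustration of the acquire, parse, filter, mine, represent and interact stages listed above (example code written for this page, not part of the original post), the following Python pipeline runs those stages over a small constructed set of flow records. The record format, the `Flow` class and every function name here are assumptions made for the example; the "mine" stage aggregates bytes per source and flags a source that touches many distinct destination ports, which is the kind of criterion an analyst would want raised for review.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample flow records (not real traffic), one flow per line:
# ISO timestamp, src IP, dst IP, dst port, protocol, bytes. The last line is
# deliberately malformed to show that the parse stage must tolerate dirty input.
SAMPLE_FLOWS = """\
2024-01-05T10:00:01Z 10.0.0.5 10.0.0.20 443 tcp 120000
2024-01-05T10:00:02Z 10.0.0.5 10.0.0.20 443 tcp 80000
2024-01-05T10:00:03Z 10.0.0.7 10.0.0.20 22 tcp 4000
2024-01-05T10:00:04Z 10.0.0.9 10.0.0.20 21 tcp 60
2024-01-05T10:00:04Z 10.0.0.9 10.0.0.20 22 tcp 60
2024-01-05T10:00:05Z 10.0.0.9 10.0.0.20 23 tcp 60
2024-01-05T10:00:05Z 10.0.0.9 10.0.0.20 25 tcp 60
2024-01-05T10:00:06Z 10.0.0.9 10.0.0.20 80 tcp 60
2024-01-05T10:00:07Z 10.0.0.9 10.0.0.20 110 tcp 60
2024-01-05T10:00:08Z 10.0.0.5 10.0.0.255 137 udp 200
2024-01-05T10:00:09Z this line is malformed
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse(text):
    """Parse stage: turn raw lines into Flow records, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # wrong field count: skip rather than abort the whole run
        ts, src, dst, dport, proto, nbytes = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            flows.append(Flow(when, src, dst, int(dport), proto, int(nbytes)))
        except ValueError:
            continue  # unparsable timestamp, port or byte count
    return flows


def filter_flows(flows, exclude_broadcast=True):
    """Filter stage: drop noise (here: broadcast destinations) before mining."""
    return [f for f in flows if not (exclude_broadcast and f.dst.endswith(".255"))]


def bytes_by_source(flows):
    """Mine stage (aggregation): total bytes sent per source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


def port_sweep_sources(flows, min_ports=5):
    """Mine stage (criterion): sources that contacted at least min_ports distinct
    destination ports, a pattern worth an analyst's attention."""
    ports = defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


def render_bar_chart(totals, width=40):
    """Represent stage: a text bar chart, largest talker first."""
    if not totals:
        return ""
    biggest = max(totals.values())
    lines = []
    for src, total in sorted(totals.items(), key=lambda kv: kv[1], reverse=True):
        bar = "#" * max(1, round(width * total / biggest))
        lines.append(f"{src:<15} {bar} {total}")
    return "\n".join(lines)


def drill_down(flows, src):
    """Interact stage: from the overview, descend to the individual flows of one source."""
    return sorted((f for f in flows if f.src == src), key=lambda f: f.ts)


if __name__ == "__main__":
    kept = filter_flows(parse(SAMPLE_FLOWS))
    print(render_bar_chart(bytes_by_source(kept)))
    for src in port_sweep_sources(kept):
        print(f"review: {src} touched many ports")
        for f in drill_down(kept, src):
            print(f"  {f.ts.isoformat()} {f.dst}:{f.dport}/{f.proto} {f.nbytes}B")
```

Each stage is a separate function so that a different acquisition source (a pcap exporter, a flow collector, a database query) can replace `SAMPLE_FLOWS` without touching the mining or representation code; the refine stage is the loop of adjusting thresholds such as `min_ports` and re-running.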

On a more technical level, it’s quite a challenge to handle petabytes of data and to visualize huge amounts of data in a meaningful way. On the analysis level, this is where things like Microsoft StreamInsight come in, alongside SSIS and SQL Server Analysis Services. On the data visualization level, one inevitably has to delve into custom visualization panels and smart ways to transition from a high-level overview to a finer-grained level, and back.

Much like business intelligence, forensic analysis is an interesting field which combines various technologies and abstract thinking.

Figure: Data to Information Cycle
