
4 cheap options to monitor networks for evidence

Brandon Gregg | Feb. 10, 2010
Investigations manager Brandon Gregg explains how to collect evidence for network investigations on the cheap without damaging the mission at hand.

Computer forensics doesn't have to focus solely on recovering and searching for evidence on storage devices. Although programs like EnCase and FTK 3.0 are excellent tools for finding the documents, photographs and other files your investigation needs, they fall short when it comes to collecting the network traffic your suspect sends and receives.

Stored URL history and the local browser cache paint only a limited picture of a suspect's Internet usage, and reading them sometimes amounts to reading tea leaves: you learn that a page was visited, not what was done there. A document opened online, an incriminating instant message or even a VoIP call can and should be captured on the wire and reviewed for your investigation. Bear in mind that encrypted sessions (HTTPS, encrypted IM or VoIP) will give you endpoints, timing and volume but not content unless you also hold the keys.

Below are four free or low-cost options to monitor your target's network connection, capture traffic in a forensically sound way and review the data for evidence. Consult your company's legal and IT departments before monitoring anyone's Internet connection: it may be illegal in some jurisdictions or against company policy.

Before getting started, decide which of the four monitoring options works best for your investigation. Each suits different scenarios, and each is rated below on Level of Expertise (how hard it is to set up), Covert Application (the risk of getting caught) and Network Type (wireless vs. LAN):

1. SPAN port monitoring. Level of Expertise: 1 of 5, Covert: 3 of 5, Network: LAN and WLAN.
Monitoring this way is probably the easiest option and the best one for a corporate environment. A SPAN (port-mirroring) port is a switch port configured to receive a copy of every frame passing through another port; IT mirrors the suspect's port and you plug your capture machine into the mirror. Your target will have no clue he or she is being monitored, but you have to trust your IT department, because they configure the mirror and plug your computer into the SPAN port.

No additional tools are needed beyond an extra Ethernet cable and your computer. And because the copying happens at the switch rather than at the suspect's desk, wireless traffic can be captured too: have IT mirror the port the access point uplinks through, and the suspect's Wi-Fi traffic is copied as it enters and leaves the wired network. Your IT department will know what a SPAN port is and how to set one up; port mirroring is a routine procedure used for troubleshooting and intrusion detection, not just for investigations. Two caveats: a SPAN port only carries what the switch has capacity to copy, so a busy port can silently lose packets, and a mirror of an access point's uplink contains every wireless client, so filter the capture down to the suspect's MAC address.

2. Ethernet hub. Level of Expertise: 2 of 5, Covert: 3 of 5, Network: LAN only.
Without getting too technical, an old-fashioned Ethernet hub (not a switch, which is what most stores sell today) repeats every frame it receives out of every other port, so placing one inline gives your capture machine a mirror image of the suspect's traffic. Hubs can be ordered online for about $30, but your IT department probably has a few lying around. Connect the hub inline, either at the suspect's wall port or at the matching patch in the network room, with one cable to the suspect's side, one to the network side and a third to your computer, and start capturing. As long as you hide the hub and the third Ethernet cable this is covert and easy, and it can be done without even tipping off IT. Two caveats: hubs are half-duplex and generally 10/100 only, so the suspect's link speed drops and a sharp user (or IT's port monitoring) may notice; and some cheap devices sold as "hubs" are really small switches, which show your capture port nothing but broadcasts, while a dual-speed hub bridges its 10 Mbps and 100 Mbps sides rather than repeating between them. Test with your own traffic before you deploy it on the suspect's.
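Whichever of the two options above delivers the frames, the capture box should be prepared the same way: a silent interface, a filter that pins the capture to the suspect, and a hash of every finished file so that the evidence can later be shown to be unaltered. The script below is an added example written for this page, not the author's tool (the article assumes nothing beyond "your computer"). It assumes a Linux machine with tcpdump and iproute2; the interface name eth1, the MAC address 00:11:22:33:44:55 and the directory /var/evidence/case001 are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: a minimal capture and
# chain-of-custody script for a Linux box plugged into a SPAN port or hub.
# Interface name, suspect MAC and evidence directory are assumptions;
# override them in the environment. Requires tcpdump, iproute2 and sysctl.

CAP_IF="${CAP_IF:-eth1}"                          # NIC on the SPAN port / hub
SUSPECT_MAC="${SUSPECT_MAC:-00:11:22:33:44:55}"   # constructed example MAC
OUT_DIR="${OUT_DIR:-/var/evidence/case001}"
LEDGER="$OUT_DIR/capture-ledger.txt"

# Make the capture NIC silent: promiscuous, no IP address, no ARP, no IPv6.
# A NIC that answers ARP or sends DHCP/IPv6 traffic both pollutes the
# capture and announces the monitoring box on the suspect's segment.
quiet_interface() {
    ip addr flush dev "$1"
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1" >/dev/null
    ip link set dev "$1" arp off promisc on up
}

# BPF filter pinned to one MAC. A SPAN of an access point's uplink carries
# every wireless client, so filter; a MAC survives DHCP where an IP does not.
# Fails (exit 1, prints nothing) on a malformed MAC so that a typo does not
# silently capture the whole segment.
bpf_for_suspect() {
    H='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $H:$H:$H:$H:$H:$H) printf 'ether host %s' "$1" ;;
        *) return 1 ;;
    esac
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # macOS / BSD fallback
    fi
}

# Seal a finished capture file: make it read-only and append
# "<utc time> <sha256> <bytes> <path>" to the ledger. Prints the hash.
seal_capture() {
    chmod 0444 "$1"
    h=$(sha256_of "$1")
    sz=$(wc -c < "$1" | tr -d ' ')
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$h" "$sz" "$1" >> "$2"
    printf '%s' "$h"
}

# Re-hash every file named in the ledger; return 1 if any no longer matches.
verify_ledger() {
    status=0
    while read -r _ts h _sz f; do
        [ "$(sha256_of "$f")" = "$h" ] || { echo "MISMATCH: $f" >&2; status=1; }
    done < "$1"
    return $status
}

case "${1:-}" in
    capture)
        mkdir -p "$OUT_DIR"
        filter=$(bpf_for_suspect "$SUSPECT_MAC") || { echo "bad SUSPECT_MAC" >&2; exit 2; }
        quiet_interface "$CAP_IF"
        case "$0" in /*) self=$0 ;; *) self="$PWD/$0" ;; esac   # absolute path for -z
        # -n: never resolve names (a DNS lookup from this box is itself a leak).
        # -s 0: whole packets. -G 3600 -w: rotate hourly into timestamped files.
        # -z: run this script on each finished file (the *.pcap branch below);
        # that hook runs with tcpdump's possibly dropped privileges, so OUT_DIR
        # must be writable by that user.
        exec tcpdump -i "$CAP_IF" -n -s 0 -U -G 3600 \
            -w "$OUT_DIR/cap-%Y%m%d-%H%M%S.pcap" -z "$self" "$filter"
        ;;
    verify)  verify_ledger "$LEDGER" ;;
    *.pcap)  seal_capture "$1" "$LEDGER" >/dev/null ;;   # called by tcpdump -z
    *)       [ -z "${1:-}" ] || echo "usage: $0 capture|verify|<file.pcap>" >&2 ;;
esac
```

Saved as, say, capture.sh and run as root with `sh capture.sh capture` on the box plugged into the SPAN port or hub, it captures until stopped; tcpdump calls the script back with each rotated file, which appends a hash line to the ledger, and `sh capture.sh verify` re-checks every file against the ledger before the evidence is handed over. The filter is deliberately strict: on a hub sitting on the suspect's own drop you could capture everything, but pinning to the MAC keeps the files small and keeps other people's traffic out of your evidence.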

