While you are watching Wireshark you will see a wealth of random data and colors streaming across your screen. Although you might see a website domain you recognize scroll by, the data contains everything your target is sending and receiving, making it next to impossible to decipher any evidence on your own. That's where the open source program Network Miner and the freeware NetWitness Investigator 9.0 come into play. Both tools have an import option that pulls information from your 250 MB capture files (known as pcap files) and recreates it as searchable, viewable data.
Network Miner exports all files found, including a quick image viewer, making it great for pornography investigations, while Investigator is your one-stop shop to recreate websites, e-mails, instant messages, VoIP calls and other types of data you captured in the pcap files. You can literally see your target entering text in search fields, downloading YouTube videos and even unknown viruses communicating with bot servers in China. Unfortunately, Investigator is licensed to view only 1 GB (or four 250 MB files) at a time, versus their unlimited enterprise solution. So if you have lots of data, searching might have to be done in time blocks, but honestly the network traffic captured on one computer is fairly small.
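To show what these tools do when they "recreate" a pcap as searchable data, here is an added example (not code from Network Miner or NetWitness) that reads the classic pcap container directly, walks Ethernet/IPv4/TCP, and indexes every HTTP request line and Host header by timestamp and source address. The single-packet capture it parses is constructed inline with made-up addresses and a made-up domain, so it runs offline.

```python
import struct

def build_sample_pcap():
    """Constructed sample: a minimal little-endian pcap (link type 1 = Ethernet)
    holding one IPv4/TCP packet that carries an HTTP GET. Not real traffic."""
    http = b"GET /search?q=evidence HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    # TCP header: ports, seq, ack, data offset 5 (20 bytes), PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40512, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    frame = eth + ip + tcp + http
    # pcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 1700000000, 0, len(frame), len(frame))
    return global_hdr + rec_hdr + frame

def iter_packets(data):
    """Yield (timestamp, frame bytes) for each record in a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # byte order of the writer
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl]
        off += incl

def http_requests(data):
    """Index the request line and Host of every TCP payload that looks like an HTTP request."""
    found = []
    for ts, frame in iter_packets(data):
        if frame[12:14] != b"\x08\x00":      # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length
        if frame[14 + 9] != 6:               # TCP only
            continue
        src = ".".join(str(b) for b in frame[14 + 12:14 + 16])
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:]
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        lines = payload.split(b"\r\n")
        host = next((l.split(b":", 1)[1].strip().decode() for l in lines
                     if l.lower().startswith(b"host:")), "")
        found.append({"ts": ts, "src": src, "host": host, "request": lines[0].decode()})
    return found
```

Because the index is just a list of dictionaries, several 250 MB files can be parsed one after another and their results concatenated, which is the "time block" search the licence limit forces on you.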
As stated above, there is no reason why you can't record your own Internet activity and practice searching for data you know you were looking at moments ago. Also, NetWitness offers a free forum to share search ideas and troubleshoot any issues you might run into.
Once you get comfortable with the monitoring tools, saving the data and exploring it with Network Miner and Investigator, you can search or create alerts to help find the smoking gun you might not see doing basic forensics.
Brandon Gregg is a corporate investigations manager.