Twitter Weekly Updates for 2009-07-12

  • Reading: “VirusTotal – Free Online Virus and Malware Scan” – good stuff – ( http://bit.ly/ZYJ1I ) #
  • watching recorded 06/11/09 Narus webinar http://bit.ly/P1kBs – lots of stuff in traffic intelligence for me in the past days #
  • excited about traffic analysis & intelligence data mining. So far I’m studying NetWitness and Narus. Anybody else I should look at? #
  • testing Maltego .. addictive and yes, I looked up my name & blog first :) #
  • I just entered to win an iPhone 3GS being given away by @briannorgard to enter: http://twitthis.com/briannorgard #
  • @LauraChappell Thank you for all the effort to deliver this webinar! Looking forward to begin :) in reply to LauraChappell #
  • Just added myself to the http://wefollow.com twitter directory under: #security #infosec #blogger #
  • embarking on the EnCE cert path .. lots of work ahead #
  • making my way through the @encase on demand training.. cool stuff #
  • @4mede incognito on twitter ? welcome & looking forward to your tweets :) #

Powered by Twitter Tools.

Twitter Weekly Updates for 2009-07-05


Twitter Weekly Updates for 2009-06-28

  • just read about @clearbluesecure and I’m wondering how / if it can be integrated in @arcsight SIEM #
  • just posted “NetWitness Investigator – Awesome Network Intelligence!” @netwitness ( http://bit.ly/oOa1X ) #
  • @rockyd yes, the netwitness investigator is a great tool. Can’t wait to see what we can achieve with ArcSight! in reply to rockyd #
  • today seems to be forensics day ; evaluating OnLine Digital Forensic Suite http://bit.ly/Q74Dv ; Any feedback from current users? #
  • Reading: “Exploit tools are publicly available for phpMyAdmin” – just checked my servers and I’m safe! ( http://bit.ly/4xmEp ) #


NetWitness Investigator – Awesome Network Intelligence!

After setting up an incident response system based on @arcsight and @encase last week, I’ve been looking for new input sources for ArcSight ESM. Thanks to twitter, @rockyd suggested I should add NetWitness.

And that was the moment I found the most impressive network forensics tool ever. It takes a radically new approach to raw traffic analysis: it recomposes all the network sessions and presents an array of nouns, verbs and adjectives related to the captured data.

Forget the pain of going through the hex representation of packets or manually correlating packets into sessions. Once the data file has been loaded you have full access to all attributes of the captured data, from layer 1 to layer 7. And they mean it!

I’ve loaded a 20k-packet capture previously recorded with tcpdump and I was absolutely blown away:

In 10 seconds I was able to reconstruct all kinds of TCP sessions, from dropped spam mail (displayed as formatted email), to IM (shown as a conversation) and even twitter updates. You can run reports on passwords, login names, URLs, login actions (failed / successful), etc., whatever criterion crosses your mind… I’ve even checked some suspicious SNMP scans.
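To show what "recomposing the sessions" means underneath the GUI, here is an added example (my own code, not NetWitness' and not part of the original post) that reads a classic pcap with the standard library only, groups IPv4/TCP segments into bidirectional sessions, reorders them by sequence number while dropping retransmissions and marking capture gaps, and then lists the HTTP request URLs seen in the client stream. It also raises a finding when a request carries cleartext HTTP Basic authentication, which is exactly the kind of "login actions" report mentioned above, without decoding the credential. The sample capture is constructed inline (hosts, ports, the `example.test` name and the base64 value are all made up), so it runs offline; swap in `open("capture.pcap", "rb").read()` for a real tcpdump file.

```python
"""Reconstruct TCP sessions from a pcap and pull out HTTP requests (standard library only)."""
import struct
PCAP_MAGIC = 0xA1B2C3D4
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def parse_pcap(data):
    """Yield link-layer frames from a classic (non-pcapng) Ethernet pcap byte string."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """Return ((src_ip, sport), (dst_ip, dport), seq, flags, payload) for IPv4/TCP, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # honour IP total length
    tcp = ip[(ip[0] & 0x0F) * 4:]                              # skip IP options if present
    sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    src = ("%d.%d.%d.%d" % tuple(ip[12:16]), sport)
    dst = ("%d.%d.%d.%d" % tuple(ip[16:20]), dport)
    return src, dst, seq, flags, tcp[(doff >> 4) * 4:]

def reassemble(segments):
    """Order one direction's segments by sequence number; drop retransmitted bytes, mark gaps."""
    stream, expected = b"", None
    for seq, payload in sorted(segments):
        if not payload:
            continue                              # SYN / ACK-only segments carry no data
        if expected is None:
            expected = seq
        if seq < expected:                        # overlap or retransmission: keep only new bytes
            payload, seq = payload[expected - seq:], expected
        if seq > expected:                        # the capture missed a segment
            stream += b"[%d bytes missing]" % (seq - expected)
            expected = seq
        stream += payload
        expected += len(payload)
    return stream

def build_sessions(pcap_bytes):
    """Group segments into bidirectional sessions; the first sender is taken as the client."""
    sessions = {}
    for frame in parse_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, seq, _flags, payload = parsed
        key = tuple(sorted([src, dst]))           # one key for both directions
        s = sessions.setdefault(key, {"client": src, "server": dst, "c2s": [], "s2c": []})
        s["c2s" if src == s["client"] else "s2c"].append((seq, payload))
    return list(sessions.values())

def http_report(session):
    """Request lines (method, host, path) from the client stream; flag cleartext Basic auth."""
    requests, findings = [], []
    for block in reassemble(session["c2s"]).split(b"\r\n\r\n"):
        lines = block.split(b"\r\n")
        if not lines[0].startswith(HTTP_METHODS):
            continue                              # e.g. a POST body, not a header block
        method, path = lines[0].split(b" ")[:2]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        host = headers.get(b"host", b"").decode()
        requests.append("%s http://%s%s" % (method.decode(), host, path.decode()))
        if headers.get(b"authorization", b"").lower().startswith(b"basic"):
            findings.append("cleartext HTTP Basic credentials sent to %s" % host)
    return requests, findings

def make_frame(src, dst, seq, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame with zero checksums (the parser never verifies them)."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, 0, 0x50, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src[0].split("."))), bytes(map(int, dst[0].split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

# Constructed sample capture (not a real recording): two sessions from one made-up client.
CLIENT, CLIENT2, SERVER = ("10.0.0.5", 40001), ("10.0.0.5", 40002), ("192.0.2.10", 80)
REQ = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
       b"Authorization: Basic dXNlcjpwbGFjZWhvbGRlcg==\r\n\r\n")  # base64 of "user:placeholder"
SAMPLE_PCAP = make_pcap([
    make_frame(CLIENT, SERVER, 1000, 0x02, b""),                 # SYN
    make_frame(SERVER, CLIENT, 5000, 0x12, b""),                 # SYN/ACK
    make_frame(CLIENT, SERVER, 1031, 0x18, REQ[30:]),            # second half arrives first
    make_frame(CLIENT, SERVER, 1001, 0x18, REQ[:30]),            # first half
    make_frame(CLIENT, SERVER, 1001, 0x18, REQ[:30]),            # retransmission
    make_frame(SERVER, CLIENT, 5001, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
    make_frame(CLIENT2, SERVER, 7000, 0x18, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=x"),
])
```

Running `http_report` over each entry of `build_sessions(SAMPLE_PCAP)` yields the two request URLs and one finding for the Basic-auth session. The session key is the sorted pair of endpoints, so both directions land in the same record, and the reassembler only trusts sequence numbers, which is why the out-of-order and duplicated segments in the sample still produce the original request; a real tool adds the same logic for IPv6, VLAN tags and the many application decoders this post admires.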

Overall, this is the coolest tool I’ve seen in a very long time. It’s like the Matrix scene where Neo gets to see the matrix itself, beyond the VR / agent Smith. :) NetWitness Investigator gives you this ability to extract intelligence from raw network packets in a second.

I highly recommend first watching the 4 short introductory movies on the NetWitness YouTube channel, because they reveal a lot of tips & tricks on how to use the GUI to get you where you want.

NetWitness Investigator is available as a free download, but if you like this tool and you need advanced features like capturing and analyzing remote traffic, I highly recommend taking a look at NextGen, NetWitness’ enterprise network forensics solution.
