How to Quickly Analyze a PCAP File

I am so excited to introduce NFPA – a Network Forensic Processing & Analysis tool!

NFPA – Network Forensic Processing & Analysis

The purpose behind the NFPA tool is to give cybersecurity analysts a more efficient and automated ("click & forget") way of running commonly used, open-source network forensics utilities and analysis queries against a piece of network evidence (a PCAP).

The NFPA tool helps streamline investigations by reducing the errors that typically creep in when network-based evidence is processed and analyzed manually through various popular tools and their command-line options.

Using NFPA, an analyst can:

  1. quickly process case evidence through various popular tools and utilities with a single script execution
  2. review the results of 60+ individual, multi-purpose queries pre-run against the evidence
  3. view the native output from all of the evidence-processing utilities, which leaves room for validation or further analysis

All of the above is organized in an easy-to-understand structure that lets the analyst quickly find answers as well as the authoritative source of those answers.
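To make the "pre-run queries plus native output" idea concrete, here is a small added example (my own illustration, not code from NFPA, which wraps existing tools in Bash rather than parsing packets itself). It reads a classic pcap file directly, runs a few of the queries an analyst asks first (packet count, top talkers, protocol mix, top conversations), and keeps the per-packet records as the authoritative source behind those answers. It assumes an Ethernet-linktype capture and only decodes IPv4; the sample capture it builds is constructed, not real evidence.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def parse_pcap(data: bytes):
    """Yield (timestamp, frame) records from a classic pcap file (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "I", data[20:24])[0]  # last field of the 24-byte global header
    if linktype != 1:
        raise ValueError("this example only handles LINKTYPE_ETHERNET captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def ipv4_tuple(frame: bytes):
    """Return (src, dst, proto) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), frame[23]

def run_queries(data: bytes) -> dict:
    """Pre-run a few analyst queries; 'native' keeps the per-packet source the answers came from."""
    native = [(ts, ipv4_tuple(f)) for ts, f in parse_pcap(data)]
    ip = [t for _, t in native if t]
    names = {1: "icmp", 6: "tcp", 17: "udp"}
    return {
        "packet_count": len(native),
        "ipv4_count": len(ip),
        "top_talkers": Counter(s for s, _, _ in ip).most_common(3),
        "protocols": Counter(names.get(p, str(p)) for _, _, p in ip),
        "conversations": Counter(tuple(sorted((s, d))) for s, d, _ in ip).most_common(3),
        "native": native,
    }

def build_sample_pcap() -> bytes:
    """Constructed sample evidence (not a real capture): two TCP frames and one UDP frame."""
    def frame(src, dst, proto):
        eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
        ip = bytes([0x45, 0]) + struct.pack(">HHHBBH", 40, 0, 0, 64, proto, 0)
        return eth + ip + IPv4Address(src).packed + IPv4Address(dst).packed + b"\x00" * 20
    frames = [frame("10.0.0.5", "192.0.2.10", 6), frame("10.0.0.5", "192.0.2.10", 6),
              frame("10.0.0.7", "192.0.2.53", 17)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

Running `run_queries(open("evidence.pcap", "rb").read())` on a real capture gives the same dictionary; the `native` list is what you go back to when a summary figure needs validating.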

Here is a quick demo of NFPA in action:

A key requirement when designing NFPA was to keep dependencies to a minimum. I wanted to leverage a platform that analysts already use widely and that comes pre-configured with all of the necessary tools and capabilities. This lets analysts begin their investigative work immediately instead of dealing with the underlying system engineering.

To that end, here is the only dependency:

Additionally, NFPA is built in Bash, which means you do not have to import any specific libraries or run a particular version of anything. Another advantage of using Bash is that you will most likely be able to run NFPA on other Linux distributions (you may need to install some purpose-built network forensic tools separately).

The first version of the tool is now available on GitHub. Please check it out and let me know what you think!
