Mobile Forensics: Network Analysis on the Go

SilentRunner analysis tool takes baseline, analyzes network usage

SilentRunner Inc.'s SilentRunner Mobile Forensic Analyst is a software tool for analyzing, from a single laptop, captured network traffic and device-log data. The monitoring and forensics technology can analyze network sessions and lets investigators replay and reconstruct network activity, as well as see events in real time. It runs on Windows 2000 and stores collected data in an Oracle 9.2i enterprise database.

SilentRunner products can record all network traffic, then reconstitute the packets into the original sessions and scan each one. If the software detects a “flagged” keyword, say, a secret pharmacological formula, it notifies an administrator. From the front end, the administrator can replay the packets in the native application or browser—seeing both sides of an IM conversation, for example.

By contrast, Mobile Forensic Analyst is “primarily for customers who need mobility associated with audits,” says David Capuano, vice president of marketing for SilentRunner, a wholly-owned subsidiary of Raytheon Co. (Reston, Va.). Organizations don’t need to have installed SilentRunner, the product that stores and analyzes an enterprise’s network traffic. For organizations that have, the mobile product might be used in branch offices or geographical areas where SilentRunner isn’t installed.

For example, a mobile operations staff member takes a laptop with the software and shows up at a location, then begins analyzing network traffic. Similarly, the software could be used for law enforcement investigations, even though law enforcement personnel haven’t previously been tied into the infrastructure. “You can play any TCP-dumped data back into it,” such as from device logs or the routine network sniffing many security administrators already do, notes Capuano. This means that even though an incident might already have occurred, as long as there’s stored data, it can be analyzed.

Mobile Forensic Analyst moves data over the Secure Sockets Layer (SSL) to a centralized collector, loader, and data manager. The product builds a baseline of network activity and data so that security professionals can assess whether current network activity is within normal parameters, which the company calls standard operations.
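As an added illustration, not code from SilentRunner or the product described here, the following Python sketch shows the two mechanisms the article describes: reassembling captured packets into sessions and scanning each for a flagged keyword, and comparing per-host traffic volume against a baseline of standard operations. The packet records, the watch term and the volume figures are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample capture (not real traffic), one IM-style chat and one HTTP fetch.
# Record layout: (src_ip, dst_ip, src_port, dst_port, proto, payload)
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 49152, 5190, "tcp", b"please send the formu"),
    ("10.0.0.5", "10.0.0.9", 49152, 5190, "tcp", b"la-x7 spec"),
    ("10.0.0.9", "10.0.0.5", 5190, 49152, "tcp", b"on its way"),
    ("10.0.0.7", "192.0.2.10", 40000, 80, "tcp", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", "10.0.0.7", 80, 40000, "tcp", b"HTTP/1.0 200 OK\r\n\r\n<html>"),
]
FLAGGED_KEYWORDS = ["formula-x7"]  # hypothetical watch term for a "secret formula"

def reassemble_sessions(packets):
    """Group packets into bidirectional sessions keyed by the sorted endpoint pair
    and protocol, concatenating payloads in capture order so both sides of a
    conversation land in one stream."""
    sessions = defaultdict(bytearray)
    for src, dst, sport, dport, proto, payload in packets:
        key = (tuple(sorted([(src, sport), (dst, dport)])), proto)
        sessions[key] += payload
    return dict(sessions)

def flag_sessions(sessions, keywords):
    """Map session key -> matched watch terms. Scanning packet by packet would miss
    a term split across packets, as 'formula-x7' is in the sample above."""
    hits = {}
    for key, data in sessions.items():
        text = data.decode("utf-8", errors="replace").lower()
        matched = [k for k in keywords if k.lower() in text]
        if matched:
            hits[key] = matched
    return hits

def build_baseline(history):
    """history: {host: [volume per window, ...]} from a known-good period;
    returns {host: (mean, population stdev)}."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}

def outside_standard_ops(baseline, current, k=3.0):
    """Hosts whose current volume exceeds the baseline mean by more than k standard
    deviations; hosts with no baseline are reported too, as nothing can vouch for them."""
    return {h: v for h, v in current.items()
            if h not in baseline or v > baseline[h][0] + k * baseline[h][1]}

# Constructed per-day volumes (MB) for a quiet week, then one day to assess.
HISTORY = {"10.0.0.5": [120, 130, 125, 118, 127], "10.0.0.7": [40, 45, 38, 42, 44]}
TODAY = {"10.0.0.5": 124, "10.0.0.7": 310}
```

Running `flag_sessions(reassemble_sessions(PACKETS), FLAGGED_KEYWORDS)` reports only the chat session, and `outside_standard_ops(build_baseline(HISTORY), TODAY)` reports only 10.0.0.7.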

The software also generates reports. “It pulls out an Excel-like rendering of information that's being examined, so customers can actually save that off,” says Capuano. Users can create two-dimensional visualizations of network infrastructure activity to aid in discovering illicit activity.

Such a tool falls into both the monitoring and forensics realm. “The need for in-depth network forensics in support of security activities is growing. At the same time, enterprise networks are becoming much more vast and complex,” says Pete Lindstrom, research director of Spire Security in Malvern, Penn. “SilentRunner Mobile Forensic Analyst enables customers to rapidly assess network activity, facilitate the burden of rectifying network misuse, and stay a step ahead of the next threat.”

SilentRunner also released SilentRunner Enterprise Edition, an appliance that provides information and intelligence on what networking resources are being accessed, by whom, how, and when. As with the Mobile Forensic Analyst, it records baselines of network activity to help administrators spot abnormal activity.

Customers with geographically distributed locations requested a way to analyze network data at more than one location. The Enterprise Edition lets companies deploy SilentRunner on multiple workstations and better tackle geographical issues, data transfer, and information extraction. “We moved the architecture from a flat file to a database architecture—the back end is now an Oracle database, that can now be accessed by single sets of analysis station or multiple sets of analysis stations,” says Capuano.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.