Data, too much Data

Today’s high speed networks produce and incredible amount of log data. This log data is generated from a variety of network devices such as routers, firewalls, operating systems and network services. This poses a series of problems for the investigator.

1. How do you sort and sift through gigabytes of log data?
2. How do you correlate the logs from different network devices and services?
3. How do you not just view the data, but interact with it too?
4. How do you quickly share data with other investigators?
5. How do you interact and not just view the data?

Bots, proxies and phishing

More and more, criminals are using bots to do their work. P2P communications and IRC are only two with their bots. These technologies are used to delay, circumvent and prevent successful investigation.

1. How do you identify proxies and account for them in the investigation?
2. How do you log IRC data and activity easily and continuously?
3. How do you tie such activity to the geography that drives jurisdiction and response policy?
4. How do you cross link bots and proxies to logs in cases?

The answer is ANVISS. ANVISS is an Advanced Network VISualization System that is designed to address all of the above issues and more. Some of the features include:

1. The ability to assign a group of diverse logs to a single case.
2. Log parsing with geo-lookup and GIS plotting
3. Geo-plotting network traffic by time and protocol
4. Central database that allows for cross correlation of network log data while preserving evidence integrity and privacy.?
5. Interaction of the IP data points that allows you to:
   • Add IP address to a watchlist
   • Cross domain manipulation gets the IP address out of the network space and into the real world or street addresses, people and jurisdiction.
   • Internet triangulation to identify the geography of the log data.
   • Cross log correlation lets the investigator search all associated case logs for the same IP address.
   • Flag an IP address as a bot or proxy and then share that with all users in the system.
6. A Global Sensor Grid (GSG) provides the investigator with access to the first privately owned, global grid network.
   • The GSG will monitor and log IRC so the investigator won’t have to.
   • Individual sensors will log general network traffic creating an index of malicious network.