Wednesday, November 26, 2008

Network-Based Forensics: Xplico

If you are interested in Network-Based Forensics, you should give this tool a try - Xplico. It is quite promising and under active development.

During the HITB training and conference, I mentioned the challenges and problems with Network-Based Forensics, one of them being the lack of protocol dissectors (especially at the application layer). Looking at the Xplico roadmap, you can see they are trying to add more and more dissectors to make traffic reconstruction more advanced (you can't really rely on TCP itself, as the session is mostly handled by the application layer these days).

Xplico is definitely designed for Network-Based Forensics only, and it follows the file-system forensics approach where you create a case and extract data from the pcap. There are a few things I would like to see in Xplico if possible:

1. Support for more packet formats (or conversion)
2. A better search engine (not only for email)
3. Report generation
4. Data export to various formats
5. Per-host traffic information

If you are interested in trying out Xplico quickly, you can check out the Deft live CD.

