Anyone in the cyber field that has been involved in a network investigation to determine the source and scope of a compromise knows that the process is time intensive. Traditionally, such investigations require logfiles from various sources: routers, firewalls, intrusion detection systems, and maybe packet captures from a sniffer if you have one. Reconstructing the sessions require matching up the timestamps, whiteboarding the data flows, and storing the logs for evidence in case law enforcement is involved. Only the truly skilled can determine exactly what was stolen from the network.

But along comes the former US Cyber Czar, Amit Yoran, with his company’s flagship product- Netwitness Investigator. This tool can reconstruct a network compromise on the fly, and it does so without the need to understand Hexidecimal code or have a protocol analyzer handy. All sessions are reconstructed so the analyst can see exactly what the attackers did- Web surfing sessions are rebuilt, emails and their attachments are reconstructed, VOIP is reassembled in an easy-to-listen player, and you can even map out the complete attack using Google Earth!

If you have ever watched 24 and scoffed at the abilities of the CTU cyber team to instantly analyze the sources of internet attacks or communications, scoff no more. Netwitness’ Investigator would make those tasks possible. The software, developed as a project for the CIA, is already in use in many government and national law enforcement agencies.

And the tool is now completely free. You can download it here. Rich Steinnon of Network World and Threat Chaos said of Investigator here:

This is the first software I have ever installed that comes with links to a YouTube channel for easy to follow training on how to use the product. There is a registration process but it goes quickly. Amit assured me that this is not in any way a watered down version of their product. The free version has all of the functionality of the commercial Investigator. It does have limits set on the size of a session that can be recorded of 1 gig. That should be more than enough for most investigations.

This tool represents a giant leap forward for cyber professionals. It consolidates many tools that have been around for a decade into an easy-to-use package for network forensics. And it should be an invaluable weapon in the fight against black hat hackers, ID thieves, and phishers too.