Forensics capture on a Capture Engine
The Forensics capture template available in Omnipeek is configured for post-capture forensic analysis. The template allows you to create and save forensic captures stored as packet files on the Capture Engine. You can then use these forensics captures to perform a more detailed investigation of the data to identify and troubleshoot items such as network problems, security attacks, HR policy violations, and more.
The Forensics Capture template is available from various tabs in the Capture Engines window. The basic steps on how to perform forensic analysis using the Forensics Capture template are described below. For more detailed instructions, see Forensic search from the ‘Forensics Capture’ window.
To start a forensics capture on a Capture Engine:
1. From a connected Capture Engine in the Capture Engines window, do one of the following:
• On the Home tab, click , and then click “.”
• On the Capture tab, click the arrow to the right of , and then click “.”
• On the Adapters tab, click , and then click “.”
The General options of the Capture Options dialog appears. See Configuring general options. See also Configuring adapter options to select a capture adapter.
NOTE: Since a ‘Forensics Capture’ is optimized for post capture forensics analysis, click the Analysis Options view from the Capture Options dialog and notice that all options are disabled by default. This helps to ensure packets are captured at the fastest rates possible.
2. Click from the Capture Options dialog. A new Capture Engine capture window appears.
3. Click to start capturing packets.
4. Click to stop capturing packets.
5. Once capture files are available on your Capture Engine, you can begin performing forensic analysis on the files by doing the following:
• On the Forensics tab, select the capture session you wish to search either from the Timeline or Details nested tab, drag to select the area of the capture session you wish to search in the Timeline graph, and then click . See Forensic search from the Forensics tab.
• On the Files tab, select one or more files that are from the desired time range, and then click . See Forensic search from the Files tab.
NOTE: You can also perform forensic analysis directly from a ‘Forensics Capture’ window. See Forensic search from the ‘Forensics Capture’ window.