HTTP reconstruction is an advanced network security feature offered by nChronos version 4.3.0 and later. nChronos is a Network Forensic Analysis application that captures packets/data around the clock. With HTTP reconstruction, network security engineers and IT managers can uncover suspicious user web activity and check user web history to examine specific HTTP incidents or HTTP data transferred in/out of the corporate network.
Download your copy of nChronos now!
Firewall.cx readers can also visit our nChronos Forensic Analysis section to gain access to more technical & network security articles covering nChronos.
Now let's take a look at how to use this new feature with Colasoft nChronos.
The HTTP reconstruction feature can be easily selected from the Link Analysis area. We first need to carefully select the time range required to be examined e.g 9th of July between 13:41 and 13:49:15. Once the time range is selected, we can move to the bottom window and select the IP Address tab to choose the IP address of interest:
Figure 1. Selecting our Time-Range, and IP Address of interest from Link Analysis
nChronos further allows us to filter internal and external IP addresses, to help quickly identify the IP address of interest. We selected External IP and then address 173.205.14.226.
All that's required at this point is to right-click on the selected IP address and choose HTTP Packet Reconstruction from the pop-up menu. Once HTTP Packet Reconstruction is selected, a new tab will open and the reconstruction process will begin as shown below: