Instead of examining disk drives for suspicious data, NetWitness monitors network traffic for suspicious events. It is easily installed from CD-Rom, requiring an activation key before it will function. It generates a unique computer ID number that has to be sent to their support centre, which will return an email with an activation key that locks the software to the workstation. The installation also offers a version of WinPcap if needed.
NetWitness can operate in "Stealth" mode, to avoid being detected in an intrusion attack, but only if it is operating on Ethernet-based networks. It can operate in a real-time mode, monitoring the traffic, or in file mode, in which case it will analyze files of captured data generated elsewhere, perhaps from Unix machines.
It also offers an archival mode, which ensures compressed logs of captured data are retained for later analysis, providing a way to track operations over time.
The system has extensive packet filtering features, allowing the analysis logs to be refined during the collection phase. A similar system is also available for events and properties. These "Application" rules can be applied to practically any piece of network information, and can generate a number of events such as real-time alerts and information logging as required. These facilities can be used to monitor parameters to meet particular legal requirements.
Having collected large amounts of data on network operations, NetWitness can collate and integrate it with data captured from other systems to produce a comprehensive understanding of the trends in the network traffic. It is then possible to refine the search and monitoring functions to focus on areas of concern.
All this information is presented in a way that brings simplicity and order to the complex and sometimes confusing network activity log information. When looking at the accumulated historical data, it is possible to see patterns of use that would be hard to find from simply examining raw network log files. The information is all there.