Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: An Introduction to RSA Netwitness Investigator - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
An Introduction to RSA Netwitness Investigator

In many cases using Wireshark to do a network forensics is a very difficult task especially if you need to extract files from a pcap file.  

Using tools such as RSA Netwitness Investigator can make network forensics much easier. RSA Netwitness Investigator is available as freeware.


1-Go to!freeware to obtain the latest version of RSA Netwitness Investigator.  

2-Launch NwInvestigatorSetup.exe

3- Read the license agreement and accept it (if you wish).

4- Choose users

5-Choose the Install location and click install.

Once you finished your installation you have to register  freeware user account. You have to activate your version before you can use it.


1-Create New local collection

2-Enter the new collection name:

3-Select the collection

4-Select Import Packets from Collection menu and select the pcap file that you would like to investigate

 5-Select Navigate Collection From Collection Menu

6-Now you should have something similar to this screen :

As you can see everything is clear and can browse it by Service Type (protocol) ,hostname ,source IP â?¦.. etc.

Let say for example you want to explore the name of the exe files that contained in the pcap file you do that by clicking on extension->exe and you will see all the exe files in the pcap file and you will see all the details of the file such as where itâ??s come from (IP Address and hostname ) and how itâ??s come (protocol) .


48 Posts
ISC Handler
Is RSA Eyewitness Investigator a fully audited open source product? If, not, why should it be trusted? In fact, why should any RSA product be trusted by the information security community, given the revelations about its complicity with the NSA to undermine and sabotage good security?

Quoting Anonymous:Is RSA Eyewitness Investigator a fully audited open source product? If, not, why should it be trusted?

It's a free tool that you can choose to use if you find it useful.
Which tools have been fully audited to your satisfaction? How about you run it locally in a VM, see what it does, and make a decision for yourself?
Make sure you test if it detects files with 'NSA' in the filename.

2 Posts Posts
How many open source projects can be described as "fully audited"? And who audits the auditors to make sure they are actually looking for what you care about? This loop can go on forever. At a certain point, you are taking things on faith.

18 Posts Posts
The point that not all open source has been fully and objectively audited is accurate, even if it adds nothing useful to the conversation. However, it is _auditable_, which has value. The fact is that credible accusations have been levied that RSA deliberately and repeatedly undermined the privacy and security of everyone who uses the internet in exchange for lucrative government contracts. Denials have been made by RSA which imo lack much credibility. You go ahead and trust them, I choose not to. Certainly everyone should make up his or her own mind on that issue, but that decision should be a fully informed one. I think that advocating use of their tools on this forum with no mention of those allegations is misguided.

There are valid concerns here about NSA.. but contemporaneously speaking having another "bullet" in the magazine is good too. What I have done, Onion the link, DL, use "tails" to check out and see how it works. Let us not be naive and think nothing has back-doors... well maybe there are proven "vapor modes" One could have DL the program on flight 370 and ran it from there.

52 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!