Forensics and full packet collection

Use IBM QRadar Incident Forensics in your deployment to retrace the step-by-step actions of a potential attacker, and conduct an in-depth forensics investigation of suspected malicious network security incidents.

QRadar Incident Forensics reconstructs raw network data that is related to a security incident back into its original form.

QRadar Incident Forensics integrates with the IBM QRadar Security Intelligence Platform and is compatible with many third-party packet capture offerings.

QRadar Incident Forensics offers an optional QRadar Network Packet Capture appliance to store and manage data that is used by QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.

QRadar Network Packet Capture components

The following components can be included in a QRadar deployment:

QRadar Console
Provides the QRadar product user interface. In distributed deployments, use the QRadar Console to manage multiple QRadar Incident Forensics Processor hosts.

QRadar Incident Forensics Processor
Provides the QRadar Incident Forensics product interface. The interface delivers tools to retrace the step-by-step actions of cyber criminals, reconstruct raw network data that is related to a security incident, search across available unstructured data, and visually reconstruct sessions and events.

You must add the QRadar Incident Forensics Processor as a managed host before you can use the security intelligence forensics capability.

QRadar Incident Forensics Standalone
Provides the QRadar Incident Forensics product user interface. Installing QRadar Incident Forensics Standalone provides the tools that you need to do forensics investigations. Only the forensics investigation functions and the related administrative functions are available.

QRadar Network Packet Capture
You can install an optional QRadar Network Packet Capture appliance. If no other packet capture device is deployed, you can use this appliance to store data that is used by QRadar Incident Forensics. You can install any number of these appliances as a tap on a network or subnetwork to collect the raw packet data.

If no packet capture device is attached, you can manually upload the packet capture files in the user interface or by using FTP.

Depending on your network and packet capture requirements, you can connect up to five packet capture devices to a QRadar Incident Forensics appliance.
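When capture files are uploaded manually rather than streamed from a packet capture appliance, it is worth validating each file locally before it is sent, so that a truncated transfer or a file in the wrong format is caught on the analyst's workstation instead of during ingestion. The checker below is an added example written for this page; it is not IBM's code and is not part of QRadar. It assumes that the files being uploaded are classic libpcap files (the page does not state which capture formats the appliance accepts, so the pcap-versus-pcapng distinction is an assumption), decodes the global header in either byte order, walks every record, and reports the link type, timestamp range, and how many packets were cut short by the snaplen. The two-record sample file is constructed inline so the script runs offline.

```python
"""Pre-upload sanity check for classic pcap capture files.

Added example (not IBM's code): confirm that a file is a classic pcap rather
than pcapng, decode its global header in either byte order, and walk every
record so that a corrupt or cut-off file is rejected before upload.
"""
import struct
import sys
from dataclasses import dataclass

PCAP_MAGIC_USEC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D      # classic pcap, nanosecond timestamps
PCAPNG_BLOCK_TYPE = 0x0A0D0D0A    # first block of a pcapng file (byte-order neutral)
LINKTYPE_ETHERNET = 1


@dataclass
class PcapSummary:
    byte_order: str          # "little" or "big", as written by the capturing host
    nanosecond: bool         # timestamp resolution flagged by the magic number
    snaplen: int             # maximum bytes captured per packet
    linktype: int            # LINKTYPE_* value of the capture interface
    packets: int             # records found in the file
    truncated_packets: int   # records where incl_len < orig_len (snaplen was hit)
    first_ts: float          # epoch seconds of the first record
    last_ts: float           # epoch seconds of the last record


def inspect_pcap(data: bytes) -> PcapSummary:
    """Parse a classic pcap file held in memory; ValueError if it is malformed."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header (24 bytes)")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_BLOCK_TYPE:
        raise ValueError("pcapng format; convert to classic pcap before upload")

    # The magic number is written in the capturing host's byte order, so try both.
    for order, name in (("<", "little"), (">", "big")):
        magic = struct.unpack(order + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError(f"unrecognized magic number {data[:4].hex()}")
    nanosecond = magic == PCAP_MAGIC_NSEC

    ver_major, ver_minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:24])
    if (ver_major, ver_minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {ver_major}.{ver_minor}")

    packets = truncated = 0
    first_ts = last_ts = 0.0
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError(f"record header at offset {offset} is cut off")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + 16])
        # incl_len may legitimately be below snaplen; it can never exceed orig_len.
        if incl_len > orig_len:
            raise ValueError(f"record at offset {offset} has inconsistent lengths")
        if offset + 16 + incl_len > len(data):
            raise ValueError(f"packet data at offset {offset} is cut off")
        ts = ts_sec + ts_frac / (1e9 if nanosecond else 1e6)
        if packets == 0:
            first_ts = ts
        last_ts = ts
        packets += 1
        if incl_len < orig_len:
            truncated += 1
        offset += 16 + incl_len

    return PcapSummary(name, nanosecond, snaplen, linktype,
                       packets, truncated, first_ts, last_ts)


def build_sample_pcap(order: str = "<") -> bytes:
    """Constructed sample: a two-record pcap whose second record was cut by snaplen."""
    header = struct.pack(order + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET)
    # 60-byte Ethernet frame: broadcast dst, made-up src, IPv4 ethertype, zero payload
    frame = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x00" * 46
    rec1 = struct.pack(order + "IIII", 1_700_000_000, 0, len(frame), len(frame)) + frame
    rec2 = struct.pack(order + "IIII", 1_700_000_001, 500_000, 32, len(frame)) + frame[:32]
    return header + rec1 + rec2


if __name__ == "__main__":
    # Usage: python pcap_check.py capture.pcap  (no argument: run on the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(inspect_pcap(blob))
```

A high count of truncated packets is the signal to look at before upload: a capture taken with a small snaplen cannot be reconstructed back into full sessions, no matter how the forensics appliance processes it.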

All-in-One deployment

In standalone or all-in-one deployments, you install the IBM QRadar Incident Forensics Standalone software. These single-appliance deployments are similar to installing the QRadar Console and the QRadar Incident Forensics managed host on one appliance, but without log management, network activity monitoring, or the other security intelligence features. For a standalone network forensics solution in small to midsize deployments, install QRadar Incident Forensics Standalone.

The following diagram shows a basic QRadar Incident Forensics All-in-One deployment.

Figure 1. All-in-one deployment

Distributed deployment

The following diagram shows a QRadar Incident Forensics distributed deployment.

Software versions for all IBM QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.

Figure 2. Distributed deployment

The following diagram shows packet forwarding from an IBM QRadar Flow Collector 1310 with a 10G Napatech network card to a QRadar Network Packet Capture appliance.

The QRadar Flow Collector uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to a QRadar Network Packet Capture appliance.

Figure 3. Packet forwarding