
Using IT management tools for forensics

Let's say that a U.S. Marine Corps unit is deployed to Afghanistan for six weeks. During that time they have some issues with connectivity of their hand-held radios, some VoIP (Voice over Internet Protocol) performance issues, and a security incident with one of their e-mail servers. Now remember, they're Marines, so they figure it out in real time and the mission doesn't suffer. A few months later, the IT management system data that was captured during that time is analyzed to get a better understanding of what went wrong, how it happened, and how it can be avoided in the future.

Using IT tools for forensics is one of my favorite things to do because you can learn so much about what's going on within your network and how your systems and applications are functioning. However, because this use case isn't the primary one in mind when IT management systems are designed, built, and deployed, using them for forensics can be difficult and more often than not requires some expert planning.

We've all probably used NetFlow-based applications to identify application slowdowns and network bottlenecks. NetFlow typically generates a tremendous amount of data, so most IT tools implement specialized algorithms for compressing, summarizing, and storing it. I myself hold a couple of patents in this area. If you didn't compress the data, your databases would grow uncontrollably and your ability to access the data would be significantly slowed. But the compression and summarization can wreak havoc on the forensics use case if you aren't careful about what you're doing.
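The following is an added example, not code from the original post or from SolarWinds, that makes the summarization problem concrete. It builds a constructed set of NetFlow-style records (steady VoIP-sized traffic from four hosts plus one 20-second outbound burst from a fifth host), rolls them up into time buckets the way a tool might to keep its database small, and runs the same simple "peak outbound rate" check against a 60-second rollup and a one-hour rollup. The host names, byte counts, and the 5,000 bytes/second threshold are all assumptions chosen for the illustration.

```python
"""
Why NetFlow summarization hurts forensics: the same constructed flow
records, rolled up at two different granularities, give different answers
to "which host sent an unusual burst?" and the coarse rollup also loses
the destination needed to answer "where did it go?".
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the capture (constructed)
    src: str     # source host
    dst: str     # destination host
    dport: int   # destination port
    nbytes: int  # bytes carried by this flow record


def build_sample_flows():
    """Constructed sample data (assumed values, not a real capture):
    four hosts each send a 15,000-byte flow to a SIP server every 30 s
    for one hour (500 bytes/s), and host 10.0.0.7 sends 100,000 bytes
    per second to an external host for 20 s starting at t=1800."""
    flows = []
    for i in range(2, 6):
        src = f"10.0.0.{i}"
        for ts in range(0, 3600, 30):
            flows.append(Flow(ts, src, "10.0.0.100", 5060, 15_000))
    for ts in range(1800, 1820):
        flows.append(Flow(ts, "10.0.0.7", "203.0.113.9", 443, 100_000))
    return flows


RAW_FLOWS = build_sample_flows()


def rollup(flows, bucket_seconds):
    """Summarize flows into (bucket_start, src) -> total bytes.
    This is the kind of rollup a tool does to bound database growth;
    note that destination and port are not part of the key and are lost."""
    agg = defaultdict(int)
    for f in flows:
        bucket = f.ts // bucket_seconds * bucket_seconds
        agg[(bucket, f.src)] += f.nbytes
    return dict(agg)


def peak_rate_by_host(flows, bucket_seconds):
    """Highest average bytes/second any host sent within one bucket.
    Coarser buckets spread a short burst over more seconds, so its
    apparent rate shrinks toward the baseline."""
    peak = defaultdict(float)
    for (_, src), total in rollup(flows, bucket_seconds).items():
        peak[src] = max(peak[src], total / bucket_seconds)
    return dict(peak)


def suspicious_hosts(flows, bucket_seconds, rate_threshold):
    """Hosts whose peak outbound rate in some bucket exceeds the threshold."""
    rates = peak_rate_by_host(flows, bucket_seconds)
    return sorted(h for h, r in rates.items() if r > rate_threshold)


def raw_destinations(flows, src):
    """Where a host sent traffic; answerable only from unsummarized records."""
    return sorted({(f.dst, f.dport) for f in flows if f.src == src})


if __name__ == "__main__":
    for bucket in (60, 3600):
        print(f"{bucket:>5}s rollup: flagged hosts ->",
              suspicious_hosts(RAW_FLOWS, bucket, 5_000))
    print("raw destinations for 10.0.0.7 ->", raw_destinations(RAW_FLOWS, "10.0.0.7"))
```

With 60-second buckets the burst host stands out at over 33,000 bytes/second, while in one-hour buckets it averages about 556 bytes/second and is indistinguishable from the SIP traffic; the hourly rollup also cannot say that the burst went to 203.0.113.9 on port 443. The practical takeaway is to decide, before an incident, how long raw or fine-grained flow records are retained and which fields (destination, port, protocol) must survive the rollup.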

Josh Stephens is Head Geek and VP of Innovation at SolarWinds, an IT management software company based in Austin, Texas. He shares network management best practices on SolarWinds' GeekSpeak and thwack. Follow Josh on Twitter @sw_headgeek and SolarWinds @solarwinds_inc. 

More information: Computerworld