Orion Incident Response Live CD
Figure 24: Xplico timeline of HTTP requests from malware
Another excellent tool for ad-hoc analysis of log data is the visualization tool ggobi. The ggobi software takes comma-separated value (.csv) or XML data as input and creates multi-dimensional views.
Rumint, the “network VCR player”, is another included visualization tool. It offers several different visualization techniques that can be combined to highlight outlying data or interesting patterns.
There are also many, many tools that extract different views of the data contained in .pcap files. Orion includes a script (/orion/scripts/analyze-pcap) created by one of our team members that takes a packet capture as input, and produces output from the
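As an added illustration of the kind of pcap post-processing these tools rely on (this is example code written for this page, not Orion's analyze-pcap script and not part of Xplico, ggobi or Rumint), the following Python script walks a classic pcap file, pulls out every HTTP request it finds in TCP payloads, and emits a timeline as CSV, which is the input format ggobi accepts. The capture it parses is constructed in memory so the script runs offline; the hostnames, addresses and timestamps in it are made up. It assumes an Ethernet capture carrying unfragmented IPv4/TCP segments whose request line and headers fit in a single segment; anything else is skipped rather than reassembled.

```python
import csv
import io
import socket
import struct
from typing import Dict, Iterator, List, Tuple

# Request lines we recognise at the start of a TCP payload.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FIELDS = ["timestamp", "src", "dst", "dport", "method", "host", "path"]


def _ethernet_ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(packets: List[Tuple[int, int, bytes]]) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def iter_records(pcap: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for each record; byte order is taken from the magic number."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated capture: stop rather than parse a partial frame
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def http_requests(pcap: bytes) -> List[Dict[str, str]]:
    """Extract a time-ordered list of HTTP request rows from an Ethernet/IPv4/TCP capture."""
    rows: List[Dict[str, str]] = []
    for ts, frame in iter_records(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:]
        if len(tcp) < 20:
            continue
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload.startswith(HTTP_METHODS):
            continue  # responses and non-HTTP traffic are ignored
        head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
        parts = head[0].split(b" ")
        if len(parts) != 3:
            continue
        host = ""
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("ascii", "replace")
                break
        rows.append({"timestamp": f"{ts:.6f}", "src": src, "dst": dst, "dport": str(dport),
                     "method": parts[0].decode("ascii", "replace"), "host": host,
                     "path": parts[1].decode("ascii", "replace")})
    rows.sort(key=lambda r: float(r["timestamp"]))
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    """Render the timeline as CSV text, ready to be loaded into ggobi or a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample capture: one GET, its response, and a later POST to a second host.
SAMPLE_PCAP = build_pcap([
    (1300000000, 250000, _ethernet_ipv4_tcp("10.0.0.5", "198.51.100.7", 49152, 80,
        b"GET /update.php?id=1 HTTP/1.1\r\nHost: update.example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n")),
    (1300000000, 250500, _ethernet_ipv4_tcp("198.51.100.7", "10.0.0.5", 80, 49152,
        b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    (1300000003, 0, _ethernet_ipv4_tcp("10.0.0.5", "203.0.113.9", 49153, 8080,
        b"POST /beacon HTTP/1.1\r\nHost: drop.example.test\r\n\r\nabc")),
])

if __name__ == "__main__":
    print(to_csv(http_requests(SAMPLE_PCAP)), end="")
```

Running the script prints a three-line CSV (header plus the two requests). Swap `SAMPLE_PCAP` for the bytes of a real capture file to produce the same timeline view that Figure 24 shows in Xplico; because it never reassembles TCP streams, a request split across segments is simply dropped, which is an acceptable loss for a quick first look but not for evidence handling.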