Netflow Forensics

Written by DFM team

George Bailey


Innocent or Guilty


Introduction

Digital forensics is an ever-changing discipline involving technology, processes and classic investigative skills. Digital forensic examiners are in a constant race to stay one step ahead of the bad guys, always looking for new ways to uncover evidence of probative value. This paper discusses the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided to increase the value of netflow data as a source of supporting evidence in digital forensic investigations. However, the reader should know that netflow data is not currently considered a strong enough source of evidence by itself, as many new forensic breakthroughs aren’t.


Netflow

Netflow is the common name for Internet Protocol Flow Information eXport, or IPFIX for short, and is used to monitor application-specific traffic as it traverses a network. Ratified as an Internet Engineering Task Force (IETF) standard in January 2008 (Claise, 2008), netflow or IPFIX monitoring has become a common feature on all enterprise-class routers, although each vendor may have its own name and/or proprietary format for implementing the IPFIX standard, such as Jflow for Juniper Networks devices and sFlow for Brocade network devices.


Netflow data, or flow records, can be generated by a routing or switching device as the traffic naturally flows through the network. The flow summary records are then ‘exported’, or sent over the network, to a collector for analysis and storage. Once netflow data has been exported to the collector it is permanently discarded by the exporting device. The netflow collector is a service listening on a remote server that collects, processes and stores the netflow records. Many network monitoring companies (e.g., SolarWinds, Netscout and Plixer) have commercial offerings in the netflow analysis space; however, open source solutions are also available.

A typical network flow contains several pieces of information that would be of interest during a digital forensic investigation. The seven default fields that identify a network flow are the source and destination IP addresses, the source and destination ports, the IP protocol in use, the ingress interface and the IP type of service (Cisco, n.d.). Once a unique netflow is detected by observing the above seven attributes, the exporter will also capture the start and finish time of the flow, as well as the number of packets and bytes observed (Cisco, 2008). The netflow record itself does not contain any content of the observed traffic; this could prove to be a sore point in a forensic investigation.


Organizations that are equipped to perform full packet captures of traffic may be able to resolve this weakness by capturing data in conjunction with collecting netflow data, once netflow records have been used to detect an issue.
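The following is an added example, not code from the article or from any vendor's exporter. It shows the two preceding points in working form: packets are grouped into flow records keyed on the seven default fields listed above, each record carries only start/finish time, packet and byte counts (no payload), and a flow that goes idle longer than an inactive timeout is exported and a fresh record started. A second function turns a flow of interest into the endpoint-and-interval query an investigator would run against a full packet capture store, since the flow record alone holds no content. The packets, the 15-second timeout value and the "at least N bytes" selection rule are all assumptions constructed for this example.

```python
"""Aggregate packet observations into netflow-style flow records.

Added example (not from the DFM article): a minimal exporter keyed on the
seven default flow fields the article lists. Sample packets, the inactive
timeout and the selection threshold are constructed values.
"""
from collections import namedtuple
from dataclasses import dataclass

# One observed packet: timestamp (s), the seven flow fields, and its size in bytes.
Packet = namedtuple("Packet", "ts src dst sport dport proto ifindex tos size")

# The seven fields that identify a unique flow: src/dst IP, src/dst port,
# IP protocol, ingress interface index, IP type of service.
FlowKey = namedtuple("FlowKey", "src dst sport dport proto ifindex tos")


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


INACTIVE_TIMEOUT = 15.0  # seconds; assumed value chosen for this example


def aggregate_flows(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Return the exported FlowRecords, in export order.

    Packets are processed in timestamp order. A packet whose 7-tuple matches an
    active flow updates that flow, unless the flow has been idle longer than
    inactive_timeout: then the old record is exported and a new one begins.
    No payload is kept; the record holds only counts and times, which is the
    limitation the article points out.
    """
    active = {}
    exported = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = FlowKey(p.src, p.dst, p.sport, p.dport, p.proto, p.ifindex, p.tos)
        rec = active.get(key)
        if rec is not None and p.ts - rec.last_seen > inactive_timeout:
            exported.append(active.pop(key))  # idle too long: export it
            rec = None
        if rec is None:
            rec = FlowRecord(key, p.ts, p.ts)
            active[key] = rec
        rec.last_seen = p.ts
        rec.packets += 1
        rec.octets += p.size
    # End of the observation period: flush whatever is still active.
    exported.extend(active.values())
    return exported


def capture_windows(flows, min_octets):
    """Endpoints and time intervals to pull from a full packet capture.

    Flow records carry no content, so once a flow of interest is identified
    (here, assumed: any flow carrying at least min_octets bytes) the
    investigator turns to the packet capture for the same endpoints and
    interval to see what was actually transferred.
    """
    return [(f.key.src, f.key.dst, f.first_seen, f.last_seen)
            for f in flows if f.octets >= min_octets]


# Constructed sample traffic: one TCP/80 conversation interrupted by a long
# idle gap, plus a single UDP/53 query on the same ingress interface.
SAMPLE = [
    Packet(100.0, "10.0.0.5", "203.0.113.7", 51000, 80, 6, 2, 0, 74),
    Packet(100.2, "10.0.0.5", "203.0.113.7", 51000, 80, 6, 2, 0, 512),
    Packet(101.0, "10.0.0.5", "203.0.113.7", 51000, 80, 6, 2, 0, 1400),
    Packet(130.0, "10.0.0.5", "203.0.113.7", 51000, 80, 6, 2, 0, 1400),  # idle > 15 s
    Packet(100.1, "10.0.0.5", "192.0.2.53", 40000, 53, 17, 2, 0, 64),
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE)
    for f in flows:
        print(f"{f.key.src}:{f.key.sport} -> {f.key.dst}:{f.key.dport} "
              f"proto={f.key.proto} {f.first_seen:.1f}-{f.last_seen:.1f} "
              f"pkts={f.packets} bytes={f.octets}")
    print("pcap windows:", capture_windows(flows, 1000))
```

Run as a script, the sample produces three records: the first TCP/80 flow (3 packets, 1986 bytes, 100.0 to 101.0), the DNS flow, and a second TCP/80 record that the idle gap split off. That split is worth remembering when reading real collector output: one long-lived connection can appear as several flow records, and the record's byte counts say nothing about what the bytes contained.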


George talks about the benefits of this subject in Issue 6 of DFM - out in Feb 2011 - subscribe today!


