Netflow Forensics

Written by DFM team

George Bailey


Innocent or Guilty


Introduction

Digital forensics is an ever-changing discipline involving technology, processes and classic investigative skills. Digital forensic examiners are in a constant race to stay one step ahead of the bad guys, always looking for new ways to uncover evidence of probative value. This paper discusses the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided to increase the value of netflow data as a source of supporting evidence in digital forensic investigations. However, the reader should know that netflow data is not currently considered a strong enough source of evidence on its own, as is the case with many new forensic techniques.


Netflow

Netflow is the common name for Internet Protocol Flow Information eXport, or IPFIX for short, and is used to monitor application-specific traffic as it traverses a network. Ratified as an Internet Engineering Task Force (IETF) standard in January 2008 (Claise, 2008), netflow or IPFIX monitoring has become a common feature on all enterprise-class routers, although each vendor may have its own name and/or proprietary format for implementing the IPFIX standard, such as Jflow for Juniper Networks devices and sFlow for Brocade network devices.


Netflow data, or flow records, can be generated by a routing or switching device as traffic naturally flows through the network. The flow summary records are then 'exported', that is, sent over the network to a collector for analysis and storage. Once netflow data has been exported to the collector it is permanently discarded by the exporting device. The netflow collector is a service listening on a remote server that collects, processes and stores the netflow records.

Many network monitoring companies (e.g., Solarwinds, Netscout and Plixer) have commercial offerings in the netflow analysis space; however, open source solutions are also available.

A typical network flow contains several pieces of information that would be of interest during a digital forensic investigation. The seven default fields that define a network flow are the source and destination IP addresses, source and destination ports, the IP protocol in use, the ingress interface and the IP type of service (Cisco, n.d.). Once a unique flow is detected by observing these seven attributes, the exporter also captures the start and finish time of the flow, as well as the number of packets and bytes observed (Cisco, 2008). The netflow record itself does not contain any content of the observed traffic; this could prove to be a sore point in a forensic investigation.
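To make the record structure concrete, the following is an added example (not code from the article or from any vendor's exporter) that folds constructed packet observations into flow records keyed on the seven fields named above, cuts a flow into a new record when it outlives an assumed active timeout, and then pulls out every flow involving one host the way an examiner would. Field names, the `active_timeout` value and the sample traffic are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class FlowRecord:
    key: tuple          # (src_ip, dst_ip, src_port, dst_port, proto, ifindex, tos)
    first_seen: float   # start time of the flow
    last_seen: float    # finish time of the flow
    packets: int = 0
    octets: int = 0     # bytes observed; no payload is ever retained

def flow_key(pkt):
    # The seven default fields that identify a flow.
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
            pkt["proto"], pkt["ifindex"], pkt["tos"])

def aggregate(packets, active_timeout=1800.0):
    """Return FlowRecords, oldest first. A record is opened when a key is first
    seen, or when the open record for that key has exceeded active_timeout
    seconds (assumed exporter behaviour: long flows are exported in pieces)."""
    active, exported = {}, []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        k = flow_key(pkt)
        rec = active.get(k)
        if rec is not None and pkt["ts"] - rec.first_seen > active_timeout:
            exported.append(active.pop(k))   # export, then forget
            rec = None
        if rec is None:
            rec = active[k] = FlowRecord(k, pkt["ts"], pkt["ts"])
        rec.last_seen = pkt["ts"]
        rec.packets += 1
        rec.octets += pkt["length"]
    exported.extend(active.values())         # final export of still-open flows
    return sorted(exported, key=lambda r: r.first_seen)

def flows_involving(records, ip):
    """Records in which ip is the source or the destination address."""
    return [r for r in records if ip in r.key[:2]]

def obs(ts, src, dst, sport, dport, proto, length, ifindex=2, tos=0):
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "ifindex": ifindex, "tos": tos, "length": length}

# Constructed sample observations: one DNS query, then a TLS session that is
# idle long enough for its last packet to land in a second record.
SAMPLE_PACKETS = [
    obs(1000.0, "10.0.0.5", "192.0.2.53", 51000, 53, 17, 70),
    obs(1001.0, "10.0.0.5", "203.0.113.7", 52000, 443, 6, 60),
    obs(1001.5, "10.0.0.5", "203.0.113.7", 52000, 443, 6, 1400),
    obs(1002.0, "10.0.0.5", "203.0.113.7", 52000, 443, 6, 1400),
    obs(3000.0, "10.0.0.5", "203.0.113.7", 52000, 443, 6, 60),
]

if __name__ == "__main__":
    for r in flows_involving(aggregate(SAMPLE_PACKETS), "10.0.0.5"):
        print(r)
```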


Organizations equipped to perform full packet captures may be able to address this weakness by capturing packet data alongside netflow data once the netflow records have been used to detect an issue.


George talks about the benefits of this subject in Issue 6 of DFM - out in Feb 2011 - subscribe today!





Meet the Authors

George Bailey

George Bailey is an IT security professional with over 15 years of experience
