Netflow Forensics

George Bailey


Innocent or Guilty


Introduction

Digital forensics is an ever-changing discipline involving technology, processes and classic investigative skills. Digital forensic examiners are in a constant race to stay one step ahead of the bad guys, always looking for new ways to uncover evidence of probative value. This paper discusses the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided to increase the value of netflow data as a source of supporting evidence in digital forensic investigations. However, the reader should know that netflow data is not currently considered a strong enough source of evidence on its own, as is the case with many new forensic breakthroughs.


Netflow

Netflow is the common name for Internet Protocol Flow Information eXport (IPFIX for short) and is used to monitor application-specific traffic as it traverses a network. Ratified as an Internet Engineering Task Force (IETF) standard in January 2008 (Claise, 2008), netflow or IPFIX monitoring has become a common feature on all enterprise-class routers, although each vendor may have its own name and/or proprietary format for implementing the IPFIX standard, such as Jflow for Juniper Networks devices and sFlow for Brocade network devices.


Netflow data, or flow records, can be generated by a routing or switching device as traffic naturally flows through the network. The flow summary records are then 'exported', that is, sent over the network to a collector for analysis and storage. Once netflow data has been exported to the collector it is permanently discarded by the exporting device. The netflow collector is a service listening on a remote server that collects, processes and stores the netflow records. Many network monitoring companies (e.g., Solarwinds, Netscout, and Plixer) have commercial offerings in the netflow analysis space; however, open source solutions are also available. A typical network flow contains several pieces of information that would be of interest during a digital forensic investigation. The seven default fields that define a network flow are the source and destination IP addresses, the source and destination ports, the IP protocol in use, the ingress interface and the IP type of service (Cisco, n.d.). Once a unique flow is identified by observing the above seven attributes, the exporter also records the start and finish time of the flow, as well as the number of packets and bytes observed (Cisco, 2008). The netflow record itself does not contain any content of the observed traffic; this could prove to be a sore point in a forensic investigation.
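To make the flow-generation process above concrete, here is an added example (not code from the article, its author, or any vendor's exporter) written in Python. It takes a constructed list of per-packet observations, groups them into flow records keyed on the seven fields just listed, tracks the first and last time each flow was seen along with packet and byte counters, and drops the cache entry once the flow is exported. The active and inactive timeout values are assumptions modelled on common router defaults, the `iface` field is assumed to be an SNMP interface index, and the sample traffic is constructed. The two query helpers at the end show the kind of question an examiner can answer from flow records alone, and the records deliberately carry no payload, mirroring the limitation the paragraph ends on.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """One packet as seen by the exporting router (constructed sample data)."""
    ts: float          # epoch seconds when the packet crossed the device
    src: str           # source IP address
    dst: str           # destination IP address
    sport: int         # source port (0 for protocols without ports)
    dport: int         # destination port
    proto: int         # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    iface: int         # ingress interface index (assumed SNMP ifIndex)
    tos: int           # IP type of service byte
    length: int        # total IP length in bytes
    payload: bytes = b""  # present on the wire, never copied into a flow


@dataclass
class Flow:
    """An in-progress flow in the exporter's cache."""
    key: tuple
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

    def as_record(self) -> dict:
        """The exported record: the seven key fields plus timing and counters."""
        src, dst, sport, dport, proto, iface, tos = self.key
        return {
            "src_ip": src, "dst_ip": dst,
            "src_port": sport, "dst_port": dport,
            "protocol": proto, "in_iface": iface, "tos": tos,
            "first_seen": self.first_seen, "last_seen": self.last_seen,
            "duration": self.last_seen - self.first_seen,
            "packets": self.packets, "octets": self.octets,
        }


def flow_key(p: Packet) -> tuple:
    """The seven fields the article lists; every distinct tuple is a new flow."""
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.iface, p.tos)


def aggregate(packets, active_timeout=1800.0, inactive_timeout=15.0):
    """Turn packets into flow records. A cached flow is exported (and its
    cache entry dropped) when it goes quiet for `inactive_timeout` seconds
    or has lived longer than `active_timeout` (assumed router defaults)."""
    cache = {}
    exported = []
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = cache.get(k)
        if f is not None and (p.ts - f.last_seen > inactive_timeout
                              or p.ts - f.first_seen > active_timeout):
            exported.append(cache.pop(k))   # export, then forget it locally
            f = None
        if f is None:
            f = cache[k] = Flow(key=k, first_seen=p.ts, last_seen=p.ts)
        f.last_seen = p.ts
        f.packets += 1
        f.octets += p.length
    exported.extend(cache.values())         # flush at end of observation window
    return [f.as_record() for f in exported]


def flows_for_host(records, ip):
    """Forensic query: every flow in which `ip` was the source or destination."""
    return [r for r in records if ip in (r["src_ip"], r["dst_ip"])]


def bytes_between(records, a, b):
    """Forensic query: total bytes exchanged between two hosts, both directions."""
    return sum(r["octets"] for r in records
               if {r["src_ip"], r["dst_ip"]} == {a, b})


def build_sample_packets():
    """Constructed traffic: a TLS session, a DNS lookup, and a later retry."""
    return [
        Packet(100.0, "10.0.0.5", "203.0.113.7", 51000, 443, 6, 1, 0, 60, b"SYN"),
        Packet(100.1, "10.0.0.5", "10.0.0.53", 40000, 53, 17, 1, 0, 70, b"query"),
        Packet(100.5, "203.0.113.7", "10.0.0.5", 443, 51000, 6, 2, 0, 60, b"SYN/ACK"),
        Packet(101.0, "10.0.0.5", "203.0.113.7", 51000, 443, 6, 1, 0, 1500, b"data"),
        Packet(102.0, "10.0.0.5", "203.0.113.7", 51000, 443, 6, 1, 0, 1500, b"data"),
        # Same seven-tuple 98 s later: the cache entry has timed out, so a
        # second, separate flow record is produced for the same conversation.
        Packet(200.0, "10.0.0.5", "203.0.113.7", 51000, 443, 6, 1, 0, 60, b"SYN"),
    ]


if __name__ == "__main__":
    for rec in aggregate(build_sample_packets()):
        print(rec)
```

Two points worth noticing when reading the output: the return direction of the TLS session appears as its own flow because the key is unidirectional (different source/destination and ingress interface), so an examiner reconstructing a conversation must pair flows; and the same conversation can be split into several records by the timeouts, so counting records is not the same as counting sessions.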


Organizations that are equipped to perform full packet captures may be able to resolve this weakness by capturing packet data alongside netflow data once netflow records have been used to detect an issue.


George talks about the benefits of this subject in Issue 6 of DFM - out in Feb 2011 - subscribe today!



 
Please make cache directory writable.
 

Submit an Article

Call for Articles

We are keen to publish new articles from all aspects of digital forensics. Click to contact us with your completed article or article ideas.

Featured Book

Learning iOS Forensics

A practical hands-on guide to acquire and analyse iOS devices with the latest forensic techniques and tools.

Meet the Authors

Angus Marshall

Angus Marshall is an independent digital forensic practitioner, author and researcher

 

Coming up in the Next issue of Digital Forensics Magazine

Coming up in Issue 39 on sale from February 2019:


Making Sense of Digital Forensic International Standards

To many the complexity of Standards, their numbering and obscure contents fail to make practical sense and confuse the entry points for effective use. A roadmap is provided in this paper for Standard information access and optimal use. Read More »

Evidentiary Challenges: Social media, the Dark Web, and Admissibility

This article takes a look at two categories of remote evidence: social media, and the dark web. We will also examine two interesting cases: The Target store credit card breach; and the civil case of Fero v Excellus Health Plan, Inc. Read More »

Subscribe today


Vehicle Data Forensics on Unsupported Systems

The article will help readers understand how to approach a vehicle from a digital forensics’ perspective, it will cover a range of infotainment units from popular manufacturers, data extraction methods and examples of data types found which may be considered intelligence and or used as digital evidence. Read More »

Every Issue
Plus the usual Competition, Book Reviews, 360, IRQ, Legal

Click here to read more about the next issue