Netflow Forensics

George Bailey


Innocent or Guilty


Introduction

Digital forensics is an ever-changing discipline involving technology, processes and classic investigative skills. Digital forensic examiners are in a constant race to stay one step ahead of the bad guys, always looking for new ways to uncover evidence of probative value. This paper discusses the challenges and benefits of using netflow data in digital forensic investigations. Suggestions are provided to increase the value of netflow data as a source of supporting evidence in digital forensic investigations. However, the reader should know that netflow data is not currently considered a strong enough source of evidence by itself, as is the case with many new forensic techniques.


Netflow

Netflow is the common name for Internet Protocol Flow Information eXport, or IPFIX for short, and is used to monitor application-specific traffic as it traverses a network. Ratified as an Internet Engineering Task Force (IETF) standard in January 2008 (Claise, 2008), netflow or IPFIX monitoring has become a common feature on all enterprise-class routers, although each vendor may have its own name and/or proprietary format for implementing the IPFIX standard, such as Jflow for Juniper Networks devices and sFlow for Brocade network devices.


Netflow data, or flow records, can be generated by a routing or switching device as traffic naturally flows through the network. The flow summary records are then 'exported', that is, sent over the network to a collector for analysis and storage. Once netflow data has been exported to the collector it is permanently discarded by the exporting device. The netflow collector is a service listening on a remote server that collects, processes and stores the netflow records. Many network monitoring companies (e.g., Solarwinds, Netscout, and Plixer) have commercial offerings in the netflow analysis space; however, open source solutions are also available. A typical network flow contains several pieces of information that would be of interest during a digital forensic investigation. The seven default fields that comprise a network flow are the source and destination IP addresses, the source and destination ports, the IP protocol in use, the ingress interface and the IP type of service (Cisco, n.d.). Once a unique flow is identified by those seven attributes, the exporter also records the start and finish time of the flow, as well as the number of packets and bytes observed (Cisco, 2008). The netflow record itself does not contain any content of the observed traffic; this could prove to be a sore point in a forensic investigation.


Organizations that are equipped to perform full packet capture may be able to compensate for this weakness by capturing packets alongside netflow data: the netflow records are used to detect an issue, and the matching full capture then supplies the content the flow record lacks.
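To make the two preceding paragraphs concrete, the following is an added example (not code from the article, and not any vendor's exporter): it aggregates a few constructed packet observations into flow records keyed on the seven default fields, recording only first/last timestamps and packet/byte counters (no payload), and then derives from one record the filter an examiner would use to pull the same conversation out of a full packet capture. The `Packet` and `FlowRecord` types, the field names and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Tuple

# One observed packet: the seven NetFlow key attributes plus the timestamp
# and size the exporter needs to maintain a flow's counters.
class Packet(NamedTuple):
    ts: float          # epoch seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int         # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    iface: int         # ingress interface index (SNMP ifIndex)
    tos: int           # IP type-of-service byte
    size: int          # bytes on the wire

# The seven-tuple that identifies a flow (assumed field order for this example).
FlowKey = Tuple[str, str, int, int, int, int, int]

@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

def flow_key(p: Packet) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.iface, p.tos)

def build_flows(packets: List[Packet]) -> Dict[FlowKey, FlowRecord]:
    """Aggregate packets into flow records the way an exporter does:
    a flow starts the first time a distinct seven-tuple is seen, and every
    later packet with the same key only updates timestamps and counters.
    Nothing from the payload is kept; only the summary survives."""
    flows: Dict[FlowKey, FlowRecord] = {}
    for p in packets:
        k = flow_key(p)
        rec = flows.get(k)
        if rec is None:
            flows[k] = FlowRecord(k, p.ts, p.ts, 1, p.size)
        else:
            rec.first_seen = min(rec.first_seen, p.ts)
            rec.last_seen = max(rec.last_seen, p.ts)
            rec.packets += 1
            rec.octets += p.size
    return flows

def pcap_filter(rec: FlowRecord) -> str:
    """BPF filter that selects this flow's packets from a full packet capture,
    so a flow record can be used to pivot into the content it does not hold."""
    src_ip, dst_ip, sport, dport, proto, _iface, _tos = rec.key
    name = {6: "tcp", 17: "udp"}.get(proto)
    if name is None:  # protocols without ports (e.g. ICMP) match on hosts only
        return f"ip proto {proto} and src host {src_ip} and dst host {dst_ip}"
    return (f"{name} and src host {src_ip} and src port {sport} "
            f"and dst host {dst_ip} and dst port {dport}")

# Constructed sample input: three packets of one HTTP connection and one DNS query.
SAMPLE = [
    Packet(1000.0, "10.0.0.5", "203.0.113.7", 51234, 80, 6, 2, 0, 74),
    Packet(1000.2, "10.0.0.5", "203.0.113.7", 51234, 80, 6, 2, 0, 517),
    Packet(1003.9, "10.0.0.5", "203.0.113.7", 51234, 80, 6, 2, 0, 66),
    Packet(1001.0, "10.0.0.5", "192.0.2.53", 40001, 53, 17, 2, 0, 83),
]

if __name__ == "__main__":
    for rec in build_flows(SAMPLE).values():
        window = f"{rec.first_seen:.1f}-{rec.last_seen:.1f}"
        print(f"{rec.key} {window} pkts={rec.packets} bytes={rec.octets}")
        print("  capture filter:", pcap_filter(rec))
```

The three HTTP packets collapse into one record (3 packets, 657 bytes, active from 1000.0 to 1003.9), which illustrates both halves of the article's point: the record is enough to notice and time-bound a conversation, but only the full capture selected by the derived filter and time window can show what was actually transferred.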


George talks about the benefits of this subject in Issue 6 of DFM - out in Feb 2011 - subscribe today!



Meet the Authors

George Bailey

George Bailey is an IT security professional with over 15 years of experience
