NetFlow
Definition
A network protocol (originally Cisco, now standardised as IPFIX under RFC 7011) that records metadata about IP traffic flows: source and destination IP, port, protocol, byte count, and duration. NetFlow does not capture packet content but is far less storage-intensive than full packet capture and is adequate for many investigative queries.
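To make the flow fields concrete, here is an added example (not code from the page or from any NetFlow implementation) that decodes a constructed NetFlow v5 export datagram into flow records and runs one investigative query over them. The field layout follows Cisco's published v5 header and record format; the addresses, counters and timestamps in the sample are constructed.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")              # version, count, sysuptime, ...
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # src, dst, nexthop, ifaces, counters, ...

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, _tos, *_rest) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "bytes": octets,
            "duration_ms": last - first,   # First/Last are sysuptime values in ms
            "tcp_flags": flags,
        })
    return flows

def bytes_per_source(flows: list, dport: int) -> dict:
    """Investigative query: total bytes each source host sent to a given destination port."""
    totals = defaultdict(int)
    for f in flows:
        if f["dport"] == dport:
            totals[f["src"]] += f["bytes"]
    return dict(totals)

def build_record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0) -> bytes:
    """Helper to construct one v5 record (nexthop 0, ifaces 1/2, AS 0, /24 masks)."""
    return V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                          pkts, octets, first, last, sport, dport, 0, flags, proto, 0,
                          0, 0, 24, 24, 0)

# Constructed sample datagram: three flows, two of them from 10.0.0.5 to TCP/443.
SAMPLE = V5_HEADER.pack(5, 3, 120000, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    build_record("10.0.0.5", "203.0.113.10", 51234, 443, 6, 40, 52000, 100000, 118000, 0x1b),
    build_record("10.0.0.5", "203.0.113.10", 51235, 443, 6, 12, 3900, 119000, 119500, 0x1b),
    build_record("10.0.0.7", "198.51.100.2", 40000, 53, 17, 1, 70, 119900, 119900, 0),
])

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(flow)
    print(bytes_per_source(parse_netflow_v5(SAMPLE), 443))
```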
Related terms
- Chain of custody: The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- DHCP lease log: A record maintained by a Dynamic Host Configuration Protocol server that maps each IP address assignment to the requesting device's MAC address,...
- Hypothesis testing: In digital forensics, the practice of forming a specific, falsifiable proposition about what occurred (such as 'the attacker used account X to...
- Intrusion Detection System (IDS): A network or host-based monitoring system that analyses traffic or system behaviour against a rule set (signature-based) or a statistical baseline (anomaly-based)...
- Link analysis: A graph-based analytical technique that maps entities (IP addresses, domains, accounts, phone numbers, wallets) as nodes and relationships (communications, ownership, transactions) as...
- PCAP (packet capture): A file format (and the process of creating it) that records every byte of every network packet passing a capture point, including...
- RADIUS log: An authentication, authorisation, and accounting record produced by a Remote Authentication Dial-In User Service server. Each entry records the username, authenticating device...
- SIEM (Security Information and Event Management): A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...
- Syslog: A standardised protocol (RFC 5424) for transmitting log messages from network devices to a centralised log server. Routers, switches, firewalls, and servers...
- Timeline reconstruction: The process of ordering digital events from multiple sources into a single chronological account. Requires normalising all timestamps to a common reference...
Explained in these topics
- Cyber Investigation Tools and Analytical Workflow: A network protocol (originally Cisco, now standardised as IPFIX under RFC 7011) that records metadata about IP traffic flows: source and destination IP, port,...
- Network Evidence Sources and Their Forensic Value: A network protocol developed by Cisco for collecting IP traffic flow metadata. Each flow record captures source and destination IP addresses, port numbers, pro...