Statistical flow record analysis is becoming increasingly important for forensic analysis, as the rate of network traffic generated and the volume of data stored far outpaces the rate at which investigators can process and analyze full packet captures. Although flow records were originally generated for the purposes of monitoring and improving network performance, in recent years investigators have begun to recognize that they are excellent sources of network-based forensic evidence as well.
A variety of sensor, collector, aggregation, and analysis tools exist, ranging from proprietary to free and open-source tools. One of the biggest challenges forensic investigators face is ensuring that the formats used by sensors and collectors are compatible with the analysis tools chosen for the investigation. As the industry matures, there have been movements to standardize flow record export formats, but support for these formats is still fragmented, and many older tools exist that rely on older protocols. Forensic investigators also need to consider the placement and type of flow sensors and collectors throughout the network environment in order to determine whether the evidence needed is already being collected, or w....
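The compatibility problem above is concrete once you look at the bytes: an analysis tool must know the exact export layout before it can compute anything. As an added example (not code from the book), the following assumes the NetFlow v5 wire layout (a 24-byte header followed by 48-byte records, network byte order), normalizes a constructed export packet into plain records, refuses packets of any other version instead of silently misreading them, and produces the first statistic an investigator usually wants, bytes sent per source host.

```python
"""Parse constructed NetFlow v5 export packets into normalized flow records
and total bytes per source (added example; not the book's code)."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(packet):
    """Return one dict per flow record; refuse anything that is not v5."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version}); use a matching parser")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds packet length (truncated export)")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport, _pad, flags, proto = rec[:14]
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
                      "packets": pkts, "bytes": octets, "duration_ms": last - first})
    return flows

def bytes_by_source(flows):
    """Simple statistical view: octets sent per source host across all records."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)

def build_v5_packet(records):
    """Constructed test export from (src, dst, sport, dport, proto, pkts, octets) tuples."""
    header = V5_HEADER.pack(5, len(records), 1000, 0, 0, 0, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                                   0, 0, pk, oc, 0, 60000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, pk, oc in records)
    return header + body

# Constructed sample (private and documentation addresses): two HTTPS flows
# from 10.0.0.5 and one RDP flow towards it.
SAMPLE = build_v5_packet([("10.0.0.5", "203.0.113.9", 51000, 443, 6, 40, 5000),
                          ("10.0.0.5", "203.0.113.9", 51001, 443, 6, 900, 1200000),
                          ("10.0.0.7", "10.0.0.5", 3389, 50123, 6, 12, 800)])
```

Running `bytes_by_source(parse_netflow_v5(SAMPLE))` gives `{'10.0.0.5': 1205000, '10.0.0.7': 800}`; a v9 or IPFIX export fed to the same function raises instead of producing wrong totals.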