NetflOSINT: Taking an often-overlooked data source and operationalizing it

Presented at Kernelcon 2022, April 2, 2022, 10:15 a.m. (60 minutes)

When we think of network forensics, we often gravitate immediately toward packet captures (PCAPs) and logs from routing devices. There is no disputing the importance and value of either, but this leaves another source frequently overlooked: Netflow. Many devices natively generate Netflow or IPFIX, but do we really analyze the data?

Many may be aware, but what if you were told that there are tools to extract Netflow data FROM PCAPs? This provides a means of more efficient statistical and in-depth analysis using a variety of methods, with smaller files that help gain context on what to query or follow in the PCAP streams.

This presentation will include demonstrations in Microsoft Excel, ELK, and Jupyter notebooks to allow a simple jumping point for integration into other aspects of an investigation using OSINT vectors.
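The flow extraction the abstract refers to comes down to grouping packets by their 5-tuple and keeping counters per group, which is why the resulting files are so much smaller than the capture. The Python below is an added example, not a tool from the talk or code by the presenter; it assumes packets have already been decoded from a PCAP into simple records (the `Packet` class and the `SAMPLE_PACKETS` traffic are constructed for illustration) and shows the aggregation step plus a "top talkers" summary of the kind you would then pivot on in Excel, ELK or a notebook. The active-timeout handling also goes slightly beyond the text: it splits a long-idle 5-tuple into two flow records, as a real exporter does.

```python
"""Aggregate decoded packet records into NetFlow-style flow records.

Added example: not code from the presentation. It assumes the caller has
already decoded packets (e.g. from a PCAP) into Packet records and shows
the aggregation that turns per-packet data into per-flow summaries.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# A flow key is the classic 5-tuple: src IP, dst IP, protocol, src port, dst port.
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class Packet:
    ts: float      # epoch seconds
    src: str
    dst: str
    proto: int     # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    length: int    # bytes on the wire


@dataclass
class Flow:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen


def aggregate_flows(packets: Iterable[Packet], active_timeout: float = 60.0) -> List[Flow]:
    """Collapse packets into unidirectional flows, ordered by first_seen.

    A new flow record is started for a 5-tuple when no packet has been seen
    on it for `active_timeout` seconds, mirroring how an exporter ages flows.
    Packets must be supplied in timestamp order.
    """
    open_flows: Dict[FlowKey, Flow] = {}
    finished: List[Flow] = []
    for p in packets:
        key: FlowKey = (p.src, p.dst, p.proto, p.sport, p.dport)
        flow = open_flows.get(key)
        if flow is not None and p.ts - flow.last_seen > active_timeout:
            # Idle too long: close the old record and start a fresh one.
            finished.append(open_flows.pop(key))
            flow = None
        if flow is None:
            flow = Flow(key=key, first_seen=p.ts, last_seen=p.ts)
            open_flows[key] = flow
        flow.last_seen = p.ts
        flow.packets += 1
        flow.octets += p.length
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda f: f.first_seen)


def top_talkers(flows: Iterable[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes sent per source address, largest first: the kind of summary
    that tells you which PCAP streams are worth following."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.key[0]] += f.octets
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample traffic (not real captured data): a DNS lookup, an HTTPS
# exchange between a workstation and a server, then one more packet to the
# same server after a long idle gap, which should become a separate flow.
SAMPLE_PACKETS = [
    Packet(1000.0, "10.0.0.5", "1.1.1.1", 17, 51000, 53, 70),
    Packet(1000.1, "10.0.0.5", "203.0.113.10", 6, 44000, 443, 60),
    Packet(1000.3, "10.0.0.5", "203.0.113.10", 6, 44000, 443, 1500),
    Packet(1000.4, "203.0.113.10", "10.0.0.5", 6, 443, 44000, 1500),
    Packet(1200.0, "10.0.0.5", "203.0.113.10", 6, 44000, 443, 900),
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_PACKETS)
    for f in flows:
        print(f.key, f.packets, f.octets, round(f.duration, 1))
    print(top_talkers(flows))
```

Five packets become four flow records here; on a real capture the reduction is far larger, and the `Flow` fields map directly onto the columns (source, destination, protocol, ports, packets, octets, start, end) that a spreadsheet, an ELK index or a DataFrame would hold for the analysis the talk demonstrates.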


Presenters:

  • Joe Gray
    Joe Gray, a veteran of the U.S. Navy Submarine Force, is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. As a member of the Password Inspection Agency, Joe has consistently performed well in Capture the Flag events, specifically those involving OSINT. Examples include winning the TraceLabs OSINT Search Party during DEFCON 28 (as a member of The Password Inspection Agency) and DEFCON 29 (as a member of The Federal Bureau of OH-SHINT). Joe’s book, Practical Social Engineering, is due in mid-2022 via No Starch Press.