Tutorial: Introduction to Network Forensics - using Netflow and Nfsen as a forensic tool

When: Monday, 21 February 2011 at 09:00 (UTC+8)
Where: HKCEC S227
Speakers: Cecil Goldstein (Team Cymru) [bio]

Access to the slides (6.6 MB) is provided only to APRICOT delegates. Please contact cgoldstein@cymru.com and provide your registration ID to obtain the password.

This tutorial provides a very basic introduction to the Netflow protocol and its application as a forensic tool. The structure of Netflow records and how they are generated and exported will be discussed. Similarly, the operation of Nfsen as a security tool will be examined.

Participants will use an example of a real (anonymised) dataset to examine and analyse the flow traffic and to work through a number of incident scenarios:

  • Set Nfsen alert and triggers
  • Define Nfsen stats
  • Use Nfsen filters to find top talkers, web, ftp and dns servers, port scanners, top protocols
  • Track an identified infected host
  • Investigate a reported attack coming from your network
  • Monitor your network for a reported scanning activity using a recently identified vulnerability
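The scenarios above are all questions asked of a table of flow records: who sends the most bytes, which hosts receive connections on port 80 or 53, which source touches many ports on one host with single-packet flows. The script below is an added example, not material from the tutorial or from the Nfsen/nfdump projects; it runs the same questions over a constructed, nfdump-style CSV sample so the logic behind each Nfsen stat or filter is visible. The column layout, addresses and the thresholds (two distinct clients to call something a server, five distinct ports with at most two packets per flow to call something a scan) are assumptions chosen for illustration.

```python
"""Flow-record analysis mirroring the Nfsen/nfdump exercises in the tutorial.

Added example; the sample records are constructed to resemble `nfdump -o csv`
output but are invented, and the column layout and thresholds are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample: timestamp, src, dst, sport, dport, proto, packets, bytes
SAMPLE_FLOWS = """\
2011-02-21 09:00:01,192.0.2.10,203.0.113.5,51234,80,TCP,12,9800
2011-02-21 09:00:02,192.0.2.11,203.0.113.5,51235,80,TCP,8,6200
2011-02-21 09:00:03,192.0.2.12,203.0.113.5,51236,80,TCP,10,7100
2011-02-21 09:00:04,192.0.2.10,203.0.113.9,51237,53,UDP,1,78
2011-02-21 09:00:05,192.0.2.11,203.0.113.9,51238,53,UDP,1,80
2011-02-21 09:00:06,192.0.2.13,203.0.113.7,51239,21,TCP,30,250000
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40000,22,TCP,1,60
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40001,23,TCP,1,60
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40002,25,TCP,1,60
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40003,80,TCP,1,60
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40004,443,TCP,1,60
2011-02-21 09:00:07,198.51.100.77,192.0.2.20,40005,3389,TCP,1,60
2011-02-21 09:00:09,192.0.2.13,198.51.100.9,51240,6667,TCP,40,5200
"""


def parse_flows(csv_text):
    """Turn the CSV text into a list of dicts with numeric ports/counters."""
    flows = []
    for line in csv_text.strip().splitlines():
        ts, sa, da, sp, dp, pr, pkts, byt = line.split(",")
        flows.append({"ts": ts, "sa": sa, "da": da, "sp": int(sp), "dp": int(dp),
                      "pr": pr, "pkts": int(pkts), "bytes": int(byt)})
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first (an Nfsen 'top N' stat)."""
    total = Counter()
    for f in flows:
        total[f["sa"]] += f["bytes"]
    return total.most_common(n)


def servers_on_port(flows, port, proto="TCP", min_clients=2):
    """Hosts receiving `proto`/`port` flows from at least min_clients distinct sources.

    Requiring several distinct clients separates a real web/ftp/dns server from
    a host that merely got one probe on that port (assumed threshold)."""
    clients = defaultdict(set)
    for f in flows:
        if f["dp"] == port and f["pr"] == proto:
            clients[f["da"]].add(f["sa"])
    return sorted(h for h, c in clients.items() if len(c) >= min_clients)


def port_scanners(flows, min_ports=5, max_pkts=2):
    """Sources that hit >= min_ports distinct destination ports on one host
    using tiny flows (a completed session has more than a packet or two)."""
    ports = defaultdict(set)
    for f in flows:
        if f["pkts"] <= max_pkts:
            ports[(f["sa"], f["da"])].add(f["dp"])
    return sorted({sa for (sa, _da), p in ports.items() if len(p) >= min_ports})


def top_protocols(flows):
    """Flow count per protocol, most common first."""
    count = Counter(f["pr"] for f in flows)
    return count.most_common()


def track_host(flows, host):
    """Every flow to or from `host` in time order, for following a suspect machine."""
    return sorted((f for f in flows if host in (f["sa"], f["da"])),
                  key=lambda f: f["ts"])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top talkers:", top_talkers(flows))
    print("web servers:", servers_on_port(flows, 80))
    print("dns servers:", servers_on_port(flows, 53, proto="UDP"))
    print("scanners:", port_scanners(flows))
    print("protocols:", top_protocols(flows))
    for f in track_host(flows, "192.0.2.13"):
        print("192.0.2.13:", f["ts"], f["sa"], "->", f["da"], f["dp"], f["bytes"])
```

On a real Nfsen installation the same questions are put to nfdump directly, for example a top-talker statistic with `nfdump -s srcip/bytes -n 10` and a filter such as `proto tcp and dst port 80` to isolate web traffic; the script above just makes the grouping and thresholds explicit. Note that `track_host` follows the constructed host 192.0.2.13 from a large FTP transfer to a connection on TCP 6667, the kind of trail the "track an identified infected host" exercise has you build from flows rather than packet captures.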

Hands-on exercises will be included if feasible, so participants are asked to bring their own laptops.

About the Presenter

Cecil Goldstein

Cecil is the Team Cymru Training Practice Manager. Based in Brisbane, Cecil was previously the Training Manager at APNIC, responsible for developing and delivering their training program largely in the developing and under-developed countries of the Asia Pacific region.

Before joining APNIC, Cecil was a lecturer in the Faculty of Information Technology at the Queensland University of Technology, focusing particularly on internetworking subjects.

He has been involved in Internet training and support from the initial AARNet days and co-authored the first guide to using the Internet (AARNet) in Australia, "Getting the Most out of AARNet".

He is passionate about keeping the Internet safe, free and working, and about strengthening its accessibility and usability in the developing world.