NetFlow / sFlow / IPFIX Records
Location
NetFlow collector (e.g., nfdump files, SiLK repository, or SIEM ingestion)
Description
Network flow metadata records summarizing each connection with source/destination IP, ports, protocol, byte count, packet count, TCP flags, and duration without full payload content.
Forensic Value
Flow data provides long-term network visibility where full PCAP retention is not feasible due to storage costs. Flow records reveal C2 beaconing patterns through periodic connections of consistent size and interval to the same destination. Large outbound byte counts to unusual destinations indicate data exfiltration. Lateral movement appears as new internal-to-internal flows on management ports (RDP 3389, SMB 445, SSH 22) that did not exist before the compromise window.
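The three flow-level indicators described above (periodic same-size beacons, large outbound byte totals, and new internal-to-internal management-port flows) can be checked mechanically over exported flow records. The script below is an added example and is not code from the original page: the CSV layout and column names (ts, te, sa, da, sp, dp, pr, flg, ibyt, ipkt) are loosely modelled on an nfdump CSV export but are an assumption, every flow record is constructed, and the thresholds (five flows, 10% variation, 100 MB, compromise window starting 2024-03-01 08:00) are placeholders to be tuned per environment.

```python
"""Triage flow records for beaconing, bulk outbound transfer and new lateral flows.
Added example, not part of the original page. Record layout mimics an nfdump-style
CSV export (assumed column order); all records below are constructed."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flows (not real collector output). Columns: start, end, src IP,
# dst IP, src port, dst port, protocol, TCP flags, bytes, packets.
SAMPLE_FLOWS = """\
ts,te,sa,da,sp,dp,pr,flg,ibyt,ipkt
2024-02-28 09:10:00,2024-02-28 09:10:05,10.0.1.15,10.0.2.41,50011,3389,TCP,.AP.SF,88210,140
2024-03-01 08:00:00,2024-03-01 08:00:01,10.0.1.15,203.0.113.77,49152,443,TCP,.AP.SF,1420,12
2024-03-01 08:05:01,2024-03-01 08:05:02,10.0.1.15,203.0.113.77,49160,443,TCP,.AP.SF,1418,12
2024-03-01 08:10:00,2024-03-01 08:10:01,10.0.1.15,203.0.113.77,49171,443,TCP,.AP.SF,1421,12
2024-03-01 08:14:59,2024-03-01 08:15:00,10.0.1.15,203.0.113.77,49188,443,TCP,.AP.SF,1419,12
2024-03-01 08:20:00,2024-03-01 08:20:01,10.0.1.15,203.0.113.77,49201,443,TCP,.AP.SF,1420,12
2024-03-01 08:25:00,2024-03-01 08:25:01,10.0.1.15,203.0.113.77,49215,443,TCP,.AP.SF,1422,12
2024-03-01 08:22:10,2024-03-01 08:22:40,10.0.1.15,10.0.2.40,50120,445,TCP,.AP.SF,51200,90
2024-03-01 08:23:00,2024-03-01 08:23:05,10.0.1.15,10.0.2.41,50130,3389,TCP,.AP.SF,90100,150
2024-03-01 08:30:00,2024-03-01 08:41:00,10.0.1.15,198.51.100.9,50140,443,TCP,.AP.SF,262144000,190000
2024-03-01 08:02:00,2024-03-01 08:02:03,10.0.1.20,93.184.216.34,50200,443,TCP,.AP.SF,20480,40
2024-03-01 08:33:00,2024-03-01 08:33:04,10.0.1.20,93.184.216.34,50210,443,TCP,.AP.SF,7300,25
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MGMT_PORTS = {22, 445, 3389}                          # SSH, SMB, RDP
COMPROMISE_WINDOW_START = datetime(2024, 3, 1, 8, 0)  # assumed for the sample data


def parse_flows(text):
    """Parse CSV text with a header row into dicts with typed timestamps, ports and counters."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for col in ("ts", "te"):
            rec[col] = datetime.strptime(rec[col], "%Y-%m-%d %H:%M:%S")
        for col in ("sp", "dp", "ibyt", "ipkt"):
            rec[col] = int(rec[col])
        flows.append(rec)
    return flows


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def _cv(values):
    """Coefficient of variation; near 0 means the series is almost constant."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst, dport) groups whose inter-arrival gaps and byte counts barely vary."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["sa"], f["da"], f["dp"])].append(f)
    hits = []
    for key, group in groups.items():
        if len(group) < min_flows:
            continue
        group.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(group, group[1:])]
        sizes = [f["ibyt"] for f in group]
        if _cv(gaps) <= max_cv and _cv(sizes) <= max_cv:
            hits.append({"key": key, "count": len(group),
                         "interval_s": round(mean(gaps)), "bytes": round(mean(sizes))})
    return hits


def find_exfil(flows, threshold_bytes=100_000_000):
    """Sum bytes per internal-source -> external-destination pair and flag large totals."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["sa"]) and not is_internal(f["da"]):
            totals[(f["sa"], f["da"])] += f["ibyt"]
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total >= threshold_bytes)


def find_new_lateral(flows, window_start=COMPROMISE_WINDOW_START):
    """Internal-to-internal flows on management ports whose (src, dst, port) triple
    never appeared before the compromise window."""
    baseline, new = set(), set()
    for f in flows:
        if not (is_internal(f["sa"]) and is_internal(f["da"])):
            continue
        triple = (f["sa"], f["da"], f["dp"])
        if f["ts"] < window_start:
            baseline.add(triple)
        elif f["dp"] in MGMT_PORTS:
            new.add(triple)
    return sorted(new - baseline)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_beacons(flows):
        print("beacon :", hit)
    for src, dst, total in find_exfil(flows):
        print(f"exfil  : {src} -> {dst} {total / 1e6:.0f} MB")
    for src, dst, port in find_new_lateral(flows):
        print(f"lateral: {src} -> {dst}:{port} (new during window)")
```

On the constructed data the beacon check isolates the 10.0.1.15 to 203.0.113.77:443 series (six flows, 300 s apart, about 1420 bytes each), the volume check surfaces the single 262 MB transfer to 198.51.100.9, and the lateral check reports only the SMB flow to 10.0.2.40, because the RDP flow to 10.0.2.41 already existed in the pre-window baseline. Real collectors export many more fields; the logic only needs timestamps, endpoints, destination port and byte counts, so it maps directly onto nfdump or SiLK output once the column names are adjusted.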
Tools Required
Used in Procedures
Related Blockers
No PCAP or NetFlow Data Available
There is no packet capture, NetFlow, or network metadata available for the timeframe of interest. Without network data it is difficult to confirm data exfiltration volumes, C2 channel details, or lateral movement paths.
Need Data from External Vendor or MSP
Critical evidence resides with a third-party managed service provider, SaaS vendor, or hosting company. Your team has no direct access and must navigate contractual, legal, and technical hurdles to obtain logs or images.
Legal Requesting Preservation Conflicts with Containment
Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Backups May Be Compromised -- Cannot Trust for Recovery
Backup integrity is uncertain. The attacker may have been present in the environment long enough to have compromised backup copies, planted persistence mechanisms in backup images, or encrypted/deleted backup repositories.