Posts in Forensics
Visualizing Netflow data

This is the first post in a series on visualizing Netflow data. The post starts with some basic Netflow concepts and some guidelines for setting up an environment in which you can reproduce the samples in these posts. After that, we'll use FlowPlotter to create our first visualizations.

What is Netflow?
Netflow data is a record of the traffic passing a given network interface or device, summarized per flow (source and destination address, ports, protocol, packet and byte counters, start and end times), and can be invaluable during incident response and forensic investigations. Unlike a full packet capture (FPC), Netflow contains only the metadata of the network traffic, not the payload.
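To make the "metadata only" point concrete, here is an added example that is not part of the original post or of FlowPlotter: a small NetFlow v5 export parser in Python. The field layout is the documented NetFlow v5 header and record format; the datagram it parses is constructed inline (sample addresses and counters, not a real capture), and the function names are my own.

```python
"""Parse a NetFlow v5 export datagram and aggregate the flows it carries.

Added example, not code from the original post. A v5 record holds the
flow 5-tuple, interface indices, counters and timestamps - no payload.
"""
import socket
import struct

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)

# NetFlow v5 flow record (48 bytes), fields in wire order
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram):
    """Return (header_dict, [record_dict, ...]) for one v5 export datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # v5 exporters send at most 30 records per datagram; never trust count blindly
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine": (engine_type, engine_id), "sampling": sampling}
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "pkts": pkts, "octets": octets, "tcp_flags": tcp_flags,
            "in_if": in_if, "out_if": out_if, "tos": tos,
            # first/last are router uptime in ms; convert start to epoch seconds
            "start": unix_secs + (first - sys_uptime) // 1000,
            "duration_ms": last - first,
        })
    return header, records


def bytes_by_src(records):
    """Aggregate octets per source address (the kind of rollup a chart needs)."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["octets"]
    return totals


def _record_bytes(src, dst, sport, dport, proto, pkts, octets, first, last, tcp_flags=0):
    # Constructed sample record; interface and AS values are placeholders.
    return struct.pack(RECORD_FMT,
                       socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"),
                       1, 2,                      # input/output ifIndex
                       pkts, octets, first, last,
                       sport, dport,
                       0, tcp_flags, proto, 0,    # pad1, tcp_flags, prot, tos
                       0, 0,                      # src_as, dst_as
                       24, 8,                     # src_mask, dst_mask
                       0)                         # pad2


def build_sample_datagram():
    """Construct a two-record v5 datagram (sample data, not a real export)."""
    recs = [
        # TCP session to 10.0.0.5:443, flags SYN|ACK|PSH|FIN (0x1b), 5 s long
        _record_bytes("192.168.1.10", "10.0.0.5", 51234, 443, 6, 12, 3400, 90000, 95000, 0x1b),
        # single DNS query to 8.8.8.8:53
        _record_bytes("192.168.1.10", "8.8.8.8", 5353, 53, 17, 1, 76, 96000, 96000),
    ]
    header = struct.pack(HEADER_FMT, 5, len(recs), 100000, 1400000000, 0, 1, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    for f in flows:
        print("%s %s:%d -> %s:%d pkts=%d bytes=%d dur=%dms" % (
            f["proto"], f["src"], f["sport"], f["dst"], f["dport"],
            f["pkts"], f["octets"], f["duration_ms"]))
    print(bytes_by_src(flows))
```

Note the length check before the record loop: a truncated or hostile datagram whose header claims more records than it carries should fail loudly rather than silently yield partial flows.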

New version of VolWeb

I've been playing around with the script I created in the previous blog post and I'm starting to think that there is some real potential in a web interface for Volatility. So I've made some improvements to the script to make it more functional.

VolShell For The Web!

So we're up for the second blog post; it took me almost a year to get another one out. But as always, I try to focus on quality over quantity ;-). Again, the object of my affection is Volatility, an amazingly flexible tool for performing memory analysis. For this sample I've used Volatility 2.2, but this will probably work on other versions as well.

Automating Volatility

When I use Volatility I'm always amazed at the amount of forensic information that is available just from memory. Volatility comes with a large number of plugins that make it very easy to get that information out of a memory image without extensive knowledge of how memory is actually organized.
