Tom Cross and I had a great time presenting and spending time with the incident responders at the SANS Digital Forensics and Incident Response Summit in Austin, TX this year. The deck we used is now available for download here: It was titled "Hunting Attackers with Network Audit Trails" and covered open source and commercial tools for processing NetFlow/IPFIX for forensic purposes.