In his presentation, Yann Berthier introduces NetFlow as an information source for network forensics.
In the age of Gigabit Ethernet, full packet captures of network traffic are almost impossible to handle. Flows offer an alternative source of information, though one should not forget that they were designed for network analysis rather than for network forensics.
In his presentation (PDF) for Hack.lu 2005, Yann Berthier explains the basics of NetFlow. He describes how to configure a router to generate flows, and how to export the records and collect them at a central node. Finally, he shows ways to analyze the data with respect to the typical questions of a forensic investigation.
