Network Forensics

by Hacker Academy

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.

Duration: 4 Days

Course Details

Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

Our Network Forensics service is designed to equip cybersecurity professionals and IT teams with the skills and knowledge to conduct in-depth investigations, analyse network traffic, and uncover potential security breaches. 

Our service focuses on empowering your team with advanced techniques and methodologies to gather critical digital evidence, understand attack vectors, and reconstruct the sequence of events surrounding a cybersecurity incident.

 

Participants Will Be Able To Learn:

  • How to extract files from network packet captures, and how to analyse these files for.
  • How to use NetFlow data to identify relevant past network occurrences.
  • How to include log data into a comprehensive analytic process, filling knowledge gaps.
  • How attackers leverage man-in-the-middle tools to intercept seemingly secure communications.

 

Who Should Attend?

  • All employees who want to learn how to detect, investigate, repair, and recover compromised systems at the organization's endpoints using data collected over the network. Especially for:
      • Information Security Professionals
      • SOC Analysts
      • Incident Response Team Members
      • Blue Team Members

 

Course Syllabus:

  • Basic Network Forensics Tools:
      • tcpdump
          • pcap file format
          • Berkeley Packet Filter (BPF)
          • Data reduction
          • Useful command-line parameters
      • Wireshark
          • User interface
          • Display filters
          • Useful features for network forensic analysis
  • Network Evidence Acquisition
      • Full-packet capture
      • Logs
      • NetFlow
      • Capture devices:
          • Switches
          • Taps
          • Layer 7 sources
          • NetFlow
  • Hypertext Transfer Protocol (HTTP)
      • Request/response dissection
      • Useful HTTP fields
      • HTTP tracking cookies
      • Log formats
      • Expanded mod_forensic logging
  • Domain Name Service (DNS):
      • Tunnelling
      • Logging methods
  • Firewall, Intrusion Detection System, and Network Security Monitoring Logs
      • Firewalls
          • Families of firewall solutions
          • Syntax and log formats
      • Intrusion Detection Systems (IDS) and Network Security Monitoring (NSM) Platforms
          • Rules and signatures
          • Families of IDS and NSM solutions
      • Zeek NSM
          • Basics and use cases
          • Logging
          • Signature engine
  • Logging Protocol and Aggregation
      • Syslog
      • Microsoft Eventing
      • Log Data Collection, Aggregation, and Analysis
      • SOF-ELK Platform
          • Basics and pros/cons of the Elastic stack
  • NetFlow Collection and Analysis
      • NetFlow
          • NetFlow artefacts useful for examining encrypted traffic
  • Open-Source Flow Tools
      • Using open-source tool sets to examine NetFlow data
      • SiLK
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK: NetFlow ingestion and dashboards
  • SSL/TLS
      • Encoding algorithms
      • Encryption algorithms
          • Symmetric & Asymmetric
      • Profiling SSL/TLS connections with useful negotiation fields
  • and more

London Branch: King’s Cross St. Pancras Hamilton House, London
