NETWORK FORENSICS TRAINING COURSE DESCRIPTION
This course studies network forensics: the monitoring and analysis of network traffic
for information gathering, intrusion detection and legal evidence. We focus on
the technical aspects of network forensics rather than other skills such as
incident response procedures. Hands-on sessions follow all the major
sections.
WHAT WILL YOU LEARN
* Recognise network forensic data sources.
* Perform network forensics using:
  - Wireshark
  - NetFlow
  - Log analysis
* Describe issues such as encryption.
NETWORK FORENSICS TRAINING COURSE DETAILS
* Who will benefit:
Technical network and/or security staff.
* Prerequisites:
TCP/IP foundation for engineers.
* Duration:
3 days
NETWORK FORENSICS TRAINING COURSE CONTENTS
* What is network forensics?
What it is, host vs network forensics, purposes, legal implications, network
devices, network data sources, investigation tools.
Hands-on: whois, DNS queries.
* Host side network forensics
Services, connection tools.
Hands-on: Windows services, Linux daemons, netstat, ifconfig/ipconfig, ps and
Process Explorer, ntop, arp, Resource Monitor.
* Packet capture and analysis
Network forensics with Wireshark, taps, NetworkMiner.
Hands-on: performing network traffic analysis using NetworkMiner and
Wireshark.
* Attacks
DoS attacks, SYN floods, vulnerability exploits, ARP and DNS poisoning,
application attacks, DNS ANY requests, buffer overflow attacks, SQL injection
attacks, attack evasion with fragmentation.
Hands-on: detecting scans, using nmap, identifying attack tools.
* Calculating location
Timezones, whois, traceroute, geolocation, Wi-Fi positioning.
Hands-on: Wireshark with GeoIP lookup.
* Data collection
NetFlow, sFlow, logging, Splunk, Splunk patterns, GRR, HTTP proxies.
Hands-on: NetFlow configuration, NetFlow analysis.
* The role of IDS, firewalls and logs
Host-based vs network-based, IDS detection styles, IDS architectures,
alerting. Snort, syslog-ng, Microsoft Log Parser.
Hands-on: syslog, Windows Event Viewer.
* Correlation
Time synchronisation, capture times, log aggregation and management,
timelines.
Hands-on: Wireshark conversations.
* Other considerations
Tunnelling, encryption, cloud computing, Tor.
Hands-on: TLS handshake in Wireshark.