Practical Techniques for Analyzing Suspicious Network Traffic for Network Engineers (MK)
Duration:
5 Days
Audience:
This course is designed for Network Engineers, Security and Law Enforcement Personnel who possess basic to intermediate general security and networking knowledge. Successful completion of this course will provide these individuals with a pathway into the field of Network Forensics Analysis. Personnel who already possess a working knowledge of Host-based Forensics Analysis should also attend this course as a means of gaining expertise in the End-to-End Digital Forensics process.
Employees of federal, state and local governments; and businesses working with the government.
Recommended Course Prerequisites:
For maximum effectiveness, attendees should have at least basic familiarity with TCP/IP networking and basic network infrastructure devices such as Switches, Routers, etc. Attendees will also be required to bring their own laptop. Completion of the course of instruction “Introduction to Network and Forensics Analysis” may be substituted.
Course Description:
Network Forensics Analysis encompasses the skills of not only capturing suspicious data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, Open-Source Tools to provide insight into the following areas:
- Forensics Analysis fundamentals
- Data Recorder technology and data-mining
- Network security principles including encryption technologies and defensive configurations of network infrastructure devices
- Security threat recognition for a variety of network attack and exploit scenarios including network reconnaissance techniques, Bot-Net threat recognition and man-in-the-middle attacks as well as common user protocol vulnerabilities including IP related Protocols (IP(v4/v6) / TCP, DNS/DNSSec, ARP, ICMP), Email Protocols (POP / SMTP / IMAP) and other, common Internet based User Protocols (HTTP, NNTP, IRC, IM)
- Open-Source Network Forensics Tools
- Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing techniques
Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field proven, practical Forensics Analysis skills. Attendees will receive a training binder including numerous reference Wireshark trace files and a DVD with networking and forensics tools, as well as a library of Network Forensics Analysis reference documents.
Course Objectives:
As a result of successful completion of this workshop, participants will be able to:
- Understand the principles of Network Forensics Analysis and how to apply them
- Select and configure various Open-Source tools for Network Forensics Analysis to capture and recognize traffic patterns associated with suspicious network behavior
- Reconstruct suspicious activities such as Emails, file transfer or Web-Browsing for detailed analysis and evidentiary purposes
- Understand and recognize potential network security infrastructure misconfigurations
Course Outline:
Introduction To Network Forensic Analysis
- Overview and history of Network Forensics Analysis
- Answering the key incident questions
- Six step Network Forensics Analysis Methodology
Collecting the Data – Data Capture and Statistical Forensics Analysis
Data Collection
- Location – How Network Infrastructure Devices Affect Forensics Analysis
- Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU
- Stealth / Silent Collection of Data – Tips & Techniques
Case Study #1 – Firewall Capture and the Welchia Worm penetration
Hands-on Lab / Exercise #1 – Getting Acquainted – Just how Much Data is out There?
Technology Challenges – Forensics Analysis in Wired and WLAN Environments
- Layer 2 vs. Layer 3 vs. Layer 4 Addressing
- IEEE 802.3 Ethernet vs. IEEE 802.11 Frame Formats
- Using Names as a Forensics Analysis Aid
- WLAN Device Analysis
- Forensic Assessment of key Protocol Statistics
Hands-on Lab / Exercise #2 – Analyzing Node and Protocol Statistics for Suspicious Activities
Forensic Evaluation of Statistical Network Data
- Assessment of Key Network and Forensics Statistics
- Analyzing the 3 Different Network Communication Architectures
- Analyzing Suspicious Conversations and Activities – What’s a Bot-Net?
- Interpreting Protocol Decodes and Packet File Navigation Tips including advanced search functions
Hands-on Lab / Exercise #3 – Statistical Assessment of the Network
Hands-on Lab / Exercise #4 – Protocol and Conversation Forensic Analysis
Forensics Analysis Using Expert Systems
- Using Expert Systems to Determine Suspicious Activity
- Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to identify suspicious behavior
Hands-on Lab / Exercise #5 – A Tale of Two Networks
Forensic Coloring and Filtering Techniques
- Constructing and Applying Specialty Forensics Coloring Rules and advanced Specialty Forensics Filters
- Importing / Exporting Filters and Coloring Rules
Case Study #2 – Locating key Text-Strings & Identifying Information
Lab / Hands-on Exercise #6 – Advanced Filtering for Forensic Analysis
Tracking and Reconstruction of Packet and Data Flows
- Diagramming and Interpreting a Conversation
- Packet Flow Reconstruction and Analysis
- Deep-Level Forensic Analysis of Packet Contents
Case Study #3 – Reconstructing Suspicious Multiple Segment Conversations
Lab / Hands-on Exercise #7 – Diagramming a Conversation – Packets Never Lie
Forensics Analysis of Network Applications and User Traffic
Introduction to Common Networking Protocols and Their Vulnerabilities
- What’s Normal vs. Abnormal – The Role of Baseline Files
- Building a Baseline Library – Where Do I go to Find Out?
Forensics Analysis of IP
- Structure and Analysis of IPv4 vs. IPv6
- IP Fragmentation, IP Header Checksums and Forensic analysis of IPv4 Option fields
- Common IP Exploits and Examples of Intrusion Signatures
- IP Tunnel Attacks – What’s the Big Deal?
Hands-on Lab / Exercise #8 – Evaluating IP Security
Forensic Analysis of DNS
- Structure and Analysis of DNS vs. DNSSEC and LLMNR
- Analyzing DNS Messages and DNS Exploits
Hands-on Lab / Exercise #9 – Forensic Analysis of DNS
Case Study #4 – The Kaminsky DNS Vulnerability
Internet Control Message Protocol (ICMP) and Network Forensics
- Structure and Analysis of ICMPv4 vs. ICMPv6
- Analyzing ICMP Messages and Suspicious ICMP Traffic Analysis
Hands-on Lab / Exercise #10 – Forensic Analysis of ICMP
Case Study #5 – Who is Knocking on the Door – Identifying a Network Mapping Intrusion
Forensics Analysis of TCP
- Structure and Analysis of TCP
- TCP Header Checksums and Forensic Analysis of TCP Option fields
- Common TCP Exploits and Examples of Intrusion Signatures
Hands-on Lab / Exercise #11 – Forensic Analysis of TCP
Case Study #6 – Determining the Source of a TCP SYN Flood Attack
Forensic Analysis of User Traffic and Common User Protocol Exploits
- Email Applications Using POP / SMTP / IMAP
- Web-Based Applications Using HTTP
- VoIP Applications
- Instant Messenger Applications
Hands-on Lab / Exercise #12 – Forensic Analysis of User Traffic
Hands-on Lab / Exercise #13 – VoIP Call Interception and Playback
Hands-on Lab / Exercise #14 – Application Reconstruction – Email / Web / Instant Messenger / File Transfers
Case Study #7 – Putting it all Together
Challenge Hands-on Labs / Exercises 13-15
Hands-on Lab / Exercise #15 – What is Happening to my Email Server?
Hands-on Lab / Exercise #16 – Who is Scanning the Network?
Hands-on Lab / Exercise #17 – What a Mess! – Multiple Threats and Simultaneous Attacks
Appendix 1 – Forensic Analysis Reference Information
Appendix 2 – Baseline Forensics Trace Files
Appendix 3 – Protocol Options Reference