Duration:
5 days
Audience:
Employees of federal, state and local governments; and businesses working with the government.
Learn to identify and capture suspicious data and patterns in seemingly unsuspicious traffic.
In this course, you will develop the skills not only to capture suspicious data, but also to discern unusual patterns hidden within seemingly normal network traffic. You will gain a set of investigative techniques focused on the use of vendor-neutral, open source tools to provide insight into:
- Forensics analysis fundamentals
- Data recorder technology and data mining
- Network security principles, including encryption technologies and defensive configurations of network infrastructure devices
- Security threat recognition for a variety of common network attack and exploit scenarios, including network reconnaissance techniques, Bot-Net threat recognition, man-in-the-middle attacks, and common user protocol vulnerabilities in IP-related protocols (IP/TCP, DNS, ARP, ICMP), e-mail protocols (POP/SMTP/IMAP), and other common Internet-based user protocols
- Open source network forensics tools
- Specialized network forensics analysis techniques, including suspicious data traffic reconstruction and viewing techniques
Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide practical forensics analysis skills.
You will receive:
- Training binder with numerous reference Wireshark trace files
- DVD of networking and forensics tools
- Library of network forensics analysis reference documents
You are required to bring your own laptop.
What You’ll Learn
- Principles of network forensics analysis and how to apply them
- Configure various open source tools for network forensics analysis
- Utilize tools to recognize traffic patterns associated with suspicious network behavior
- Reconstruct suspicious activities such as e-mails, file transfers, or web browsing for detailed analysis and evidentiary purposes
- Recognize potential network security infrastructure misconfigurations
Who Needs to Attend
- Network engineers and network security professionals who possess basic- to intermediate-level general security and networking knowledge
- Personnel who have working knowledge of host-based forensics analysis and want to gain expertise in the end-to-end digital forensics process
Prerequisites
- Familiarity with TCP/IP networking and basic network infrastructure devices such as switches, routers, etc.
- Cybersecurity Foundations
- Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory (M6426)
- Troubleshooting TCP/IP Networks with Wireshark
Course Outline
1. Introduction to Network Forensic Analysis
- History of Network Forensics Analysis
- Answering the Five Key Questions
- Six-Step Network Forensics Analysis Methodology
2. Data Capture and Statistical Forensics Analysis
- Data Collection
- Case Study 1: Firewall Capture and the Welchia Worm Penetration
- Technology Challenges: Forensics Analysis in Wired and WLAN Environments
- Forensic Evaluation of Statistical Network Data
- Forensics Analysis Using Expert Systems
- Forensic Coloring and Filtering Techniques
- Case Study 2: Locating Key Text Strings and Identifying Information
- Tracking and Reconstructing Packet and Data Flows
- Case Study 3: Reconstructing Suspicious Multiple Segment Conversations
3. Forensics Analysis of Network Applications and User Traffic
- Common Networking Protocols and Their Vulnerabilities
- Forensics Analysis of IP
- Forensic Analysis of DNS
- Case Study 4: The Kaminsky DNS Vulnerability
- Internet Control Message Protocol (ICMP) and Network Forensics
- Case Study 5: Who is Knocking on the Door? Identifying a Network Mapping Intrusion
- Forensics Analysis of TCP
- Case Study 6: Determining the Source of a TCP SYN Flood Attack
- Forensic Analysis of User Traffic and Common User Protocol Exploits
- Case Study 7: Putting it All Together
Appendix 1: Forensic Analysis Reference Information
Appendix 2: Baseline Forensics Trace Files