Cybersecurity Investigations and Network Forensics Analysis

Practical Techniques for Analyzing Suspicious Network Traffic


5 days


Employees of federal, state and local governments; and businesses working with the government.

Learn to identify and capture suspicious data and patterns in seemingly unsuspicious traffic.

In this course, you will develop the skills not only to capture suspicious data, but also to discern unusual patterns hidden within seemingly normal network traffic. You will gain a set of investigative techniques focused on the use of vendor-neutral, open source tools to provide insight into:

  • Forensics analysis fundamentals
  • Data recorder technology and data mining
  • Network security principles, including encryption technologies and defensive configurations of network infrastructure devices
  • Security threat recognition for a variety of common network attack and exploit scenarios, including network reconnaissance techniques, Bot-Net threat recognition, and man-in-the-middle attacks, and common user protocol vulnerabilities, such as IP-related protocols (IP/TCP, DNS, ARP, ICMP), e-mail protocols (POP/SMTP/IMAP), and other common Internet-based user protocols
  • Open source network forensics tools
  • Specialized network forensics analysis techniques, including suspicious data traffic reconstruction and viewing techniques

Throughout the course, real-world examples in conjunction with numerous hands-on exercises will provide practical forensics analysis skills.

You will receive:

  • Training binder with numerous reference Wireshark trace files
  • DVD of networking and forensics tools
  • Library of network forensics analysis reference documents

You are required to bring your own laptop.

What You’ll Learn

  • Principles of network forensics analysis and how to apply them
  • Configure various open source tools for network forensics analysis
  • Utilize tools to recognize traffic patterns associated with suspicious network behavior
  • Reconstruct suspicious activities such as e-mails, file transfers, or web browsing for detailed analysis and evidentiary purposes
  • Recognize potential network security infrastructure misconfigurations

Who Needs to Attend

  • Network engineers, network security professionals, who possess basic- to intermediate-level general security and networking knowledge
  • Personnel who have working knowledge of host-based forensics analysis and want to gain expertise in the end-to-end digital forensics process


  • Familiarity with TCP/IP networking and basic network infrastructure devices such as switches, routers, etc.
  • Cybersecurity Foundations
  • Configuring and Troubleshooting Identity and Access Solutions with Windows Server 2008 Active Directory (M6426)
  • Troubleshooting TCP/IP Networks with Wireshark

Course Outline

1. Introduction tNetwork Forensic Analysis

  • History of Network Forensics Analysis
  • Answering the Five Key Questions
  • Six-Step Network Forensics Analysis Methodology

2. Data Capture and Statistical Forensics Analysis

  • Data Collection
    • Case Study 1: Firewall Capture and the Welchia Worm Penetration
  • Technology Challenges: Forensics Analysis in Wired and WLAN Environments
  • Forensic Evaluation of Statistical Network Data
  • Forensics Analysis Using Expert Systems
  • Forensic Coloring and Filtering Techniques
    • Case Study 2: Locating Key Text Strings and Identifying Information
  • Tracking and Reconstructing Packet and Data Flows
    • Case Study 3: Reconstructing Suspicious Multiple Segment Conversations

3. Forensics Analysis of Network Applications and User Traffic

  • Common Networking Protocols and Their Vulnerabilities
  • Forensics Analysis of IP
  • Forensic Analysis of DNS
    • Case Study 4: The Kaminsky DNS Vulnerability
  • Internet Control Message Protocol (ICMP) and Network Forensics
    • Case Study 5: Whis Knocking on the Door? Identifying a Network Mapping Intrusion
  • Forensics Analysis of TCP
    • Case Study 6: Determining the Source of a TCP SYN Flood Attack
  • Forensic Analysis of User Traffic and Common User Protocol Exploits
    • Case Study 7: Putting it All Together

Appendix 1: Forensic Analysis Reference Information

Appendix 2: Baseline Forensics Trace Files


Lab 1: Getting Acquainted: Just How is Data Out There?

Lab 2: Analyzing Node and Protocol Statistics for Suspicious Activities

Lab 3: Statistical Assessment of the Network

Lab 4: Protocol and Conversation Forensic Analysis

Lab 5: A Tale of Two Networks

Lab 6: Advanced Filtering for Forensic Analysis

Lab 7: Diagramming a Conversation: Packets Never Lie

Lab 8: Evaluating IP Security

Lab 9: Forensic Analysis of DNS

Lab 10: Forensic Analysis of ICMP

Lab 11: Forensic Analysis of TCP

Lab 12: Forensic Analysis of User Traffic

Lab 13: VoIP Call Interception and Playback

Lab 14: Application Reconstruction: E-mail / Web / Instant Messenger / File Transfers

Lab 15: What is Happening to My E-mail Server?

Lab 16: Who is Scanning the Network?

Lab 17: What a Mess! Multiple Threats and Simultaneous Attacks