Network Forensics
BT211
Description
Network forensics training is about the analysis of network traffic to identify intrusions or anomalous activity. Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable and therefore requires a different approach.
This course sets the groundwork for understanding networks and the investigation process on them. Participants will master the fundamentals of conducting forensic analysis in a network environment. This course will incorporate demonstrations and lab exercises to reinforce hands-on capabilities.
How to make the most of this course?
In order to succeed in the course, the following requirements must be met:
- Participation in all practical laboratories
- Self-study at home between lessons
- Repetition of materials, self-learning, performing tasks, etc.
- A personal computer suitable for running virtual machines, with an Internet connection
- Working through the scenarios in the Cyberium Arena
In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
Target audience
This course addresses the following audiences, who are assumed to have basic background knowledge:
- Law enforcement officers & intelligence corps
- Incident responders
- Computer investigators
- IT/network administrators
- IT security personnel
- Junior cyber forensics analysts
Objectives
- Detecting various types of computer and network incidents
- Analyzing network artifacts left on a compromised system
- Understanding alerts and advisories
- Responding to incidents
- Performing network traffic monitoring and analyzing logs
- Learning to work with different tools
Pre-requisites
Syllabus
Description
During this module, participants will learn how to read data packets, perform file carving, and identify suspicious activity on the network. Participants will gain insight into how an attack on the network is carried out and how it can be identified. Participants will be tasked with constructing essential defensive tools that raise alerts when the system is attacked.
Technical content
- Understanding Network Components
  - Understanding Network-Based Firewalls
    - Packet Filter
    - Common IDS
  - Traffic Analysis
  - Understanding Packet Structure
    - Packet Analysis
  - HAProxy
  - EtherApe
  - Wireshark
    - Acquaintance with Wireshark
    - Statistics
    - TCP Stream
    - Understanding Coloring Rules
    - View Options on Packets
    - Dive Into Common Protocols
Description
During this module, participants will understand the challenges of investigating network-based cases. Participants will practice using various tools and investigation methodologies to correlate data and collect evidence.
Technical content
- Network Forensics Investigation Process
  - Automation skills
    - TCPDump
    - Extraction of Credentials
    - Export Objects
  - MitM Attack
    - Methods
    - Different Uses
    - Common MitM Tools
    - Create your Attack
  - Find Network Anomalies
  - Flow Analysis
  - Network File Carving
    - Wireshark
    - NetworkMiner
    - Foremost with Special Configuration
  - Discovering Network Tunnels
Description
During this module, participants will further explore the study of data packets on a deeper level, learn to identify network anomalies, and understand system alerts. Participants will master the use of well-known command-line interface (CLI) and graphical user interface (GUI) tools to further specialize in the field.
Technical content
- Advanced Network Analysis
  - Advanced Wireshark
    - Streams Analysis
    - Advanced Incident Investigation
    - Investigate Uncommon Communications
    - Decrypting SSL/TLS Traffic
    - Finding Malware and the Analysis Process
  - Advanced Tshark
    - Single and Multi-Pass Filters
    - Automating
    - Payload Investigation
- Zeek
  - Output Logs
  - Automating Process
  - Monitoring Data into Logs
  - Zeek-Cut Parsing
- VoIP Analysis
  - VoIP Protocol
  - VoIP Traffic Analysis
  - VoiceMail
  - SIP Messaging
  - DTMF
  - VoIP Call Decryption
  - Custom Wireshark Plugin
  - VoIP REGISTER Message Analysis
  - Hash Extraction
  - Password Cracking
Description
In this module, participants will learn how to deploy automatic data analyzers, using preset rules or crafting custom rule-sets to alert and block on detection of suspicious traffic.
Technical content
- IPS vs. IDS
  - Essential Intrusion Detection Tools and Methods
    - Installing and Configuring Sysmon
    - File Hashes
    - Windows Event Log
    - Analyzing and Filtering Events
    - Network Events
  - IDS/IPS Analysis
    - Hardware vs. Software Components
    - IDS/IPS Operation Process
    - IDS/IPS Configuration
  - Snort
    - Rules System
    - Operation with Firewall and Networks
    - Advanced Snort Configuration
    - Using and Updating Built-In Rules
Description
In this module, participants will summarize investigation findings and convey the results in a report. The report must be understandable, factual and defensible in detail, following general forensic principles.
Technical content
- Report Writing
  - Reason for Investigation
  - Evidence Examined
  - Description of Investigation
  - Details of Findings
    - Recovered Files
    - Network Access Logs
    - Cache Files
    - Network Traffic Logs
    - Applications Used for Illicit Activities
    - Encryption and Techniques Used to Hide Data
Labs
- Lab 1 Firewall Configuration
- Lab 2 Packet Analysis
- Lab 3 Working with Tshark
- Lab 4 Network Attacks Authentications
- Lab 5 Network File Carving
- Lab 6 Network Files Carving from Memory
- Lab 7 Decrypting Encrypted Traffic
- Lab 8 Working with Zeek
- Lab 9 VoIP Traffic Analysis
- Lab 10 Automation with Sysmon
- Lab 11 Building Network Security Tools
Real Case Studies
Course type
This course is delivered in the following ways:
- Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
- On-site classroom with proctored labs and scenarios executed in our Cyberium Arena
All sessions are recorded and attendees can replay them for 30 days. All course material is made available electronically to the participant.
Course Group:
Defense
Hands-on / Theory Mix
This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.
Certification
This course prepares the participant for the following certification:
- CNFE (Mile2)
Required Equipment
Network connection
As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.
BYOD – Bring Your Own Device
As it is a very practical course, and in order for the participants to make the most of it, they need a laptop with the following capabilities:
- Audio and video
- 8 GB RAM
- 200 GB disk space
- Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
- A good headset with microphone