Network Forensics




Network forensics training is about the analysis of network traffic to identify intrusions or anomalous activity. Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable and therefore requires a different approach.

This course sets the groundwork for understanding networks and the investigation process on them. Participants will master the fundamentals of conducting forensic analysis in a network environment. This course will incorporate demonstrations and lab exercises to reinforce hands-on capabilities.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc…

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.
A personal computer suitable for running virtual machines, with an Internet connection
Transition of the scenarios in the Cyberium Arena.

Target audience

This course addresses those with basic knowledge of:

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • IT security personnel
  • Junior cyber forensics analysts


  • Detecting various types of computer and network incidents
  • Analyzing network artifacts left on a compromised system
  • Understanding alerts and advisories
  • Responding to incidents
  • Performing network traffic monitoring and analyzing logs
  • Learning to work with different tools


ThinkCyber Level-1 Courses



During this module, participants will learn how to read packets of data, perform file carving, and identify suspicious activity on the network. Participants will get an insight into how an attack on the network is carried out and how it can be identified. Participants will be tasked with constructing essential defensive tools that will raise alerts when the system is attacked.

Technical content

  • Understanding Network Components
    o Understanding Network-Based Firewalls
    ▪ Packet Filter
    ▪ Common IDS
    o Traffic Analysis
    o Understanding Packet Structure
    ▪ Packet Analysis
    o HAProxy
    o EtherApe
    o Wireshark
    ▪ Acquaintance with Wireshark
    ▪ Statistics
    ▪ TCP Stream
    ▪ Understanding Coloring Rules
    ▪ View Options on Packets
    ▪ Dive Into Common Protocols


During this module, participants will understand the challenges of investigating network-based cases. Participants will practice using various tools and investigation methodologies to correlate data and collect evidence.

Technical content

  • Network Forensics Investigation Process
    o Automation skills
    ▪ TCPDump
    ▪ Extraction of Credentials
    ▪ Export Objects
    o MiTM Attack
    ▪ Methods
    ▪ Different Uses
    ▪ Common MiTM Tools
    ▪ Create your Attack
    o Find Network Anomalies
    o Flow Analysis
    o Network File Carving
    ▪ Wireshark
    ▪ NetworkMiner
    ▪ Foremost with Special Configuration
    o Discovering Network Tunnels


During this module, participants will further explore the study of data packets on a deeper level, learn to identify network anomalies, and understand system alerts. Participants will master the use of well-known command-line-interface (CLI) and graphic-user-interface (GUI) tools to further specialize in the field.

Technical content

  • Advanced Network Analysis
    o Advanced Wireshark
    ▪ Streams Analysis
    ▪ Advanced Incident Investigation
    ▪ Investigate Uncommon Communications
    ▪ Decrypting SSL/TLS traffic
    ▪ Find Malware and Analysis Process
    o Advanced Tshark
    ▪ Single and Multi-Pass Filters
    ▪ Automating
    ▪ Payload Investigation
  • Zeek
    o Output Logs
    o Automating Process
    o Monitoring Data into Logs
    o Zeek-Cut Parsing
  • VoIP Analysis
    o VoIP Protocol
    o VoIP Traffic Analysis
    o VoiceMail
    o SIP Messaging
    o DTMF
    o VoIP Call Decryption
    o Custom Wireshark Plugin
    o VoIP REGISTER Message Analysis
    o Hash Extraction
    o Password Cracking


In this module, participants will learn how to deploy automatic data analyzers, using preset rules or crafting custom rule sets to alert and block on detection of suspicious traffic.

Technical content

  • IPS vs. IDS
    o Essential Intrusion Detection Tools and Methods
    ▪ Installing and Configuring Sysmon
    ▪ File Hashes
    ▪ Windows Events Log
    ▪ Analyzing and Filtering Events
    ▪ Network Events
    o IDS/IPS Analysis
    ▪ Hardware vs. Software Components
    ▪ IDS/IPS Operation Process
    ▪ IDS/IPS Configuration
    ▪ Snort
    o Rules System
    o Operation with Firewall and Networks
    o Advanced Snort Configuration
    o Using and Updating Built-In Rules


In this module, participants will summarize investigation findings and convey the results in a report. The report must be understandable, factual and defensible in detail, following general forensic principles.

Technical content

  • Report Writing
    o Reason for Investigation
    o Evidence Examined
    o Description of Investigation
    o Details of Finding
    ▪ Recovered Files
    ▪ Network Access Logs
    ▪ Cache Files
    ▪ Network Traffic Logs
    ▪ Applications Used for Illicit Activities
    ▪ Encryption and Techniques Used to Hide Data


The following labs are part of the actual BT211 course:
  • Lab 1 Firewall Configuration
  • Lab 2 Packet Analysis
  • Lab 3 Working with Tshark
  • Lab 4 Network Attacks Authentications
  • Lab 5 Network File Carving
  • Lab 6 Network Files Carving from Memory
  • Lab 7 Decrypting Encrypted Traffic
  • Lab 8 Working with Zeek
  • Lab 9 VoIP Traffic Analysis
  • Lab 10 Automation with Sysmon
  • Lab 11 Building Network Security Tools

Real Case Studies

Case Study #1 (NF001)
One of the biggest web-hosting companies suffered a massive data leak; attackers spotted a security flaw in one of the documents. The network manager requires your assistance to record and analyze the still-ongoing events to discover the source of the breach.
Case Study #2 (NF002)
Recently, a group of hackers managed to trick a group of private firms into sending them a vast amount of money by faking an investment website; the firms were sure that they were investing in start-ups while, in reality, they were sending money to the attackers. The SOC team managed to capture the data transmitted between the groups. Your job is to analyze the network traffic and find the hackers.

 Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • In situ classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded and attendees can replay them for 30 days. All course material is made available to the participant electronically.



 Hands-on / Theory Mix

This course incorporates a high level of hands-on lab exercises, as well as real-life case studies.



This course prepares the participant for the following certification:

  • CNFE (Mile2)

Required Equipment

Network connection

As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As this is a very practical course, participants need a laptop with the following capabilities to make the most of it:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)

And also a good headset with mic