Network forensics relates to the analysis of network traffic for the purposes of identifying intrusions or anomalous activity. Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable, and therefore requires a different approach. This course sets the groundwork for understanding networks and the investigation process on them. Students will master the fundamentals of conducting forensic analysis in a network environment. The course will incorporate demonstrations and lab exercises to reinforce hands-on capabilities.

    The course targets participants with basic knowledge in IT or networking, who wish to have a deeper understanding of cyber investigations and the forensic process. Primarily:

    • Law enforcement officers & intelligence corps
    • Incident responders
    • Computer investigators
    • IT/network administrators
    • IT security personnel
    • Junior cyber forensics analysts
    • Basic knowledge in IT or networking
    • Participants should be familiar with the following concepts:
      • Computer components
      • Operating Systems
      • OSI model
    • CS001 provides a solid foundation of preliminary knowledge required for this course.

    40 Hours

    Cyber Security


    Certificate: No

    Price: contact us for more details

    Leave your details

    Course Outline


    • Detecting various types of computer and network incidents.
    • Analyzing artifacts left on a compromised system.
    • Understanding alerts and advisories.
    • Responding to incidents.
    • Performing network traffic monitoring and analyzing logs.
    • Learning to work with different tools to accomplish investigative tasks.


    Course Outline

    Module 1: Preparing Your Forensics Lab – 4 hours

    During this module, students will become familiar with the key tools for network forensics and will construct machines that will serve them during the course. The various tools and frameworks covered in this module are among the most advanced in the field, and are a crucial asset for every network forensics investigator.

    • Configuring forensics tools
      • Autopsy
      • Volatility
      • NirSoft
      • FTK imager
      • HxD
      • Bulk Extractor
      • Bro
      • Bro-Cut
      • Wireshark
      • TCPDump
    • Forensics common frameworks for investigation
      • DEFT
      • SIFT
      • Security Onion


    Module 2: Network Forensics – 16 hours

    During this module, participants will learn how to read packets of data, perform “file carving” and identify suspicious activity on the network. They will get an insight into how an attack on the network is carried out and how it can be identified. Later on, students will be tasked with constructing basic defensive tools that will raise alerts when the system is attacked.

    • Network-based firewalls
      • Packet filter
      • Proxy
      • Common IDS
    • Wireshark GUI and CLI
      • Acquaintance with Wireshark
      • Statistics
      • TCP stream
    • PCAP files manipulation
    • Packet structure and analysis
    • Internet traffic analysis
    • Network forensics investigation process
    • MiTM attack
      • Methods
      • Different uses
      • Common MiTM tools
    • Writing a professional forensics report


    Module 3: Network Carving – 4 hours

    During this module, students will learn how to perform network carving – inspect network traffic and extract the malicious or suspicious content on it for further investigation. Network carving allows the investigator to closely examine what happened, what contaminated the system, and determine the significance of suspected findings.

    • Wireshark
      • SMB
      • HTTP
    • NetworkMiner
    • Bro – using Bro for network carving
    • Foremost


    Module 4: Log Analysis – 12 hours

    Throughout this module, students will analyze logs – computer generated records that contain useful data – and get to know where information is stored on Windows and Linux operating systems. They will also understand how to identify logs that have been tempered, using basic and advanced tools.

    • Defining log data
    • Log analysis process
      • Generating logs
      • Collecting logs
      • Normalizing logs
      • Filtering logs
    • Log sources
      • IDS
      • Firewalls/IPS
      • Network bandwidth
      • Applications
    • Log analysis tools
      • P0f – passive network scanning
      • Snort – basic uses
    • Common string manipulation
    • Windows event viewer


    Module 5: Wireless Security Basics – 4 hours

    The focus of this module is to raise the awareness and deepen the understanding among participants of Wi-fi attacks, how they happen, and what are the risks involved. The trainer will perform live demonstration of various types of attacks, to expose the students to the attacks of the wireless world and give the corresponding tools to investigate those attacks.

    • Wireless definitions
      • x
      • Hotspots
      • Rouge networks
      • Sniffing
      • WEP/WPA/WPA2
      • Wireless cards with injection capabilities
    • Attack demos:
      • Rouge access point
      • Attacking WEP
      • Attacking WPA/WPA2
      • Bypassing MAC filters
      • Bypassing hidden access points
      • DDoS