Network Forensics


Network forensics training is about the analysis of network traffic to identify intrusions or anomalous activity. Compared to computer forensics, where evidence is usually preserved on disk, network data is more volatile and unpredictable and therefore requires a different approach. This course lays the groundwork for understanding networks and the process of investigating them. Students will master the fundamentals of conducting forensic analysis in a network environment. The course incorporates demonstrations and lab exercises to reinforce hands-on capabilities.

Duration: 40 hours

Target Audience

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators
  • IT security personnel
  • Junior cyber forensics analysts

Prerequisites
This course addresses those with basic knowledge of:

  • ThinkCyber Level-1 Courses

Objectives

  • Detecting various types of computer and network incidents
  • Analyzing network artifacts left on a compromised system
  • Understanding alerts and advisories
  • Responding to incidents
  • Performing network traffic monitoring and analyzing logs
  • Learning to work with different tools


Module 1: Network Forensics

During this module, participants will learn how to read packets of data, perform file carving, and identify suspicious activity on the network. Students will get an insight into how an attack on the network is carried out and how it can be identified. Students will be tasked with constructing essential defensive tools that will raise alerts when the system is attacked.

  • Understanding Network Components
    o Understanding Network-Based Firewalls
  • Packet Filter
  • Common IDS
    o Traffic Analysis
    o Understanding Packet Structure
  • Packet Analysis
    o HAProxy
    o EtherApe
    o Wireshark
  • Acquaintance with Wireshark
  • Statistics
  • TCP Stream
  • Understanding Coloring Rules
  • View Options on Packets
  • Dive Into Common Protocols

Module 2: Case Investigation

During this module, students will understand the challenges of investigating network-based cases. Students will practice using various tools and investigation methodologies to correlate data and collect evidence.

  • Network Forensics Investigation Process
    o Automation skills
  • TCPDump
  • Extraction of Credentials
  • Export Objects
    o MiTM Attack
  • Methods
  • Different Uses
  • Common MiTM Tools
  • Create your Attack
    o Find Network Anomalies
    o Flow Analysis
    o Network File Carving
  • Wireshark
  • NetworkMiner
  • Foremost with Special Configuration
    o Discovering Network Tunnels

Module 3: Advanced Network Analysis

During this module, participants will explore data packets at a deeper level, learn to identify network anomalies, and understand system alerts. Students will master the use of well-known command-line interface (CLI) and graphical user interface (GUI) tools to further specialize in the field.

  • Advanced Network Analysis
    o Advanced Wireshark
  • Streams Analysis
  • Advanced Incident Investigation
  • Investigate Uncommon Communications
  • Decrypting SSL/TLS traffic
  • Find Malware and Analysis Process
    o Advanced Tshark
  • Single and Multi-Pass Filters
  • Automating
  • Payload Investigation
  • Zeek
    o Output Logs
    o Automating Process
    o Monitoring Data into Logs
    o Zeek-Cut Parsing
  • VoIP Analysis
    o VoIP Protocol
    o VoIP Traffic Analysis
    o VoiceMail
    o SIP Messaging
    o DTMF
    o VoIP Call Decryption
    o Custom Wireshark Plugin
    o VoIP REGISTER Message Analysis
    o Hash Extraction
    o Password Cracking

Module 4: Intrusion Detection and Mitigation

In this module, students will learn how to deploy automatic data analyzers, using preset rules or crafting custom rule sets to alert on and block suspicious traffic when it is detected.

  • IPS vs. IDS
    o Essential Intrusion Detection Tools and Methods
  • Installing and Configuring Sysmon
  • File Hashes
  • Windows Event Logs
  • Analyzing and Filtering Events
  • Network Events
    o IDS/IPS Analysis
  • Hardware vs. Software Components
  • IDS/IPS Operation Process
  • IDS/IPS Configuration
  • Snort
    o Rules System
    o Operation with Firewall and Networks
    o Advanced Snort Configuration
    o Using and Updating Built-In Rules
    o Creating a Custom Rule Set

Module 5: Reporting

In this module, students will summarize investigation findings and present the results in a report. The report must be understandable, factual and defensible in detail, following general forensic principles.

  • Report Writing
    o Reason for Investigation
    o Evidence Examined
    o Description of Investigation
    o Details of Findings
  • Recovered Files
  • Network Access Logs
  • Cache Files
  • Network Traffic Logs
  • Applications Used for Illicit Activities
  • Encryption and Techniques Used to Hide Data