Network Forensics

From March 20, 2017 to March 21, 2017

Our two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused at network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored.

Day 1 - Theory and Practice using Open Source Tools

Day 2 - Advanced Network Forensics using Netresec Tools

The Scenario

The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We've set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:

Class attendees will learn to analyze captured network traffic from these events in order to:

Target Audience

Q: Who should attend?

A: Anyone who want to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?

A: Those who are afraid of using Linux command line tools.

Training Preparations

Laptop Required Attendees will need to bring a laptop that fits the following specs:

A VirtualBox VM will be provided on USB flash drives at the beginning of the training. Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as ”AMD-V”, ”VT-x” or ”Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off "Intel Trusted Execution" in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Erik Hjelmvik

Erik Hjelmvik is an incident responder and developer who is well known in the network forensics field for having created NetworkMiner, which is used by incident responders and law enforcement all around the world. Erik has a background in SCADA security and has spent over 5 years doing incident response at one of the best CERTs in Sweden. Nowadays Erik runs the company Netresec AB, where he develops network forensics software and occasionally teaches network forensic classes.