Network Forensics

The two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze PCAP files. The scenarios in the labs are primarily focused on network forensics for incident response, but are also relevant for law enforcement, internal security and similar settings where the network traffic of a suspect or insider is being monitored.

Day 1 - Theory and Practice using Open Source Tools

  • Theory: Ethernet signaling
  • Hardware: Network TAPs and Monitor ports / SPAN ports
  • Sniffers: Recommendations for high-performance packet interception
  • PCAP analysis: Extracting evidence and indicators of compromise using open source tools
  • Defeating Big Data: Techniques for working with large data sets
  • Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
  • Challenge Day 1: Find the needle in our haystack and win an honorable prize!

Day 2 - Advanced Network Forensics using Netresec Tools

  • NetworkMiner Professional: Learning to leverage the features available in the Pro version
    • Port Independent Protocol Identification (PIPI)
    • DNS Whitelisting
  • NetworkMinerCLI: Automating content extraction with our command line tool
  • CapLoader: Searching, sorting and drilling through large PCAP data sets
    • Super fast flow transcript (aka Follow TCP/UDP stream)
    • Filter PCAP files and export frames to other tools
    • Keyword search
  • Challenge Day 2

The Scenario

The scenario used in the class involves a modern progressive Bank, which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:

  • Defacement of the Bank’s web server
  • Man-on-the-Side (MOTS) attack (much like NSA/GCHQ’s QUANTUM INSERT)
  • Backdoor infection through trojanized software
  • Spear phishing
  • Use of a popular RAT (njRAT) to access the victim's machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
  • Infection with real malware (Nemucod, Miuref / Boaxxe and more)

Class attendees will learn to analyze captured network traffic from these events in order to:

  • Investigate web server compromises and defacements
  • Detect Man-on-the-Side attacks
  • Identify covert backdoors
  • Reassemble incoming emails and attachments
  • Detect and decode RAT/backdoor traffic
  • Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

Professional software included FREE of charge

Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.


  • At least some experience with both Linux and Wireshark.

  • Attendees will need to bring a laptop that fits the following specs:
    • A PC running any 64-bit Windows OS (can be a Virtual Machine)
    • At least 4 GB RAM
    • At least 40 GB free disk space
    • VirtualBox (64-bit) installed (VMware will not be supported in the training). A VirtualBox VM will be provided on USB flash drives at the beginning of the training.

About the Speaker