Network Forensics for Incident Response

This is a two-day training. It takes place online on March 15 to 16, 2021.

A hands-on network forensics training that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a completely new and unique data set captured during 30 days on an internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices.

We will analyze traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!

Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.


Day 1 : Theory and Practice using Open Source Tools

  • Investigating spear phishing email with malware attachment

  • Using JA3 to analyze TLS/SSL encrypted traffic

  • Leveraging passive DNS to track C2 domains

  • Decoding C2 traffic from a RAT

  • Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy

  • Tracking lateral movement on the internal network

  • Investigation of botnet infection (TrickBot)

  • Analyzing exfiltration by an APT style attacker

Day 2 : Advanced Network Forensics using Netresec Tools

  • Analysis of a Man-on-the-Side (MOTS) attack similar to NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”.

  • Analyzing exploitation of insecure web server, web shell deployment and lateral movement into the corporate network.

  • Investigating a spear phishing attack with credential theft

  • Live TLS decryption lab

Who should attend this training

The training is built for blue teams, incident responders and SOC analysts, but can also be relevant for law enforcement investigators.


Confident using Linux command line tools. Basic knowledge if TCP/IP communications.


A PC running a 64-bit Windows OS (can be a Virtual Machine), 16GB RAM, 100GB free hard drive space and VirtualBox installed.

About the Speaker