Network Forensics
Apr 2nd, 2009 by sherri
“Network Forensics” in Orlando (March 2010) SOLD OUT over a month and a half before the class. WOW! We already have enrollments for the next class in June 2010 (Washington, DC). Register now to get a spot!
Want to analyze DNS tunnel traffic? Extract images from Snort packet captures? Jonathan Ham and I have co-authored the SANS Network Forensics class, which has just been expanded to 5 days! Each student will receive a shiny new Ideapad netbook, preconfigured as a forensic workstation and loaded with all kinds of network forensics tools.
Network equipment such as web proxies, firewalls, IDS, routers and even switches often contain evidence that can make or break a case. A great deal of evidence flows across the network but is never stored on a workstation or server hard drive. In this class, information security professionals and law enforcement will learn how to recover evidence from network-based devices in order to speed up investigations and build stronger cases.
During hands-on exercises, we will use tools such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze, and will have the opportunity to conduct forensic analysis on a variety of devices.
The first day we dive right into DNS tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you’ll be extracting tunneled flow data from DNS NULL records and recovering evidence from firewall logs. On day three, we analyze Snort captures and the Web proxy cache. You’ll carve out cached Web pages and images from the Squid web proxy.
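As an added illustration of the DNS tunnel analysis mentioned above (this is not course material or code from the class), the following Python snippet scores parsed DNS queries for the indicators an analyst looks for: NULL-type queries carrying many distinct, high-entropy leading labels under one domain. The query records, the `evil-tunnel.test` domain and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample records in "client, qtype, qname" form; they stand in
# for what a DNS server log or a parsed tcpdump capture would yield.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "AAAA", "mail.example.com"),
    ("10.0.0.9", "NULL", "3ab9f0e1c7d2a44b6e8f.t.evil-tunnel.test"),
    ("10.0.0.9", "NULL", "9f1e2d3c4b5a60718293.t.evil-tunnel.test"),
    ("10.0.0.9", "NULL", "0c1d2e3f4a5b6c7d8e9f.t.evil-tunnel.test"),
    ("10.0.0.9", "NULL", "a1b2c3d4e5f60718293a.t.evil-tunnel.test"),
    ("10.0.0.5", "A", "cdn.example.com"),
]

def label_entropy(label):
    """Shannon entropy (bits per char) of one DNS label; encoded payloads score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Crude registrable-domain approximation: the last two labels (no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_tunnel_suspects(queries, min_queries=3, min_entropy=3.5):
    """Return {base_domain: reason} for domains showing tunnel indicators:
    repeated NULL queries whose leading labels are long and high-entropy."""
    per_domain = defaultdict(lambda: {"null": 0, "labels": set(), "hi_ent": 0})
    for _client, qtype, qname in queries:
        stats = per_domain[base_domain(qname)]
        first = qname.split(".")[0]          # leading label is where tunnels stuff data
        if qtype.upper() == "NULL":
            stats["null"] += 1
        stats["labels"].add(first)
        if len(first) >= 16 and label_entropy(first) >= min_entropy:
            stats["hi_ent"] += 1
    suspects = {}
    for domain, s in per_domain.items():
        if s["null"] >= min_queries and s["hi_ent"] >= min_queries:
            suspects[domain] = f"{s['null']} NULL queries, {len(s['labels'])} distinct labels"
    return suspects
```

Raising `min_queries` or `min_entropy` trades sensitivity for fewer false positives from legitimate CDNs and anti-spam services that also use long labels.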
For the last two days, you’ll be part of a live, hands-on investigation. Working in teams, you’ll use network forensics to solve a crime and present your case.
Underlying all of our forensic procedures is a solid forensic methodology, which includes verification, acquisition, timeline creation, evidence recovery, reconstruction and reporting. This course complements Forensic and Investigative Essentials (508), using the same fundamental methodology to recover and analyze evidence from network-based devices.
A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, web proxy caches, and other sources. Network Forensics (Sec558) teaches students how to follow the attacker’s footprints and examine evidence from the network environment.
By capturing evidence from network-based devices, law enforcement and information security professionals can recover evidence that does not even exist on endpoint hard drives.