Format: 5 days Classroom Instruction

Start/End Times: 0830-1630

Recommended Class Size: 5-12

Audience: Introductory

Target Audience:

Law Enforcement Personnel who need to acquire a foundation in networking technology, terminology, common networking protocols and the use of Open-Source Network / Forensic Analysis tools and methodologies. Successful completion of this course will provide these individuals with a pathway into the field of Network Forensics Analysis.

Recommended Prerequisites:

Completion of Wireshark 1 and Wireshark 2 or equivalent networking and Wireshark experience

Description:

Network Forensics Analysis encompasses not only the skills to capture suspicious data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, Open-Source tools to provide insight into the following areas:

  • Forensics Analysis fundamentals and data-mining
  • Open-Source Network Forensics Tools
  • Network security principles including encryption technologies and defensive configurations of network infrastructure devices
  • Security threat recognition for a variety of network attack and exploit scenarios, including network reconnaissance techniques, intrusion and exploit methodologies, Botnet threat recognition, and common protocol vulnerabilities in IP-related protocols such as IPv4/v6, TCP, DNS/DNSSEC, ARP and ICMPv4/v6, plus an introduction to Voice / Video over IP and Wireless Networking technologies
  • Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing

Real-world examples will be used throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical analysis skills. Attendees will receive a student guide including numerous reference files and networking and forensics tools, as well as a library of reference documents.


Course Details:

I. Introduction to Network Forensic Analysis

  • Overview and history of Network Forensics Analysis
  • Answering the key incident response questions
  • Sample Six step Network Forensics Analysis Methodology

II. Recap – Collecting the Data and Statistical Forensics Analysis

  • Data Collection
    • Configuring Wireshark 2.0
      • New features to enhance capture – USBPcap / Androiddump
      • Using capture filters to capture specific suspect traffic
    • Stealth / Silent Collection of Data – Tips & Techniques
    • WiFi Device Analysis using AirPcap Control Panel
      • New Wireless Toolbar and WiFi features – WEP / WPA / WPA2 Decryption
      • Bluetooth capture features
    • Location – How Network Infrastructure Devices Affect Network Analysis
      • Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU

III. Forensics Analysis of Encryption Protocols

  • Secure Sockets Layer (SSL) / Transport Layer Security (TLSv1-3)
  • Wired Equivalent Privacy (WEP)
  • WiFi Protected Access (WPA / WPA2)
  • VPN and Tunneling Protocols
  • Security Vulnerabilities & Exploits

IV. Introduction to Forensics Analysis of Multimedia Protocols – Voice, Video, T.38 & T.120

  • Introduction – Overview & Terminology
    • Multimedia Protocols and Standards
    • Hardware
  • Analyzer Placement & Configuration
    • Where to collect the Data
    • Wireshark Multimedia Specific Menus
  • Overview of Multimedia Protocols
    • H.323 / SIP / MGCP / SCCP
    • Voice & Video Codec(s)
  • T.38 Fax over IP & T.120 Conference over IP
  • Multimedia Reassembly and Playback
  • Multimedia Vulnerabilities & Exploits

V. Introduction to Forensics Analysis of Wireless (WiFi) Traffic

  • Introduction – Overview & Terminology
    • WiFi Protocols and Standards
      • 802.11a / b / g / n / ac
    • Hardware – Antennas & Access Points
  • Analyzer Placement & Configuration
    • Where to collect the Data
    • Wireshark WiFi Specific Menus
  • RF Physics, Propagation & Antenna Selection
  • WiFi Communication – Service Sets
    • BSSID / ESSID / IBSS / Ad hoc
  • WiFi MAC Layer
    • Finding a Service Set
    • Connecting to a Service Set
    • Authentication / Association
    • Moving Between Service Sets
    • Disconnection from Service Sets
  • WiFi Frame Addressing & Arbitration
  • WiFi Hacking – Rogue Devices
  • SoHo / Internet of Things (IoT) Technologies
    • 802.15 Bluetooth
    • 802.16 WiMAX
    • HomeRF
    • ZigBee
    • Infrared
  • WiFi Security Vulnerabilities & Exploits
    • Rogue Devices
    • Man-in-the-Middle
    • Malware / Ransomware
    • Denial of Service (DoS / DDoS) Attacks
    • Bots / Botnets

VI. I’ve Been Hacked – Network Forensics Analysis – Intrusions, Exploits, Etc.

  • Overview & Terminology
  • Identifying Target Network Vulnerabilities
    • Scanning & Reconnaissance
    • Tools & Techniques
    • Identifying Scanning Tools
  • You Can Trust Me – Social Engineering
  • Exploiting the Target – Layer 2 (Physical & DLC Layers) Exploits
    • Driver & Device Exploits
    • Man-in-the-Middle
    • MAC / ARP Floods
  • Exploiting the Target – Layer 3 (Network Layer) Exploits
    • IPv4 Header and Option Exploits
    • IPv6 Tunnel Exploits
    • ICMPv4/v6 Exploits
    • IPX SAP Exploits
  • Exploiting the Target – Layer 4 (Transport Layer) Exploits
    • Exploiting TCP
      • Header & Options
      • Resets
      • Flags
    • Exploiting SCTP
    • Firewall & Intrusion Detection System (IDS) Exploits
  • Exploiting the Target – Layer 5-7 (Application) Exploits
    • Drive-by-Downloads
    • Ransomware, Crimeware and Malware – Worms & Viruses
    • Fake Logins & Password Hijacks
    • Overflows
    • Internet Exploits
  • Attacks
    • Bots, Botnets, Bot Herders
    • Denial of Service (DoS / DDoS)
  • Detecting, Analyzing and Reconstructing Suspicious Activities
    • Baselines & Sample Libraries
    • Color Rules
    • Filtering & Pattern recognition

VII. Where do we go from Here?

  • Wireshark 0LE – TCP/IP Networking Fundamentals Using Wireshark
  • Wireshark 1 – TCP/IP Network Analysis
  • Wireshark 2LE – Advanced Network & Security Analysis
  • Wireshark 3LE – Network Forensics Analysis
  • Wireshark 4LE – Mobile Device Forensics Analysis
  • Wireshark 5 – Cloud & Internet of Things (IoT) Technology & Advanced Network Analysis
  • Wireshark 6 – VoIP Technology & Advanced Network Analysis
  • Wireshark 7 – WiFi Technology & Advanced Network Analysis
  • Wireshark 8 – SCADA & ICS Technology & Advanced Network Analysis