Network Forensics: Track A

LMG Security Dec 3-4


Ends October 15

Ends December 2

Ends December 6


Enterprises all over the globe are compromised remotely by hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers’ footprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more.

From the authors of “Network Forensics: Tracking Hackers Through Cyberspace” (Prentice Hall, 2012) comes Network Forensics Track A: Packets & Covert Tunnels. This fast-paced class includes packet analysis, wireless forensics, network tunneling—all packed into a dense 2 days, with hands-on technical labs throughout the class.

Carve out suspicious email attachments from packet captures. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself) from captured traffic. Dissect DNS-tunneled traffic and learn to carve smuggled TCP segments with your eyeballs.

Topics covered in Track A:

Forensic investigators must be savvy enough to find network-based evidence, preserve it, and extract what matters from it. Network Forensics will give you hands-on experience analyzing network transactions, identifying covert tunnels, reconstructing and carving files from packet captures, and correlating the evidence to build a solid case.

Network Forensics will teach you how to follow the attacker’s footprints and analyze evidence from the network environment. Every student will receive a fully loaded, portable forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Course Timeline:

Each day will consist of 6 hours of instruction, as follows:

Day 1:

Day 2:


Each module of this course consists of instructor lecture, followed by instructor-led hands-on labs which are designed to explore the tools and techniques discussed. Additional reading materials are supplied by the accompanying Prentice Hall text (by the authors of the class). Students will be provided with a USB containing a VMWare virtual machine to use as a network forensic workstation.

Who Should Take This Class:

Information security professionals with some background in hacker exploits, penetration testing, and incident response

Incident Response Team Members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases

Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.

Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics

Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations

Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case, or to investigate individuals who are considered technically savvy

Student Requirements, experience/expertise:

Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

Student Requirements, equipment/software:

Students must bring a laptop with at least 2GB of RAM, a DVD drive, a USB port, and VMWare Workstation or Player preinstalled and licensed (evaluation licenses are available from VMWare’s web site).

List of Materials You Will Provide to Students:


Jonathan Ham, Certified SANS Instructor, CISSP, GCIA, GCIH
Jonathan Ham specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian Federal agencies. Jonathan has helped his clients achieve greater success for over 15 years, advising in both the public and private sectors, from small startups to the Fortune 500. He is the co-author and lead instructor of SANS "Network Forensics," and co-author of “Network Forensics: Tracking Hackers Through Cyberspace,” published by Prentice Hall. Jonathan is a Certified Instructor with the SANS Institute.

Sherri Davidoff, MIT (Computer Science and Electrical Engineering), GCFA, GPEN
Sherri Davidoff has more than a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments. She has consulted for a wide variety of industries, including banking, insurance, health care, transportation, manufacturing, academia, and government institutions. Sherri is the co-author of the SANS training course “Network Forensics,” and co-author of the Prentice Hall textbook, “Network Forensics: Tracking Hackers Through Cyberspace.” She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.

Eric Fulton, Certified Web Application Penetration Tester (GWAPT)
Eric Fulton is a specialist in network penetration testing and web application assessments. His clients have included Fortune 500 companies, international financial institutions, global insurance firms, government entities, telecommunications companies, as well as world-renowned academic and cultural institutions. In his spare time, Eric works with local students to provide hands-on security training, and conducts independent security research on magnetic access cards and mobile network forensics. He publishes network forensics contests on

Scott Fretheim, Certified Web Application Penetration Tester (GWAPT)
Scott Fretheim is an experienced web application penetration tester and risk assessment consultant. He advises clients regarding risk management and risk analysis, and enjoys conducting security training seminars. Scott is a primary author of several network forensics contests, including the "L33t Pill" series which was first released at DEFCON 2011. Scott is a GIAC Certified Web Application Penetration Tester (GWAPT) and holds his B.S. in Management of Information Systems.