Network Forensics: Black Hat Release

Jonathan Ham and Sherri Davidoff, July 21-24

Registration deadlines: ends February 1; ends June 1; ends July 20; class runs July 21-24.


Enterprises all over the globe are compromised remotely by hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers' footprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more. From the authors of "Network Forensics: Dissecting the Internet" (Prentice Hall, 2012) comes Network Forensics: Black Hat Release. Taught by the authors themselves, this fast-paced class covers packet analysis, statistical flow record analysis, wireless forensics, intrusion detection and analysis, network tunneling, and malware network behavior, all packed into a dense 4 days, with hands-on technical labs throughout.

Reconstruct a suspect's web surfing history, and cached web pages too, from a web proxy. Carve suspicious email attachments out of packet captures. Analyze a real-world wireless encryption cracking attack from captured traffic (and then crack the key yourself). Dissect DNS-tunneled traffic and learn to carve TCP segments with just your eyeballs and a hex editor. Use flow record analysis tools to pick out brute-force attacks and home in on compromised systems as the attacker pivots through the enterprise. Pick apart the Operation Aurora exploit, caught by a network sniffer.

Forensic investigators must be savvy enough to find, preserve, and extract network-based evidence. Network Forensics will give you hands-on experience analyzing covert channels, carving cached web pages out of proxies, identifying attackers and victims using flow records, carving malware from packet captures, and correlating the evidence to build a solid case. Network Forensics will teach you how to follow the attacker's footprints and analyze evidence from the network environment. Every student will receive a fully-loaded, portable forensics workstation, designed by forensics experts and distributed exclusively to Network Forensics: Black Hat Release students.

Who Should Take This Class

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux, and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Students must have basic familiarity with the Linux/UNIX command line, TCP/IP, and networking concepts and terminology.

What to bring

Students must bring a laptop with at least 2GB of RAM, a DVD drive, and VMware Workstation or Player preinstalled and licensed (evaluation licenses are available from VMware's web site).


Jonathan Ham specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian Federal agencies. Jonathan has helped his clients achieve greater success for over 15 years, advising in both the public and private sectors, from small startups to the Fortune 500. He is the co-author and lead instructor of SANS "Network Forensics," and his upcoming book by the same title will be published by Prentice Hall in early 2012. Jonathan is a Certified Instructor with the SANS Institute.

Sherri Davidoff has more than a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing, and web application assessments. She has consulted for a wide variety of industries, including banking, insurance, health care, transportation, manufacturing, academia, and government institutions. Sherri is the co-author of the SANS training course "Network Forensics," and her upcoming book by the same title will be published by Prentice Hall in early 2012. She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.