Network Forensics: Black Hat Release

Jonathan Ham & Sherri Davidoff (LMG Security) | August 2-5

Enterprises all over the globe are compromised remotely by hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers’ footprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more.

From the authors of “Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012) comes Network Forensics: Black Hat Release. Taught by the authors themselves, this fast-paced class covers packet analysis, statistical flow record analysis, wireless forensics, intrusion detection and analysis, network tunneling, and malware network behavior, all packed into a dense 4 days with hands-on technical labs throughout.

Carve suspicious email attachments out of packet captures. Analyze a real-world wireless encryption-cracking attack from captured traffic, then crack the key yourself. Dissect DNS-tunneled traffic and learn to carve TCP segments with nothing but your eyes and a hex editor. Use flow record analysis tools to pick out brute-force attacks and home in on compromised systems as the attacker pivots through the enterprise. Reconstruct a suspect’s web surfing history, and the cached web pages themselves, from a web proxy. Pick apart the Operation Aurora exploit as caught by a network sniffer.
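The flow-record triage mentioned above (brute-force burst, then pivot) is the kind of analysis flow tools make quick. The following is an added example written for this page, not lab material from the class or code from the book or its authors: it parses a constructed, simplified unidirectional flow export (start time, source, destination, destination port, packets, bytes), flags a (src, dst) pair that generated many short flows to one port inside a time window, looks for the long session that follows a successful login, and then lists the hosts the victim itself reached on admin ports afterwards. The thresholds, the record layout and the addresses are all assumptions chosen for the sample data.

```python
"""Flow-record triage: brute-force burst followed by a pivot.

Added example. The CSV layout below is a constructed, simplified
unidirectional flow record, not the export format of any specific tool.
"""
from collections import defaultdict

# Constructed sample flows: start (seconds), src, dst, dport, packets, bytes.
# 10.0.5.23 hammers 10.0.1.10:22 with short flows, then gets one long
# session; 10.0.1.10 later opens SSH and SMB to neighbours (the pivot).
FLOW_CSV = """\
start,src,dst,dport,packets,bytes
100,10.0.5.23,10.0.1.10,22,9,1320
101,10.0.5.23,10.0.1.10,22,9,1310
102,10.0.5.23,10.0.1.10,22,8,1290
103,10.0.5.23,10.0.1.10,22,9,1330
104,10.0.5.23,10.0.1.10,22,9,1300
105,10.0.5.23,10.0.1.10,22,8,1280
106,10.0.5.23,10.0.1.10,22,9,1310
107,10.0.5.23,10.0.1.10,22,9,1320
120,10.0.5.23,10.0.1.10,22,412,61200
130,10.0.3.7,10.0.1.10,443,40,18900
300,10.0.1.10,10.0.1.11,22,350,50100
305,10.0.1.10,10.0.1.12,445,220,40300
310,10.0.2.4,10.0.1.50,443,30,9800
"""


def parse_flows(text):
    """Turn the CSV text into a list of dicts with numeric fields converted."""
    rows = text.strip().splitlines()
    header = rows[0].split(",")
    flows = []
    for line in rows[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in ("start", "dport", "packets", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def find_bruteforce(flows, port=22, window=60, min_attempts=6, max_packets=15):
    """Flag (src, dst) pairs with >= min_attempts short flows to `port`
    whose start times fall inside any `window`-second span.
    A short flow (few packets) is what a failed login looks like; thresholds
    are assumptions tuned to the sample data."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["dport"] == port and f["packets"] <= max_packets:
            by_pair[(f["src"], f["dst"])].append(f["start"])
    hits = []
    for (src, dst), starts in by_pair.items():
        starts.sort()
        lo = 0
        for hi in range(len(starts)):          # sliding window over start times
            while starts[hi] - starts[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_attempts:
                hits.append({"src": src, "dst": dst, "port": port,
                             "attempts": len(starts),
                             "first": starts[0], "last": starts[-1]})
                break
    return hits


def find_success(flows, hit, min_packets=100):
    """After a burst, a successful login shows up as one long flow on the
    same (src, dst, port) tuple. Returns that flow or None."""
    for f in flows:
        if ((f["src"], f["dst"], f["dport"]) == (hit["src"], hit["dst"], hit["port"])
                and f["start"] >= hit["last"] and f["packets"] >= min_packets):
            return f
    return None


def find_pivots(flows, victim, after, ports=(22, 445, 3389)):
    """Flows the suspected victim initiated to other hosts on admin ports
    at or after the time of compromise."""
    return [f for f in flows
            if f["src"] == victim and f["start"] >= after and f["dport"] in ports]


def triage(text):
    """Run the three steps and return one report entry per brute-force pair."""
    flows = parse_flows(text)
    report = []
    for hit in find_bruteforce(flows):
        success = find_success(flows, hit)
        pivots = find_pivots(flows, hit["dst"], success["start"]) if success else []
        report.append({"attacker": hit["src"], "victim": hit["dst"],
                       "attempts": hit["attempts"],
                       "success_at": success["start"] if success else None,
                       "pivot_targets": sorted({f["dst"] for f in pivots})})
    return report


if __name__ == "__main__":
    for entry in triage(FLOW_CSV):
        print(entry)
```

On real exports the same logic needs adjusting: many collectors emit bidirectional or aggregated records, a vulnerability scanner also produces bursts of short flows, and a long session after a burst is only suggestive until host or authentication logs confirm the login. The point of the exercise is to narrow thousands of flows down to the few (attacker, victim, pivot target) tuples worth pulling full packet captures for.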

Forensic investigators must be savvy enough to find network-based evidence, preserve it, and extract what matters from it. Network Forensics will give you hands-on experience analyzing covert channels, carving cached web pages out of proxies, identifying attackers and victims using flow records, carving malware from packet captures, and correlating the evidence to build a solid case.

Network Forensics will teach you how to follow the attacker’s footprints and analyze evidence from the network environment. Every student will receive a fully loaded virtual forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Who Should Take This Course

• Information security professionals with some background in hacker exploits, penetration testing, and incident response
• Incident response team members who are responding to complex security incidents and intrusions and need to use network forensics to help solve their cases
• Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of other network-based evidence
• Network and computer forensic professionals who want to solidify and expand their understanding of network forensics and incident response
• Networking professionals who would like to branch out into forensics in order to understand the information security implications of their work and take part in investigations
• Anyone with a firm technical background who might be asked to investigate a data breach, an intrusion case, or individuals considered technically savvy

Student Requirements

Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

What Students Should Bring

Students must bring a laptop with at least 2GB of RAM, a DVD drive, a USB port, and the latest version of VMware Workstation or Player preinstalled and licensed (evaluation licenses are available from VMware’s web site).

What Students Will Be Provided With

• Lab workbook
• Textbook, “Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012).
• DVD/USB media containing the lab exercises


Jonathan Ham specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian Federal agencies. Jonathan has helped his clients achieve greater success for over 20 years, advising in both the public and private sectors, from small startups to the Fortune 500. He is the co-author of “Network Forensics: Tracking Hackers Through Cyberspace," published by Prentice Hall.

Sherri Davidoff is a principal and Senior Security Consultant at LMG Security. She has over a dozen years of experience as an information security professional, specializing in digital forensics, security awareness training, penetration testing and web security assessments. She is the co-author of the textbook "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.