
Network Forensics: Black Hat Release

Jonathan Ham & Scott Fretheim & Sherri Davidoff | July 27-30

Registration deadlines: May 31, July 24, July 30.

Enterprises all over the globe are compromised remotely by hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers’ footprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more.

From the authors of “Network Forensics: Tracking Hackers Through Cyberspace” (Prentice Hall, 2012) comes Network Forensics: Black Hat Release. Taught by the authors themselves, this fast-paced class covers packet analysis, statistical flow record analysis, wireless forensics, intrusion detection and analysis, network tunneling, and malware network behavior, all packed into a dense 4 days, with hands-on technical labs throughout.

Carve out suspicious email attachments from packet captures. Analyze a real-world wireless encryption-cracking attack (and then crack the key yourself) from captured traffic. Dissect DNS-tunneled traffic and learn to carve TCP segments with just your eyeballs and a hex editor. Use flow record analysis tools to pick out brute-force attacks and home in on compromised systems as the attacker pivots through the enterprise. Reconstruct a suspect’s web surfing history (and cached web pages, too) from a web proxy. Pick apart the Operation Aurora exploit, caught by a network sniffer.
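To show what the flow-record part of that work looks like in practice, here is an added example that is not part of the course materials or the authors' forensics workstation. It parses constructed NetFlow-style records (the record layout, thresholds, and every IP address below are made up for illustration), flags source/destination/port triples that show a burst of short connections typical of failed logins, and then chains the findings to spot a host that was brute-forced and later started brute-forcing others, which is the pivot pattern the paragraph describes.

```python
"""Flow-record triage for brute-force logins and lateral pivoting.

Added illustration, not course code. Input records are constructed;
the field layout (start src dst dport packets bytes) is an assumption
standing in for whatever a flow exporter actually produces.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float    # seconds since start of the collection period
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


# Constructed sample records: start src dst dport packets bytes.
# 10.0.0.5 hammers 192.168.1.10:22 with short flows, then gets one long
# session; later 192.168.1.10 itself starts hammering 192.168.1.20:22.
SAMPLE_FLOWS = """\
0.0    10.0.0.5      192.168.1.10  22   8    1200
1.5    10.0.0.5      192.168.1.10  22   8    1180
3.1    10.0.0.5      192.168.1.10  22   8    1210
4.4    10.0.0.5      192.168.1.10  22   8    1190
6.0    10.0.0.5      192.168.1.10  22   8    1200
7.2    10.0.0.5      192.168.1.10  22   8    1195
9.0    10.0.0.5      192.168.1.10  22   240  38000
2.0    10.0.0.7      192.168.1.10  22   310  52000
5.0    10.0.0.8      192.168.1.10  443  6    900
15.0   10.0.0.8      192.168.1.10  443  6    910
30.0   10.0.0.8      192.168.1.10  443  6    905
120.0  192.168.1.10  192.168.1.20  22   8    1200
121.0  192.168.1.10  192.168.1.20  22   8    1200
122.0  192.168.1.10  192.168.1.20  22   8    1200
123.0  192.168.1.10  192.168.1.20  22   8    1200
124.0  192.168.1.10  192.168.1.20  22   8    1200
125.5  192.168.1.10  192.168.1.20  22   8    1200
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        start, src, dst, dport, pkts, nbytes = line.split()
        flows.append(Flow(float(start), src, dst, int(dport), int(pkts), int(nbytes)))
    return flows


def find_brute_force(flows, *, min_attempts=5, window=60.0, max_packets=12):
    """Return {(src, dst, dport): short_flow_count} for triples with at least
    `min_attempts` short flows (<= max_packets packets, i.e. a login that never
    got past the handshake) whose start times fit inside a `window`-second span.
    Thresholds are illustrative and should be tuned to the environment."""
    starts = defaultdict(list)
    for f in flows:
        if f.packets <= max_packets:
            starts[(f.src, f.dst, f.dport)].append(f.start)
    hits = {}
    for key, times in starts.items():
        times.sort()
        # Slide a window of min_attempts consecutive start times.
        for i in range(len(times) - min_attempts + 1):
            if times[i + min_attempts - 1] - times[i] <= window:
                hits[key] = len(times)
                break
    return hits


def find_pivots(flows, hits):
    """Chain findings: a brute-force target that later becomes a brute-force
    source is a likely compromised pivot. Returns sorted
    (original_source, pivot_host, next_target) triples."""
    first_attempt = {}
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key in hits:
            first_attempt[key] = min(first_attempt.get(key, f.start), f.start)
    pivots = []
    for (src, dst, _), t0 in first_attempt.items():
        for (src2, dst2, _), t1 in first_attempt.items():
            if src2 == dst and t1 > t0:
                pivots.append((src, dst, dst2))
    return sorted(pivots)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = find_brute_force(flows)
    for (src, dst, dport), n in sorted(hits.items()):
        print(f"brute force: {src} -> {dst}:{dport} ({n} short flows)")
    for origin, pivot, target in find_pivots(flows, hits):
        print(f"pivot: {origin} compromised {pivot}, which then attacked {target}")
```

The short-flow heuristic is deliberately crude: it only needs packet counts and start times, which is exactly what survives in flow records after the payload is gone, and the long 240-packet session that follows the burst is the kind of "first successful login" an analyst would pull the full packet capture for next.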

Forensic investigators must be savvy enough to find, preserve and extract network-based evidence. Network Forensics will give you hands-on experience analyzing covert channels, carving cached web pages out of proxies, identifying attackers and victims using flow records, carving malware from packet captures, and correlating the evidence to build a solid case.

Network Forensics will teach you how to follow the attacker’s footprints and analyze evidence from the network environment. Every student will receive a fully loaded virtual forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Blog Post: Videos of Blackhole Attack on Bank of America Customers


Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

What Materials Students Will Receive

What Students Should Bring To This Course

Students must bring a laptop with at least 2GB of RAM, a DVD drive, a USB port, and VMware Workstation or Player preinstalled and licensed (evaluation licenses are available from VMware’s web site).


Jonathan Ham specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian Federal agencies. Jonathan has helped his clients achieve greater success for over 15 years, advising in both the public and private sectors, from small startups to the Fortune 500. He is the co-author and lead instructor of SANS "Network Forensics," and co-author of “Network Forensics: Tracking Hackers Through Cyberspace,” published by Prentice Hall.

Scott Fretheim is an experienced web application penetration tester and risk assessment consultant. He advises clients regarding risk management and risk analysis, and enjoys conducting security training seminars. Scott is a primary author of several network forensics contests, including the "L33t Pill" series which was first released at DEFCON 2011. Scott is a GIAC Certified Web Application Penetration Tester (GWAPT) and holds his B.S. in Management of Information Systems.

Sherri Davidoff has more than a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments. She has consulted for a wide variety of industries, including banking, insurance, health care, transportation, manufacturing, academia, and government institutions. Sherri is the co-author of the SANS training course "Network Forensics," and her upcoming book by the same title will be published by Prentice Hall in early 2012. She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.