About the course

Imagine a far-reaching incident with key infrastructure affected. Several hosts with crucial digital evidence are down. No event logs, no evidence of execution, no filesystem metadata. You want to know what malware is responsible and how it was delivered. Network forensics will help. But how is it done? Where do you start? What needs to be analyzed?

To help resolve such situations, Group-IB has developed a course called “Advanced Network Forensics”. It is focused on two things:

  • What must be analyzed? How to obtain the necessary data to investigate?
  • How to analyze the data obtained? What effort does it take?

Network forensics skills are needed not only to investigate the most critical security incidents. They also apply to proactive defense and can greatly enrich the endpoint forensics process, so they are far from superfluous.

Key topics covered:

  • Types of network digital evidence
  • Challenges of large-scale infrastructure
  • Methods of network evidence acquisition
  • Open-source network monitoring solutions
  • Techniques of network traffic analysis
  • Overview of cyber threat intelligence sources to enrich network artifacts

Skills acquired:

  • Collecting network digital evidence
  • Performing incident investigations of any complexity using network artifacts
  • Properly applying CTI to network forensics

Target participants:

  • Information security specialists
  • Incident responders
  • SOC/CERT analysts
  • Digital forensics specialists

Requirements:

  • Knowledge of network layers, network protocols, header fields
  • Ability to explain what happens after putting “google.com” in a web browser
  • Familiarity with data query languages (e.g., Kibana Query Language) and logical operators

Course program

Day 1

Theory
Demonstration
Practice

On day one participants are introduced to the basics of network forensics. Topics include the four-step process, types of network digital evidence and how to acquire them, and basic techniques of analyzing network traffic. Cyber threat intelligence sources are used to enrich the network artifacts under analysis.

One of the practice tasks is to apply the investigation methods to IDS/IPS alerts. The final part of the day is dedicated to identifying common problems in network forensics and possible ways to solve them.

Day 2

Theory
Demonstration
Practice

Day two starts with the basics of open-source network monitoring solutions based on the ELK (Elasticsearch, Logstash, Kibana) stack. Attendees take part in an incident investigation by analyzing only NetFlow, web server access, and proxy server logs.
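To give a feel for what the Day 2 exercise (and the Day 1 CTI enrichment) involves, here is an added illustration written for this page; it is not course material from Group-IB and not part of the original description. It takes a constructed NetFlow export and a few constructed Squid-style proxy log lines, flags client/server pairs whose connections are spaced at near-constant intervals (the beaconing pattern typical of command-and-control), then pulls the matching proxy entries and checks the server IP and hostnames against a constructed indicator list. All addresses are RFC 5737 documentation ranges, and the domain and indicators are hypothetical.

```python
"""Added example: beacon hunting over NetFlow + proxy logs with CTI enrichment.

Constructed sample data; RFC 5737 addresses and hypothetical indicators only.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed NetFlow export (CSV): unix_ts,src,dst,dst_port,bytes
NETFLOW = """\
1700000000,10.0.0.15,203.0.113.7,443,1420
1700000060,10.0.0.15,203.0.113.7,443,1398
1700000120,10.0.0.15,203.0.113.7,443,1410
1700000180,10.0.0.15,203.0.113.7,443,1402
1700000240,10.0.0.15,203.0.113.7,443,1415
1700000013,10.0.0.22,198.51.100.4,443,52310
1700000507,10.0.0.22,198.51.100.4,443,8821
1700001201,10.0.0.22,198.51.100.4,443,1102
1700001250,10.0.0.22,198.51.100.4,443,640
"""

# Constructed Squid native access.log lines:
# ts elapsed client result/status bytes method url ident hierarchy/peer mime
PROXY = """\
1700000000.123 312 10.0.0.15 TCP_MISS/200 1420 GET http://cdn-updates.example/u.php?id=7 - HIER_DIRECT/203.0.113.7 text/html
1700000060.201 298 10.0.0.15 TCP_MISS/200 1398 GET http://cdn-updates.example/u.php?id=7 - HIER_DIRECT/203.0.113.7 text/html
1700000120.087 305 10.0.0.15 TCP_MISS/200 1410 POST http://cdn-updates.example/u.php?id=7 - HIER_DIRECT/203.0.113.7 text/html
1700000013.440 1201 10.0.0.22 TCP_TUNNEL/200 52310 CONNECT www.example.org:443 - HIER_DIRECT/198.51.100.4 -
"""

# Constructed threat-intel indicators (hypothetical, for illustration only).
CTI = {
    "203.0.113.7": "C2 server (constructed indicator)",
    "cdn-updates.example": "malware distribution domain (constructed indicator)",
}


def parse_netflow(text):
    """Parse the CSV NetFlow export into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def parse_proxy(text):
    """Parse Squid native log lines; the host comes from the URL, the peer from the hierarchy field."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10:
            continue
        ts, _elapsed, client, result, nbytes, method, url, _ident, hier, _mime = parts
        if "://" in url:
            host = urlsplit(url).hostname
        else:                       # CONNECT requests are logged as "host:port"
            host = url.rsplit(":", 1)[0]
        peer = hier.split("/", 1)[1] if "/" in hier else None
        entries.append({"ts": float(ts), "client": client, "status": result,
                        "bytes": int(nbytes), "method": method, "url": url,
                        "host": host, "peer": peer})
    return entries


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-flow gaps are nearly constant.

    Beaconing implants connect on a timer, so the coefficient of variation
    (stdev / mean) of the gaps is small; interactive traffic is irregular.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append({"src": src, "dst": dst, "flows": len(stamps),
                            "interval_s": float(avg)})
    return beacons


def enrich(beacons, proxy_entries, cti):
    """Attach the proxy-visible hosts/URLs and any CTI hits to each beaconing pair."""
    findings = []
    for b in beacons:
        related = [e for e in proxy_entries
                   if e["client"] == b["src"] and e["peer"] == b["dst"]]
        hosts = sorted({e["host"] for e in related if e["host"]})
        urls = sorted({e["url"] for e in related})
        hits = [cti[i] for i in [b["dst"], *hosts] if i in cti]
        findings.append({**b, "hosts": hosts, "urls": urls, "cti": hits})
    return findings


def triage(netflow_text, proxy_text, cti):
    """Full pipeline: NetFlow -> beacon candidates -> proxy + CTI enrichment."""
    return enrich(find_beacons(parse_netflow(netflow_text)),
                  parse_proxy(proxy_text), cti)


if __name__ == "__main__":
    for f in triage(NETFLOW, PROXY, CTI):
        print(f"{f['src']} -> {f['dst']} every {f['interval_s']:.0f}s "
              f"({f['flows']} flows); hosts={f['hosts']}; cti={f['cti']}")
```

The point of the exercise is that NetFlow alone shows only that 10.0.0.15 talks to 203.0.113.7 on a fixed 60-second timer; the proxy log supplies the hostname and URL behind that connection, and the indicator list turns the pair into an attributable finding. On real data the thresholds (`min_flows`, `max_cv`) need tuning, since NTP, update checks and monitoring agents also beacon regularly.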

Takeaways:

  • Lecture videos and materials used during the training
  • Certificate
  • Valuable experience and information that can be put into practice and used professionally