CSI Network Forensics Analysis
Practical techniques for analyzing suspicious network traffic
Duration: 3 days
Time: 0900 - 1800
Fee: $1,950 USD
Class Size: 12 - 20
Course Details:
Audience: This course is designed for Law Enforcement Personnel as well as Network Security professionals who possess basic to intermediate general security and networking knowledge. Successful completion of this course will provide these individuals with a pathway into the field of Network Forensics Analysis. Personnel who already possess a working knowledge of Host-based Forensics Analysis will also attend this course as a means of gaining expertise in the End-to-End Digital Forensics process.
Course Prerequisites:
For maximum effectiveness, attendees should have at least basic familiarity with TCP/IP networking and basic network infrastructure devices such as switches, routers, etc. Attendees will also be required to bring their own laptop.
Course Description
Network Forensics Analysis encompasses not only the skill of capturing suspicious data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigative techniques focusing on the use of vendor-neutral, Open-Source Tools to provide insight into the following areas:
- Forensics Analysis fundamentals
- Data Recorder technology and data-mining
- Network security principles including encryption technologies and defensive configurations of network infrastructure devices
- Security threat recognition of common user protocols including IP-related protocols (IP / TCP / ARP / ICMP), email protocols (POP / SMTP / IMAP) and common user Internet-based protocols
- Open-Source Network Forensics Tools
- Specialized Network Forensics Analysis techniques including suspicious data traffic reconstruction and viewing techniques as well as recognition and analysis of common exploits and attacks
Real-world examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field-proven, practical Forensics Analysis skills. Attendees will receive a training binder including numerous reference Wireshark trace files and a DVD with networking and forensics tools, as well as a library of Network Forensics Analysis reference documents.
Course Objectives
As a result of successful completion of this workshop, participants will be able to:
- Understand the principles of Network Forensics Analysis and how to apply them
- Select and configure various Open-Source tools for Network Forensics Analysis
- Utilize these tools to recognize traffic patterns associated with suspicious network behavior
- Reconstruct suspicious activities such as emails, file transfers or web browsing for detailed analysis and evidentiary purposes
- Understand and recognize potential network security infrastructure misconfigurations
Course Content
DAY 1
- Introduction To Network Forensic Analysis
i) Overview and history of Network Forensics Analysis
ii) Five key questions
iii) Six Step Network Forensics Analysis Methodology
- Collecting the Data – Data Capture and Statistical Forensics Analysis
i) Data Collection
(1) Location – How Network Infrastructure Devices Affect Forensics Analysis
(a) Switches, Bridges, Routers, Firewalls and CSU / DSU
(2) Stealth / Silent Collection of Data
Case Study #1 – Firewall Capture and the Welchia Worm penetration
Hands-on Lab / Exercise #1 – Getting Acquainted – Just how Data is out There?
ii) Technology Challenges - Forensics Analysis in Wired and WLAN Environments
(1) Layer 2 vs. Layer 3 vs. Layer 4 Addressing
(2) IEEE 802.3 Ethernet vs. IEEE 802.11 Frame Formats
(3) Using Names as a Forensics Analysis Aid
(4) WLAN Device Analysis
(5) Forensic Assessment of Protocol Statistics
Hands-on Lab / Exercise #2 - Analyzing Node and Protocol Statistics for suspicious activities
iii) Forensic Evaluation of Statistical Network Data
(1) Assessment of Key Network and Forensics Statistics
(2) Analyzing the 3 Different Network Communication Architectures
(3) Analyzing Suspicious Conversations and Activities
(4) Interpreting Protocol Decodes and Packet File Navigation Tips
Hands-on Lab / Exercise #3 - Statistical Assessment of the Network
Hands-on Lab / Exercise #4 – Protocol and Conversation Forensic Analysis
DAY 2
iv) Forensics Analysis Using Expert Systems
(1) Using Expert Systems to Determine Suspicious Activity
(2) Determining Which Conversations Have Problems - Analyzing Latency and Throughput
Hands-on Lab / Exercise #5 – A Tale of Two Networks
v) Protocol and Conversation Forensic Analysis
(1) Analyzing the 3 Different Network Communication Architectures
(2) Analyzing Suspicious Conversations and Activities
(3) Interpreting Protocol Decodes and Packet File Navigation Tips
Hands-on Lab / Exercise #6 – Protocol and Conversation Forensic Analysis
vi) Forensic Filtering Techniques
(1) Constructing and Applying Specialty Forensics Filters
(2) Importing / Exporting Filters
Case Study #2 – Locating key Text-Strings & Identifying Information
Hands-on Lab / Exercise #7 – Advanced Filtering for Forensic Analysis
vii) Tracking and Reconstruction of Packet Flows
(1) Diagramming and Interpreting a Conversation
(2) Packet Flow Reconstruction and Analysis
(3) Deep-Level Forensic Analysis of Packet Contents
Case Study #3 – Reconstructing Suspicious Multiple Segment Conversations
Hands-on Lab / Exercise #8 – Diagramming a Conversation – Packets Never Lie
c) Forensics Analysis of Network Applications and User Traffic
i) Forensics Analysis of IP
(1) Structure and Analysis of IPv4 vs. IPv6
(2) IP Fragmentation, IP Header Checksums and Forensic analysis of IPv4 Option fields
(3) Common IP Exploits and Examples of Intrusion Signatures
Hands-on Lab / Exercise #9 – Evaluating IP Security
DAY 3
ii) Internet Control Message Protocol (ICMP) and Network Forensics
(1) Structure and Analysis of ICMP
(2) Analyzing ICMP Messages and Suspicious ICMP Traffic Analysis
Hands-on Lab / Exercise #10 – Forensic Analysis of ICMP
Case Study #4 – Who is Knocking on the Door – Identifying a Network Mapping Intrusion
iii) Forensics Analysis of TCP
(1) Structure and Analysis of TCP
(2) TCP Header Checksums and Forensic Analysis of TCP Option fields
(3) Common TCP Exploits and Examples of Intrusion Signatures
Case Study #5 – Determining the Source of a TCP SYN Flood Attack
iv) Forensic Analysis of User Traffic and Common User Protocol Exploits
(1) Email Applications Using POP / SMTP / IMAP
(2) Web-Based Applications Using HTTP
(3) VoIP Applications
Hands-on Lab / Exercise #11 – Forensic Analysis of User Traffic
Hands-on Lab / Exercise #12 – VoIP Call Interception and Playback
Case Study #5 – Application Reconstruction – Email / Web / Instant Messenger / File Transfers
v) Challenge Hands-on Labs / Exercises
Hands-on Lab / Exercise #13 – What is Happening to my Email Server?
Hands-on Lab / Exercise #14 – Who is Scanning the Network?
Hands-on Lab / Exercise #15 – What a Mess! – Multiple Threats and Simultaneous Attacks
vi) Appendix 1 – Forensic Analysis Reference Information