CSI Network Forensics Overview
Practical Tools for Investigating and Preventing Computer Network Crimes
Duration: 3 days
Time: 0900 - 1800
Fee: $1,950 USD
Class Size: 12 - 20
Course Details:
Audience: Law Enforcement Computer Forensics Investigators and Corporate Security Personnel
Course Description
This 3-day hands-on workshop is aimed at law enforcement computer forensics investigators and corporate security personnel who already have a basic understanding of computer forensics. Participants gain practical skills to analyze network traffic to and from a suspect's computer, improve network security and reliability, and protect networks from malicious and criminal attacks. Each participant receives a training binder that includes Wireshark trace files and a DVD of networking and forensics tools.
Registration
To register for this class, please go to the registration page.
Learning Objectives
As a result of successful completion of this workshop, participants will be able to:
- Recognize traffic patterns associated with security breaches
- Legally tap into a network to identify reconnaissance activity, active attacks, and evidence of compromised systems
- Observe the network traffic generated when one computer infects another with a virus
- Deploy open-source tools to analyze network-based evidence
- Trace an email
- Recognize a phishing scheme
- Reconstruct web-browsing activity
- Research Internet Protocol addresses, names, and port numbers
- Analyze server logs
- Extract forensic information from Cisco routers and switches
Course Content
1) Day 1
- Network forensics overview and definitions
- Network forensics tools
- Understanding normal network traffic
- Service name to port number resolution
- Name to Internet Protocol (IP) address resolution
- Local versus remote resolution
- Media Access Control (MAC) address resolution
- Building a packet
- Lab: Use the open-source Wireshark protocol analyzer to examine normal network traffic
- Researching IP addresses
- Public versus private addresses
- Address assignment and Regional Internet Registries
- Geo-location of IP addresses
- Lab: Research IP addresses
- Researching TCP and UDP port numbers
- Understanding port numbers
- Using Internet Assigned Numbers Authority (IANA) documents
- Lab: Research port numbers
- Researching Domain Name System names
- Understanding DNS
- Using whois, nslookup, dig, dnsstuff.com, and other DNS tools
- Lab: Research DNS information
- Tracing an e-mail
- Understanding email full headers
- Recognizing faked headers
- Lab: Find the source of a phishing scheme
- Reconstructing a suspect's Web-browsing activity
- Parsing index.dat and cookie files
- Lab: Use open-source tools to reconstruct web-browsing activity
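As an added worked example covering two of the Day 1 items above, "public versus private addresses" and "tracing an e-mail" (this is editorial example code, not material from the workshop or its binder): the script parses the Received: chain of a constructed phishing message, walks it from the top until the chain leaves the analyst's own mail domain, takes the connecting IP recorded at that handoff as the origin, and reports which hops below it are sender-supplied and therefore unverifiable. The host names, addresses, the domain `victim.example`, and the `trace`/`parse_received`/`is_private` function names are assumptions made up for the example.

```python
"""Trace an e-mail back to its origin from the full headers (added example).

Each MTA prepends a Received: header, so the top header is the last hop and the
bottom one is (supposedly) the first. Only headers written by our own mail
servers can be trusted; everything below the point where the chain leaves our
domain was supplied by the sender and may be forged.
"""
import email
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample headers (not a real message): the top two hops were written
# by the victim's MTAs; the third was supplied by the sender to resemble a bank.
SAMPLE_HEADERS = """\
Received: from mx2.victim.example (mx2.victim.example [192.0.2.25])
\tby mailstore.victim.example with ESMTP id 4Fx9z0; Tue, 1 Jun 2010 09:15:02 -0400
Received: from mail.examplebank.com (unknown [203.0.113.77])
\tby mx2.victim.example with SMTP id 7Hk2; Tue, 1 Jun 2010 09:14:58 -0400
Received: from [10.0.0.5] (helo=webmail)
\tby mail.examplebank.com with esmtpa id 1OJ; Tue, 1 Jun 2010 09:14:50 -0400
From: "Example Bank Security" <alerts@examplebank.com>
To: customer@victim.example
Subject: Urgent: verify your account

Please log in at http://examplebank.com.login-verify.example/ now.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"             # host name the sender announced (HELO/EHLO)
    r"(?:\s+\((?P<paren>[^)]*)\))?"     # receiving MTA's own view: rDNS name and [ip]
    r"\s+by\s+(?P<by>\S+)",             # the MTA that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 plus loopback and link-local: addresses that cannot be researched in
# RIR whois. (The documentation ranges used in the sample count as public here.)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]
    ip: Optional[str]
    by: str
    trusted: bool = False


def parse_received(value: str) -> Optional[Hop]:
    text = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip_m = IP_RE.search(paren) or IP_RE.search(m.group("helo"))
    first = paren.split()[0] if paren else ""
    rdns = first if first and not first.startswith("[") and "=" not in first else None
    return Hop(m.group("helo"), rdns, ip_m.group(1) if ip_m else None, m.group("by"))


def trace(raw_message: str, own_domain: str) -> dict:
    msg = email.message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    own = own_domain.lower()
    boundary = None
    for hop in hops:                        # newest (top) to oldest (bottom)
        by = hop.by.lower().rstrip(".")
        if not (by == own or by.endswith("." + own)):
            break                           # the chain has left our servers
        hop.trusted = True
        boundary = hop                      # lowest hop our MTAs wrote: the handoff
    findings = []
    if boundary is None:
        findings.append("no Received header written by our own MTAs; origin unknown")
        return {"origin_ip": None, "findings": findings, "hops": hops}
    origin = boundary.ip
    if origin is None:
        findings.append("handoff hop records no connecting IP address")
    elif is_private(origin):
        findings.append(f"origin {origin} is a private address; the mail entered from inside the network")
    else:
        findings.append(f"origin {origin} is public; research it via RIR whois and reverse DNS")
    if boundary.rdns is None or boundary.rdns.lower() in ("unknown", "") \
            or boundary.rdns.lower() != boundary.helo.lower():
        findings.append(f"HELO name {boundary.helo!r} not confirmed by reverse DNS ({boundary.rdns})")
    untrusted = len(hops) - hops.index(boundary) - 1
    if untrusted:
        findings.append(f"{untrusted} Received header(s) below the handoff are attacker-supplied and unverifiable")
    return {"origin_ip": origin, "findings": findings, "hops": hops}


if __name__ == "__main__":
    result = trace(SAMPLE_HEADERS, "victim.example")
    for hop in result["hops"]:
        print("trusted  " if hop.trusted else "UNTRUSTED", hop.helo, hop.ip, "by", hop.by)
    print(*result["findings"], sep="\n")
```

The point of the trust boundary is that the bottom Received: line, the one that seems to say the bank's own webmail originated the message, costs the sender nothing to type; the only fact the investigator can rely on is the address the victim's own MTA saw connecting, here 203.0.113.77, which is then researched with whois and reverse DNS as in the labs above.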
2) Day 2
- Capturing network traffic
- Legal considerations
- Capturing full content data versus session data
- Network hardware taps
- Switch port mirroring
- Tapping into wired versus wireless networks
- Lab: Use Wireshark to analyze traffic that was captured using a tap
- Reconnaissance missions
- Port scans
- TCP flags scans
- IP scans
- OS Fingerprinting
- Application mapping scans
- Lab: Use Wireshark to analyze a reconnaissance mission
- Security breaches
- Spoofed MAC addresses
- Spoofed IP addresses
- Botnet infections
- Unauthorized applications
- Lab: Use Wireshark to analyze a security breach
- Active Attacks
- Viruses and worms
- Cracking passwords
- Denial of service attacks
- Poisoning DNS caches
- Poisoning ARP caches
- Lab: Use Wireshark to watch a suspected criminal in the process of attacking
- Reconnaissance and Attack Signatures
- Looking into packets for signatures
- Pattern signatures
- Header signatures
- Payload signatures
- Lab: Use Wireshark to find signatures of attacks
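As an added worked example for the Day 2 items on reconnaissance (port scans, TCP flag scans) and header signatures (this is editorial example code, not a workshop lab): the script runs a scan detector over a constructed packet summary in the shape one would export from Wireshark or tshark (time, source, source port, destination, destination port, TCP flags). It flags a source that probes many ports with bare SYNs, counts the RST/ACK replies that mark closed ports, and recognises NULL, FIN and Xmas probes purely from their flag combinations. The addresses, the `find_scanners`/`flag_signature` names and the threshold of 10 ports are assumptions for the example.

```python
"""Find port-scan and flag-scan signatures in a packet summary (added example).

Each record mimics fields exported from Wireshark/tshark:
(time, ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags as letters).
The traffic is constructed for this example, not a real capture.
"""
from collections import defaultdict
from typing import Optional

SCANNER, TARGET, CLIENT = "192.0.2.10", "198.51.100.5", "192.0.2.20"
SAMPLE = []
# SYN sweep of 12 well-known ports; the target answers SYN/ACK on the two open
# ports and RST/ACK on the closed ones.
for i, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)):
    SAMPLE.append((0.010 * i, SCANNER, 40001, TARGET, port, "S"))
    SAMPLE.append((0.010 * i + 0.001, TARGET, port, SCANNER, 40001,
                   "SA" if port in (22, 80) else "RA"))
# Flag scans: Xmas (FIN+PSH+URG), NULL (no flags) and FIN-only probes. None of
# these is a legal way to open a connection, so the flags alone are the signature.
SAMPLE += [
    (0.20, SCANNER, 40002, TARGET, 22, "FPU"),
    (0.21, SCANNER, 40003, TARGET, 80, "FPU"),
    (0.22, SCANNER, 40004, TARGET, 22, ""),
    (0.23, SCANNER, 40005, TARGET, 443, "F"),
]
# A normal client: three-way handshake to one port, then data. Must not be flagged.
SAMPLE += [
    (0.30, CLIENT, 51515, TARGET, 443, "S"),
    (0.301, TARGET, 443, CLIENT, 51515, "SA"),
    (0.302, CLIENT, 51515, TARGET, 443, "A"),
    (0.35, CLIENT, 51515, TARGET, 443, "PA"),
]


def flag_signature(flags: set) -> Optional[str]:
    """Header signature of a probe that could never be a legitimate connection attempt."""
    if not flags:
        return "NULL scan (no flags set)"
    if flags == {"F", "P", "U"}:
        return "Xmas scan (FIN+PSH+URG)"
    if flags == {"F"}:
        return "FIN scan (FIN without ACK)"
    return None


def find_scanners(packets, port_threshold=10):
    """Report sources that sweep many ports with bare SYNs or send illegal flag sets."""
    syn_ports = defaultdict(set)    # src -> distinct ports probed with SYN only
    open_ports = defaultdict(set)   # prober -> ports that answered SYN/ACK
    closed = defaultdict(int)       # prober -> RST/ACK replies received (closed ports)
    probes = defaultdict(list)      # src -> (dport, signature) for flag scans
    for _t, src, sport, dst, dport, flags in packets:
        f = set(flags)
        if f == {"S"}:
            syn_ports[src].add(dport)
        elif f == {"S", "A"}:
            open_ports[dst].add(sport)
        elif f == {"R", "A"}:
            closed[dst] += 1
        sig = flag_signature(f)
        if sig:
            probes[src].append((dport, sig))
    report = {}
    for src in sorted(set(syn_ports) | set(probes)):
        findings = []
        if len(syn_ports[src]) >= port_threshold:
            findings.append(
                f"SYN scan: {len(syn_ports[src])} distinct ports probed, "
                f"{closed[src]} RST/ACK replies, open: {sorted(open_ports[src])}")
        findings += [f"{sig} to port {dport}" for dport, sig in probes[src]]
        if findings:
            report[src] = findings
    return report


if __name__ == "__main__":
    for src, findings in find_scanners(SAMPLE).items():
        print(src)
        for line in findings:
            print("  ", line)
```

The SYN sweep is a pattern signature (one source, many destination ports, one SYN each, a burst of RST/ACKs coming back), while the Xmas, NULL and FIN probes are header signatures that a single packet gives away; the normal client's handshake to one port never reaches the threshold and produces no finding, which is the "normal versus suspect" comparison the labs ask for.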
3) Day 3
- Introduction to server logs
- Web, email, DHCP, and DNS server logs and how they differ
- Introduction to syslog
- Introduction to Windows event logs
- Tools for log analysis
- Lab: Analyze an Apache web server log
- Introduction to router and switch forensics
- Cisco router and switch architecture
- Cisco logging destinations (console versus buffer, terminal, and syslog)
- Attacks on routers
- Attacks on switches
- Router and switch attack incident response
- Cisco "show" commands
- Lab: Analyze output from Cisco show commands
- Putting it all together
- Comparing normal traffic to suspect traffic
- Comparing tools and their applications
- Lab: Use Wireshark to analyze an attack on a Cisco router
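As an added worked example for the Day 3 lab on analysing an Apache web server log (editorial example code, not the workshop's lab material): the script parses constructed lines in Apache's combined log format, identifies a host that is probing for pages (many 404s across distinct paths), and matches payload signatures for directory traversal, SQL injection and command execution against the URL-decoded request path so that percent-encoding, including double encoding, does not hide them. The log lines, addresses, the `analyze`/`match_signatures` names and the three-404 threshold are assumptions for the example.

```python
"""Spot scanning and attack signatures in an Apache combined log (added example).

The log lines are constructed for this example. A host that racks up 404s across
many distinct paths is probing for what exists; payload signatures are matched on
the decoded path because attackers encode them to slip past naive filters.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
198.51.100.23 - - [01/Jun/2010:09:12:01 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jun/2010:09:12:02 -0400] "GET /images/logo.png HTTP/1.1" 200 8834 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2010:09:40:11 -0400] "GET /admin/ HTTP/1.0" 404 209 "-" "Mozilla/4.75"
203.0.113.9 - - [01/Jun/2010:09:40:11 -0400] "GET /phpmyadmin/ HTTP/1.0" 404 209 "-" "Mozilla/4.75"
203.0.113.9 - - [01/Jun/2010:09:40:12 -0400] "GET /cgi-bin/test.cgi HTTP/1.0" 404 209 "-" "Mozilla/4.75"
203.0.113.9 - - [01/Jun/2010:09:40:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "Mozilla/4.75"
203.0.113.9 - - [01/Jun/2010:09:40:13 -0400] "GET /cgi-bin/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 403 214 "-" "Mozilla/4.75"
203.0.113.9 - - [01/Jun/2010:09:40:14 -0400] "GET /login.php?user=admin%27%20OR%201=1-- HTTP/1.0" 200 1203 "-" "Mozilla/4.75"
192.0.2.44 - - [01/Jun/2010:10:02:30 -0400] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/login.php" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

SIGNATURES = [
    ("directory traversal", re.compile(r"\.\.[\\/]|/etc/passwd|boot\.ini", re.I)),
    ("SQL injection", re.compile(r"'\s*(or|and)\s|union\s+select", re.I)),
    ("command execution", re.compile(r"cmd\.exe|/bin/sh|;\s*(cat|id|wget)\b", re.I)),
]


def decode_path(path: str) -> str:
    # Decode twice: a double-encoded %255c becomes %5c and then a backslash.
    return unquote(unquote(path))


def match_signatures(path: str) -> list:
    decoded = decode_path(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def analyze(log_text: str, not_found_threshold: int = 3):
    """Per-host request counts, 404 counts and matched signatures; also unparsed lines."""
    hosts = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "signatures": []})
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1          # keep a count: gaps in the log are evidence too
            continue
        h = hosts[m["host"]]
        h["requests"] += 1
        h["paths"].add(m["path"])
        if m["status"] == "404":
            h["not_found"] += 1
        for name in match_signatures(m["path"]):
            h["signatures"].append((name, m["path"]))
    report = {}
    for host, h in hosts.items():
        flags = []
        if h["not_found"] >= not_found_threshold:
            flags.append(f"probing: {h['not_found']} x 404 across {len(h['paths'])} distinct paths")
        flags += [f"{name}: {path}" for name, path in h["signatures"]]
        report[host] = {"requests": h["requests"], "not_found": h["not_found"], "flags": flags}
    return report, unparsed


if __name__ == "__main__":
    report, unparsed = analyze(SAMPLE_LOG)
    for host, summary in report.items():
        print(host, summary["requests"], "requests,", summary["not_found"], "x 404")
        for flag in summary["flags"]:
            print("   ", flag)
    print(unparsed, "unparsed line(s)")
```

Two design points carry over to real logs: match on the decoded path (the `%255c` line would match nothing in its raw form), and keep the 404 heuristic separate from the payload signatures, since a scanner that only requests well-known paths never trips a payload rule, while a targeted attacker may send a single well-crafted request with no 404s at all.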