Friday CLOSED

Timings 10.00 am - 08.00 pm

Call : 021-3455-6664, 0312-216-9325 DHA 021-35344-600, 03333808376, ISB 03333808376

Advanced Network Forensics- Threat Hunting, Analysis, and Incident Response


by fatima
Price: 260,000 PKR
2 Months
0 Lessons


Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. SANS FOR572 covers the tools, technology, and processes required to integrate network evidence sources into your investigations to provide better findings, and to get the job done faster.


Course Key Learnings

  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker’s command-and-control abilities and actions
  • Decrypt captured SSL/TLS traffic to identify attackers’ actions and what data they extracted from the victim
  • Use data from typical network protocols to increase the fidelity of the investigation’s findings
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Learn how attackers leverage meddler-in-the-middle tools to intercept seemingly secure communications
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems
  • Analyze wireless network traffic to find evidence of malicious activity
  • Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
  • Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions and threat actors

Course Content: 

Module 1: Off the Disk and Onto the Wire

Overview

Focus: Although many fundamental network forensic concepts align with those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.


Exercises
  • Lab Environment Preparation
  • tcpdump and Wireshark Hands-On
  • Carve Exfiltrated Data
Topics
  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions – commercial and open source
    • Squid proxy server
    • Configuration
      • Logging
      • Automated analysis
      • Cache extraction
  • Foundational Network Forensics Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
      • Data reduction
      • Useful command-line parameters
    • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis
  • Network Evidence Acquisition
    • Three core types: full-packet capture, logs, NetFlow
    • Capture devices: switches, taps, Layer 7 sources, NetFlow
    • Planning to capture: strategies; commercial and home-built platforms
  • Network Architectural Challenges and Opportunities
    • Challenges provided by a network environment
    • Future trends that will affect network forensics

Module 2: Core Protocols & Log Aggregation/Analysis

Overview

Knowing how protocols appear in their normal use is critical if investigators are to identify anomalous behaviors. By looking at some of the more frequently-used and high-impact network communication protocols, we will specifically focus on the ways in which they can be easily misused by an adversary or a malware author.

Exercises
  • HTTP Profiling
  • DNS Profiling, Anomalies, and Scoping
  • SOF-ELK Log Aggregation and Analysis
Topics
  • Hypertext Transfer Protocol (HTTP) Part 1: Protocol
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • HTTP tracking cookies
    • HTTP/2 artifacts
    • Artifact extraction
  • Hypertext Transfer Protocol (HTTP) Part 2: Logs
    • Log formats
    • Expanded mod_forensic logging
    • Analysis methods
  • Domain Name Service (DNS): Protocol and Logs
    • Architecture and core functionality
    • Tunneling
    • Fast flux and domain name generation algorithms (DGAs)
    • Logging methods
    • Amplification attacks
  • Forensic Network Security Monitoring
    • Network Security Monitoring (NSM) emergence from Intrusion Detection Systems (IDSes)
    • Zeek NSM platform
      • Proactive/live use case
      • Post-incident DFIR use case
      • Logs created and formats used
    • JSON parsing with the “jq” utility
    • Community-ID flow hash value
  • Logging Protocol and Aggregation
    • Syslog
      • Dual role: server and protocol
      • Source and collection platforms
      • Event dissection
      • rsyslog configuration
    • Microsoft Eventing
      • Deployment model and capabilities
      • Windows Event Forwarding
      • Architecture
      • Analysis mode
  • Log Data Collection, Aggregation, and Analysis
    • Benefits of aggregation: scale, scope, independent validation, efficiency
    • Known weaknesses and mitigations
    • Evaluating a comprehensive log aggregation platform
  • Elastic Stack and the SOF-ELK Platform
    • Basics and pros/cons of the Elastic stack
    • SOF-ELK
      • Inputs
      • Log-centric dashboards
      • Use as a data exploration platform

Module 3: NetFlow and File Access Protocols

Overview

NetFlow is an ideal technology for baselining the typical behavior of an environment, and therefore for spotting deviations from that baseline that may suggest malicious actions. Threat hunting teams can also use NetFlow to identify prior connections consistent with newly identified suspicious endpoints or traffic patterns.

Exercises
  • Visual NetFlow Analysis with SOF-ELK
  • Tracking Lateral Movement with NetFlow
  • SMB Session Analysis and Reconstruction
Topics
  • NetFlow Collection and Analysis
    • Origins and evolution
    • NetFlow v5 and v9 protocols
    • Architectural components
    • NetFlow artifacts useful for examining encrypted traffic
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
    • nfcapd, nfpcapd, and nfdump
    • SOF-ELK: NetFlow ingestion and dashboards
  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today’s networks
    • Capture and analysis
    • File extraction
  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v2 and v3

Module 4: Commercial Tools, Wireless, and Full-Packet Hunting

Overview

Commercial tools are an important part of a network forensicator’s toolkit. We’ll explore the various roles that commercial tools generally fill, as well as how they may best be integrated into an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or the budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.

Exercises
  • Automated Extraction with NetworkMiner
  • Using Command-Line Tools for Analysis
  • Network Forensic Analysis Using Moloch
Topics
  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email message
    • Artifacts embedded along the delivery pathway
    • Adaptations and extensions
  • Object Extraction with NetworkMiner
    • Value of commercial tools in a DFIR workflow
    • NetworkMiner
      • Capabilities and user interface
      • Use cases for object extraction
      • Limitations and mitigations
  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Capture methodologies: Hardware and Software
    • Useful protocol fields
    • Typical attack methodologies based on protection mechanisms
  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis and repeatable workflows
    • Libraries that can be linked to custom tools and solutions
    • Chaining tools together effectively
  • Full-Packet Hunting with Moloch
    • Moloch architecture and use cases
    • Methods of ingesting packet data for DFIR workflows
    • Session awareness, filtering, typical forensic use cases
    • Raw packet searching with hunt jobs
    • Enrichment of extracted metadata
    • Custom decoding with CyberChef

Module 5: Encryption, Protocol Reversing, OPSEC, and Intel

Overview

Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Strong encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses even in the most advanced adversaries’ methods. As we learn what the attackers have deliberately hidden from us, we must operate carefully to avoid tipping our hats regarding the investigative progress – or the attacker can quickly pivot, nullifying our progress.

Exercises
  • SSL/TLS Profiling
  • Undocumented Protocol Features
  • Mini-Comprehensive Investigation
Topics
  • Encoding, Encryption, and SSL/TLS
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
    • Profiling SSL/TLS connections with useful negotiation fields
    • Analytic mitigation
    • Perfect forward secrecy
  • Meddler-in-the-Middle (MITM)
    • Malicious uses and their artifacts
    • Benevolent uses and associated limitations
    • Common MITM tools
  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol
  • Investigation OPSEC and Threat Intel
    • Operational Security
      • Basic analysis can tip off attackers
      • How to mitigate risk without compromising quality
    • Intelligence
      • Plan to share smartly
      • Protect intelligence to mitigate risks

Module 6: Network Forensics Capstone Challenge

Exercises
  • Capstone Lab
Topics
  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker’s compromise
      • Identify the attacker’s actions while in the victim’s environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at the end of the day-long lab
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker’s activities

  • Online Classes – Live Virtual Class (L.V.C), Online Training

Related Courses

Windows Forensic Analysis

KEY FEATURES

Flexible Classes Schedule

Online Classes for out of city / country students

Unlimited Learning - FREE Workshops

FREE Practice Exam

Internships Available

Free Course Recordings Videos



ABOUT US

OMNI ACADEMY & CONSULTING is one of the most prestigious training and consulting firms, founded in 2010 under MHSG Consulting Group, with the aim of helping our customers transform their people and business and become more engaged with customers through digital transformation. Helping people get valuable skills and get jobs.


Contact Us

Get yourself enrolled for unlimited learning: 1000+ courses, corporate group training, instructor-led classroom and ONLINE learning options. Join Now!
  • Head Office: A-2/3 Westland Trade Centre, Shahra-e-Faisal PECHS Karachi 75350 Pakistan Call 0213-455-6664 WhatsApp 0334-318-2845, 0336-7222-191, +92 312 2169325
  • Gulshan Branch: A-242, Sardar Ali Sabri Rd. Block-2, Gulshan-e-Iqbal, Karachi-75300, Call/WhatsApp 0213-498-6664, 0331-3929-217, 0334-1757-521, 0312-2169325
  • ONLINE INQUIRY: Call/WhatsApp +92 312 2169325, 0334-318-2845, Lahore 0333-3808376, Islamabad 0331-3929217, Saudi Arabia 050 2283468
  • DHA Branch: 14-C, Saher Commercial Area, Phase VII, Defence Housing Authority, Karachi-75500 Pakistan. 0213-5344600, 0337-7222-191, 0333-3808-376
  • info@omni-academy.com
  • FREE Support | WhatsApp/Chat/Call : +92 312 2169325
WORKING HOURS

  • Monday 10.00am - 7.00pm
  • Tuesday 10.00am - 7.00pm
  • Wednesday 10.00am - 7.00pm
  • Thursday 10.00am - 7.00pm
  • Friday Closed
  • Saturday 10.00am - 7.00pm
  • Sunday 10.00am - 7.00pm