Course Outline
Module 1: Mastering The Packet Analysis Tools
This module covers the packet analysis tools necessary for network forensics: Wireshark, libpcap, winpcap, the BPF language, tcpdump, tshark, dumpcap, ngrep, tcpflow, pcapcat, tcpxtract, scapy, NetworkMiner and many other packet analysis tools you should know about!
We will also teach the PCAP file format itself, in case you ever need to build your own PCAP parsing tools.
Module 2: Host Analysis
We teach how to analyse logs generated on servers and workstations. Students will learn how to detect and investigate SQL injection attacks, brute forcing, code injection, command injection, path traversal, cross-site scripting, session hijacking, PAM user compromise, Windows privilege escalation, lateral movement across Windows and Linux, and much more!
Module 3: The Advanced Topics
In this module, we go over how to detect advanced network tunneling and reverse-engineer custom network protocols. This includes topics such as ICMP tunnels, DNS tunnels, TCP sequence numbers, Protocol 41, IP fragmentation, secret handshakes, steganography, compression and encryption.
We also explore attack techniques designed to resist take-downs: DGA, domain fronting, peer-to-peer networks, and C&C over popular websites.
Module 4: Network Design & Architecture
We go over best-practice approaches to implementing network security monitoring in corporate, DMZ, cloud and OT networks. We cover which forensic data to capture, how much of it, how to enable logging on Windows and Linux machines, and how to automate data collection and parsing.
Module 5: Theatre Exercises
In the final module, we deploy a randomly generated network and launch semi-automated attack campaigns against it. For a whole day, students are tasked with reviewing as many log files as possible for indicators of attack and compromise and with writing technical threat reports.