SECURITY 558

Want to analyze DNS tunnel traffic? Carve cached Web pages out of central Squid proxies? Extract JPGs and GIFs from Snort packet captures for forensic investigations?

Network equipment such as Web proxies, firewalls, IDS, routers, and even switches contains evidence that can make or break a case. In SEC558, you'll learn how to recover evidence from network-based devices and use it to build your case.

The first day we dive right into DNS tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you'll be extracting tunneled flow data from DNS NULL records and extracting evidence from firewall logs. On day three, we analyze Snort captures and the Web proxy cache. You'll carve out cached Web pages and images from the Squid web proxy.

For the last two days, you'll be part of a live, hands-on investigation. Working in teams, you'll use network forensics to solve a crime and present your case.

During hands-on exercises we will use tools, such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark, to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.

Underlying all of our forensic procedures is a solid forensic methodology. This course complements Computer Forensics, Investigation, and Response (SEC508), using the same fundamental methodology to recover and analyze evidence from network-based devices.

A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, Web proxy caches, and other sources. Network Forensics (SEC558) teaches students how to follow the attacker's footprints and analyze evidence throughout the network environment.

Computer Forensics Course Prerequisites

Students should have some familiarity with basic networking fundamentals, such as the OSI model and basics of TCP/IP. Please ensure that you can pass the SANS TCP/IP & Hex Knowledge quiz. Students should also have basic familiarity with Linux or willingness to learn in a Linux-based environment. This course is particularly recommended for students who have previously attended either Security 508 or 503.

You Will Receive with this Course

Free 10" Mini Laptop preloaded with Network Forensics Tools

As a part of this course you will receive a SANS Network Investigative Forensics Toolkit (SNIFT). With your SNIFT Kit, you will gain first-hand experience in collecting and analyzing evidence recovered from a network under investigation - and you can take it home with you!

The SNIFT Kit consists of:

  • Lenovo IdeaPad S10 - 10" Mini Laptop!
  • SANS VMware-based Forensic Analysis Network, complete with:
      • Squid Web Proxy
      • Firewall
      • Snort IDS
      • Web Servers
      • DNS server
      • DHCP server
      • ...and more!

SANS Network Forensic Workstation, installed with:

  • Packet Tools (tcpdump, Wireshark, ngrep, tcpxtract and others)
  • Log Analysis Tools (Splunk, squidview, and more)
  • Custom-written tools from the Network Forensics community (pcapcat, oftcat, and more)
  • Course Netbook loaded with case examples!

Who should attend:

  • Network and/or computer forensic examiners
  • Computer incident response team members
  • Security architects
  • Security administrators
  • Law enforcement
  • Anyone responsible for orchestrating a corporate or government network for evidence acquisition in the face of a criminal or civil investigation



SECURITY 558 Upcoming Events

Event                              Location         Dates                        Delivery Method
Community SANS Forensics DC 2010   Alexandria, VA   Feb 22, 2010 - Feb 26, 2010  Community SANS
SANS 2010                          Orlando, FL      Mar 06, 2010 - Mar 15, 2010  Live Event

"This is awesome! We're seeing details that most people don't even know exist" - John Wright, Info Tech, Inc.
"The class provided in-depth, real world, hands-on information" - Robert Dale Drollinger, General Dynamics
SANS Institute