Definitive network forensics for engineers | A 3 day hands on training course

Network forensics training course description

This course studies network forensics—monitoring and analysis of network traffic for information gathering, intrusion detection and legal evidence. We focus on the technical aspects of network forensics rather than other skills such as incident response procedures. Hands on sessions follow all the major sections.

What will you learn
  • Recognise network forensic data sources.
  • Perform network forensics using:
    Log analysis
  • Describe issues such as encryption.

Network forensics training course contents

  • What is network forensics?
  • What it is, host vs network forensics, purposes, legal implications, network devices, network data sources, investigation tools.
    Hands on whois, DNS queries.

  • Host side network forensics
  • Services, connections tools.
    Hands on Windows services, Linux daemons, netstat, ifconfig/ipconfig, ps and Process Explorer, ntop, arp, Resource Monitor.

  • Packet capture and analysis
  • Network forensics with Wireshark, Taps, NetworkMiner.
    Hands on Performing Network Traffic Analysis using NetworkMiner and Wireshark.

  • Attacks
  • DoS attacks, SYN floods, vulnerability exploits, ARP and DNS poisoning, application attacks, DNS ANY requests, buffer overflow attacks, SQL injection attacks, attack evasion with fragmentation.
    Hands on Detecting scans, using nmap, identifying attack tools.

  • Calculating location
  • Timezones, whois, traceroute, geolocation, Wi-Fi positioning.
    Hands on Wireshark with GeoIP lookup.

  • Data collection
  • NetFlow, sFlow, logging, Splunk, Splunk patterns, GRR, HTTP proxies.
    Hands on NetFlow configuration, NetFlow analysis.

  • The role of IDS, firewalls and logs
  • Host based vs network based, IDS detection styles, IDS architectures, alerting. Snort. syslog-ng. Microsoft Log Parser.
    Hands on syslog, Windows Event Viewer.

  • Correlation
  • Time synchronisation, capture times, log aggregation and management, timelines.
    Hands on Wireshark conversations.

  • Other considerations
  • Tunnelling, encryption, cloud computing, Tor.
    Hands on TLS handshake in Wireshark.


This is a new course

The ratings below are based on general customer ratings

R. L. - Geant

"Very good with deep product knowledge."

R. C. - NetDev

"Enjoyable course, good week. Clarified things very well for me."

Training approach

This structured course uses Instructor Led Training to provide the best possible learning experience. Small class sizes ensure students benefit from our engaging and interactive style of teaching, with delegates encouraged to ask questions throughout the course. Quizzes follow each major section to check learning. Hands on sessions are used throughout to allow delegates to consolidate their new skills.