About the course
Instructor: Ryan Johnson
Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.
It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking their network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or may even prove useful in definitively proving a crime actually occurred.
FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.
This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.
Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, an on-staff forensic practitioner, or a member of the growing ranks of "threat hunters", this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensic alumni from 500 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without the use of disk or memory images.
The hands-on labs in this class cover a wide range of tools and platforms, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, tcpflow, and more. Newly added tools in the course include the SOF-ELK platform - a VMware appliance pre-configured with the ELK stack. This "big data" platform includes the Elasticsearch storage and search database, the Logstash ingest and parse utility, and the Kibana graphical dashboard interface. Together with the custom SOF-ELK configuration files, the platform gives forensicators a ready-to-use platform for log and NetFlow analysis. For full-packet analysis and hunting at scale, the Moloch platform is also used. Through all of the in-class labs, your shell scripting abilities will also be used to make easy work of ripping through hundreds and thousands of data records.
FOR572 is truly an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS...ONE BYTE (OR PACKET) AT A TIME.
Advanced Network Forensics: Threat Hunting, Analysis and Incident Response Course Topics:
Foundational network forensics tools: tcpdump and Wireshark refresher
Packet capture applications and data
Unique considerations for network-focused forensic processes
Network evidence types and sources
Network architectural challenges and opportunities for investigators
Investigation OPSEC and footprint considerations
Network protocol analysis
Domain Name Service
Hypertext Transfer Protocol
File Transfer Protocol
Simple Mail Transfer Protocol
Commercial network forensic tools
Automated tools and libraries
Open-source NetFlow tools
Capturing wireless traffic
Modes of wireless operation
Useful forensic artifacts from wireless traffic
Common attack methods and detection
Log data to supplement network examinations
Microsoft Windows Eventing
HTTP server logs
Firewalls, Intrusion Detection Systems (IDSes), and Network Security Monitoring (NSM) Platforms
Log collection, aggregation, and analysis
Web proxy server examination
Secure HTTP/Secure Sockets Layer
Deep packet work
Network protocol reverse engineering
FOR572.1: Off the Disk and Onto the Wire
FOR572.2: Core Protocols & Log Aggregation/Analysis
FOR572.3: NetFlow and File Access Protocols
FOR572.4: Commercial Tools, Wireless, and Full-Packet Hunting
FOR572.5: Encryption, Protocol Reversing, OPSEC, and Intel
FOR572.6: Network Forensics Capstone Challenge