FOR558: Network Forensics

A session at SANS London 2012

  • George Bakos

Enterprises all over the globe are compromised remotely by malicious hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers' fingerprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more.

Forensics 558: Network Forensics will teach you how to follow the attacker's footprints and analyze evidence from the network environment. Every student will receive a VMware SNIFT Virtualized Workstation, a fully loaded, portable forensics virtual workstation designed by network forensics experts and distributed exclusively to Forensics 558: Network Forensics students.

We will begin by diving right into covert tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you'll be extracting tunneled flow data from DNS NULL records and recovering evidence from firewall logs. On day three, we analyze Snort captures and the web proxy cache, and you'll carve cached web pages and images out of the Squid web proxy.

For the last two days, you'll be part of a live hands-on investigation. Working in teams, you'll use network forensics to solve a crime and present your case.

During hands-on exercises, we will use tools such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze, and will have the opportunity to conduct forensic analysis on a variety of devices.

Underlying all of our forensic procedures is a solid forensic methodology. This course complements Forensic and Investigative Essentials (508), using the same fundamental methodology to recover and analyze evidence from network-based devices.

No Hard Drive? No Problem!

A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, web proxy caches, and other sources. In Forensics 558: Network Forensics, you'll learn to track attackers through the network and leverage network evidence to build a strong case.

About the speaker

George Bakos


SANS London 2012

London, England

26th November to 3rd December 2012


Date Mon 26th November 2012
