NOTE: This course has recently changed from the SECURITY discipline to the new FORENSICS discipline. All content remains the same.
Want to analyze DNS tunnel traffic? Carve cached Web pages out of central Squid proxies? Extract JPGs and GIFs from Snort packet captures for forensic investigations?
Network equipment such as Web proxies, firewalls, IDS, routers, and even switches contain evidence that can make or break a case. In SEC558, you'll learn how to recover evidence from network-based devices and use it to build your case.
The first day we dive right into DNS tunnel analysis, DHCP log examination, and sniffing traffic. By day two, you'll be extracting tunneled flow data from DNS NULL records and extracting evidence from firewall logs. On day three, we analyze Snort captures and the Web proxy cache. You'll carve out cached Web pages and images from the Squid web proxy.
For the last two days, you'll be part of a live, hands-on investigation. Working in teams, you'll use network forensics to solve a crime and present your case.
During hands-on exercises we will use tools such as tcpdump, Snort, ngrep, tcpxtract, and Wireshark to understand attacks and trace suspect activity. Each student will be given a virtual network to analyze and will have the opportunity to conduct forensic analysis on a variety of devices.
Underlying all of our forensic procedures is a solid forensic methodology. This course complements Computer Forensics, Investigation, and Response (SEC508), using the same fundamental methodology to recover and analyze evidence from network-based devices.
A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, Web proxy caches, and other sources. Network Forensics (SEC558) teaches students how to follow the attacker's footprints and analyze evidence throughout the network environment.
Computer Forensics Course Prerequisites
Students should have some familiarity with basic networking fundamentals, such as the OSI model and basics of TCP/IP. Please ensure that you can pass the SANS TCP/IP & Hex Knowledge quiz. Students should also have basic familiarity with Linux or willingness to learn in a Linux-based environment. This course is particularly recommended for students who have previously attended either Security 508 or 503.
You Will Receive with This Course
Free 10" Mini Laptop preloaded with Network Forensics Tools
As a part of this course you will receive a SANS Network Investigative Forensics Toolkit (SNIFT). With your SNIFT Kit, you will gain first-hand experience in collecting and analyzing evidence recovered from a network under investigation - and you can take it home with you!
The SNIFT Kit consists of:
- Lenovo IdeaPad S10 - 10" Mini Laptop!
- SANS VMware-based Forensic Analysis Network, complete with:
  - Squid Web Proxy
  - Firewall
  - Snort IDS
  - Web Servers
  - DNS server
  - DHCP server
  - ...and more!
- SANS Network Forensic Workstation, installed with:
  - Packet Tools (tcpdump, Wireshark, ngrep, tcpxtract and others)
  - Log Analysis Tools (Splunk, squidview, and more)
  - Custom-written tools from the Network Forensics community (pcapcat, oftcat, and more)
- Course Netbook loaded with case examples!
Who should attend:
- Network and/or computer forensic examiners
- Computer incident response team members
- Security architects
- Security administrators
- Law enforcement
- Anyone responsible for orchestrating a corporate or government network for evidence acquisition in the face of a criminal or civil investigation
Author Statement
Computer forensics has traditionally focused on file recovery and filesystem analysis performed against system internals or seized storage devices. However, the hard drive is only half the story. These days, evidence almost always traverses the network and sometimes is never stored on a hard drive at all.
Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable to the investigator, and this data can only be acquired from network-based devices.
The payload inside the packet at the highest layer may end up on disk, but the envelope that got it there is only captured in the network traffic. Network forensics can reveal evidence that is crucial to building a case.