3 Days Left to Get an iPad Air w/ Smart Keyboard, Surface Go, or $300 Off with OnDemand or vLive Training thru 8/21!

Munich 2015

Munich, Germany | Mon, Feb 23, 2015 - Sat, Mar 7, 2015
This event is over,
but there are more training opportunities.

FOR572: Advanced Network Forensics and Analysis Waitlist

Mon, March 2 - Sat, March 7, 2015

I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results.

Charlie H.

This class is immediately applicable to my work environment.

Thomas Heffron

Take your system-based forensic knowledge onto the wire, incorporate network evidence into your investigations, provide better findings, and get the job done faster.

Forensic casework that does not include a network component is a rarity in today's environment. Performing disk forensics will always be a critical and foundational skill, but overlooking the network component of today's computing architecture is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, a data theft case, or an employee misuse scenario, the network often has an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent or even definitively prove that a crime actually occurred.

FOR572: ADVANCED NETWORK FORENSICS AND ANALYSIS was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. The course focuses on the knowledge necessary to expand the forensic mindset from residual data on the storage media of a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.


This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave the course with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We will also cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence, as well as how to place new collection platforms while an incident is already under way. Whether you are hunting for previously unidentified compromises or focusing efforts on a specific incident response activity, this course will equip you with the knowledge needed to find attackers, characterize their actions, quantify data loss, and more.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, or an on-staff forensic practitioner, this course offers the hands-on experience with real-world scenarios to take your skills to the next level. Previous SANS Security curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS FOR408 and FOR508 alumni will be able to take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without any convenient hard drive or memory images.

The hands-on exercises in this course cover a wide range of tools, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, Logstash, and more. During all of these exercises, your shell scripting abilities will come in handy to make easy work of ripping through thousands of data records. The cornerstone of our analysis platform includes a custom version of the SANS SIFT Workstation Virtual Machine, built with Network Forensic tools to guide you through the in-class exercises, capstone challenge, and typical tasks you will encounter in network forensic casework.

FOR572 is truly an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between.


Advanced Network Forensics and Analysis Course Topics

  • Foundational network forensic tools: tcpdump and Wireshark refresher
  • Packet capture applications and data
  • Considerations between disk-based and network-based forensics
    • Network evidence types and sources
    • Network architectural challenges and opportunities for investigators
    • Investigation OPSEC and footprint considerations
  • Network protocol analysis
    • Dynamic Host Configuration Protocol and Domain Name System
    • Hypertext Transfer Protocol
    • File Transfer Protocol
    • Network Time Protocol
    • Microsoft protocols
    • Simple Mail Transfer Protocol
  • Commercial network forensic tools
  • Automated tools and libraries
  • NetFlow
    • Introduction
    • Collection approaches
    • Open-source NetFlow tools
  • Visualization tools and techniques
  • Wireless networking
    • Capturing wireless traffic
    • Identifying clients susceptible to fake-access-point-based, man-in-the-middle attacks
    • Detecting fake access points and the client(s) they attacked
  • Log data to supplement network examinations
    • Syslog
    • Microsoft eventing
    • HTTP server logs
    • Firewall and intrusion detection system
    • Log collection, aggregation, and analysis
    • Web proxy server examination
  • Encryption
    • Introduction
    • Man-in-the-middle
    • Secure HTTP/Secure Sockets Layer
    • Encrypted traffic flow analysis
  • Deep packet work
    • Network protocol reverse engineering
    • Payload reconstruction


Course Syllabus

George Bakos
Mon Mar 2nd, 2015
9:00 AM - 5:00 PM


Focus: Although many concepts of network forensics are similar to those of any other digital forensic investigation, the network presents many nuances that require special attention. On the first day of the course, you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.

Network data can be preserved, but only if captured directly from the wire. Whether tactical or strategic, packet capture methods are quite basic. You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. In this course, you will learn which types of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then go hands-on to find and extract stolen data from the proxy yourself.

The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.

  • Installing Linux SIFT Workstation and Review Network Forensic Tool Additions
  • Hands-on tcpdump and Wireshark
  • Carving Exfiltrated File from Packet Logs

CPE/CMU Credits: 6

  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions - commercial and open source
    • Squid proxy server
      • Configuration
      • Logging
      • Automated analysis
      • Cache extraction
  • Payload Reconstruction
    • Encapsulation and decapsulation methods
    • Session reconstruction for common protocols: TCP and HTTP
  • Foundational Network Forensic Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
    • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis
  • Network Evidence Types and Sources
    • Capture devices: hubs, taps, NetFlow
    • Logs as ancillary evidence sources
  • Network Architectural Challenges and Opportunities
    • Acquisition methods
      • Switches and monitor ports
      • Network taps
      • Wireless
    • Challenges provided by a network environment
    • Future trends that will affect network forensics
  • Packet Capture Applications and Data
    • Ephemeral nature of network data
    • libpcap storage format
    • Components of network acquisition strategies
      • Project management
      • Planning
      • Commercial solutions
      • Home-grown platforms
    • High-level analysis tools and utilities

George Bakos
Tue Mar 3rd, 2015
9:00 AM - 5:00 PM


FOCUS: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations.

Just as photos from high-altitude reconnaissance aircraft and satellites are instrumental in national policy decisions, NetFlow data can provide a network investigator with broad, but extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed (and labor-intensive) investigative activities.

In this section, you will learn what data items NetFlow can provide and the various means of collecting those items. As with many such monitoring technologies, both commercial and open-source solutions exist to query and examine NetFlow data. We will review both categories and discuss the benefits and drawbacks of each.

In the same vein, presenting concise findings from extremely large data sources is an important skill. A network forensicator should be able to aggregate and visually present findings, especially when faced with a years-long compromise incident. Findings supported by visualizations can provide a much clearer picture than words alone.

  • NetFlow Analysis
  • Identifying Lateral Movement
  • Commercial Network Forensic Tools
  • Visualizing NetFlow Data

CPE/CMU Credits: 6

  • NetFlow Analysis and Collection
    • Origins and evolution
    • NetFlow protocol
    • Architectural components
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
      • nfcapd and nfdump
      • nfsen
      • SiLK
  • Commercial Network Forensics
    • Common commercial platforms that you may encounter
    • Using existing platforms and tools in a client environment
    • Trade-offs between commercial and open-source solutions
  • Visualization Techniques and Tools
    • Making big data sources easily digestible
    • Visually identifying trends and outliers
  • Dynamic Host Configuration Protocol (DHCP) and Domain Name Service (DNS)
    • DHCP
      • Lease/re-lease process
      • Server configuration
      • Server logging
    • DNS
      • Architecture and core functionality
      • Tunneling
      • Fast flux

George Bakos
Wed Mar 4th, 2015
9:00 AM - 5:00 PM


Focus: Network protocols are the foundation upon which all network communications build. Without an understanding of how the most fundamental protocols behave, further examination and investigation is impossible. More importantly, without honing the skills necessary to learn new protocols, the network forensicator will be unprepared going forward in this rapidly evolving field.

This section covers some of the most common and fundamental network protocols that you will likely face during an investigation. We will look at a broad range of protocols, including the Dynamic Host Configuration Protocol, which "glues" together layers two and three on the OSI model, and Microsoft's Remote Procedure Call Protocol, which provides all manners of file, print, name resolution, authentication, and other services.

While no single course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way. The "learn how to learn" skill is critical, as new protocols are developed every day. Advanced adversaries develop their own protocols, too, and as you will see later in this course, successfully understanding and counteracting an adversary's undocumented protocol is similar to learning the protocols you will see in this section.

Finally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examination, as well as what interesting artifacts are recoverable from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be revealed, including how attackers can leverage those weaknesses during an attack, and how they can be detected.

  • HTTP Profiling
  • Wireless Packet Analysis: Analysis of a Wireless Capture
  • Documenting SMB Session from pcap

CPE/CMU Credits: 6

  • Hypertext Transfer Protocol (HTTP)
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • Monkey wrenches
    • Artifact extraction
  • Network Time Protocol (NTP)
    • Protocol fundamentals
    • Use in investigations (*NIX and Windows)
    • Protocol dissection
  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today's networks
    • Capture and analysis
  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Capture methodologies
    • Useful protocol fields
    • Inherent weaknesses
  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email
    • Adaptations and extensions
  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v1, v2, and v3
    • Sharepoint and internal websites

George Bakos
Thu Mar 5th, 2015
9:00 AM - 5:00 PM


Focus: Full-packet capture evidence is often unavailable. Even when it is, the period of coverage rarely extends past a few weeks. Incidents frequently go undiscovered for months or years, so we must turn to what evidence does exist to characterize the network activity around the time of the original compromise. Existing infrastructure assets can also be reconfigured to gather more or higher fidelity evidence during an incident response.

Log data are one of the unsung heroes in the realm of network forensics. While full-packet capture provides near-perfect knowledge, it still has several shortfalls. First, it is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. Second, when network capture systems are in use, they quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks.

Understanding log data and how they can guide the investigative process is an important skill for a network forensicator. Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture. In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. We will examine various ways to accomplish this, from tactical to enterprise scale.

Another benefit available in the network domain of incident response is the ability to repurpose infrastructure devices so they will better serve an ongoing investigation. When properly executed, this practice becomes an invaluable component in the incident response cycle. As incident responders acquire intelligence, they tune collections to better track the adversary's actions, which then begets better intelligence. This process requires special care, however, because interaction with active devices can create additional network traffic, and therefore, additional source evidence. As in many forensic processes, the key is to take measured steps, make minimal changes, and keep detailed documentation of each step.

Finally, the network domain provides some significantly different challenges than the traditional computer forensic domain. The process of analysis and research is an active one - simply looking up a domain name from a log file can alert an attacker to the status of a response team's investigation. You will learn which types of activities should be avoided and which can be mitigated to better ensure operational security.

  • Parse Search Terms from HTTP URLs
  • Retrieving Firewall and IDS Configuration and Logs
  • Log Aggregation and Analysis

CPE/CMU Credits: 6

  • Syslog
    • Dual role: server and protocol
    • Source and collection platforms
    • Event dissection
    • rsyslog configuration
    • Protocol dissection
  • Microsoft Eventing
    • History and capabilities
    • Eventing 6.0
      • Architecture
      • Analysis model
  • HTTP Server Logs
    • Log formats
    • Methods, return codes, additional headers
    • Analysis methods
  • Firewall and Intrusion Detection Systems
    • Repurposing infrastructure for investigations
    • Firewalls
      • Families of firewall solutions
      • Additional features
      • Syntax and log formats
      • iptables
        • Packet flow process
        • iptables as an intelligence tool
    • Intrusion Detection Systems
      • Rules and signatures
      • Families of IDS solutions
      • Snort
        • Configuration
        • Logging
  • Investigation OPSEC and Footprint Considerations
    • Operational Security
      • Basic analysis can tip off attackers
      • How to minimize risk without compromising quality
    • Footprint
      • Live collection risks and mitigations
      • Deliberate modification within the environment
  • Log Data Collection, Aggregation, and Analysis
    • Benefits of aggregation: scale, scope, independent validation, efficiency
    • Known weaknesses and mitigations
      • Reliability
      • Queuing
      • Security
    • SIEM tools
      • Splunk
      • ELSA
      • Logstash

George Bakos
Fri Mar 6th, 2015
9:00 AM - 5:00 PM


Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Although sound encryption methods are readily available and custom protocols are easy to develop and employ, there are still weaknesses in the methods of even the most advanced adversaries.

Encryption is frequently cited as the most significant hurdle to effective network forensics - and for good reason. When effectively implemented, encryption can constitute a brick wall between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. This section of the course will discuss the basics of encryption, how to approach it during an investigation, and how to use flow analysis to characterize encrypted conversations.

In addition, this section addresses how network forensicators can rebuild fragmented payloads in order to reconstruct original communication streams. We will then address undocumented protocols and how to derive intelligence value with limited or nonexistent knowledge of the protocol.

Finally, we will discuss how to pivot labor-intensive tasks into scalable solutions through automation. Whether chaining single-use tools together to create an end-to-end solution or developing a new tool using various existing forensically minded libraries, you can apply these methods as easily to terabytes of live-source data as to a 2-gigabyte pcap file.

  • SSL Inspection
  • Identifying Undocumented Protocol Features
  • Using Command Line Tools for Analysis
  • Network Forensic Analysis Using Xplico
  • Mini-Comprehensive Investigation: Using NetFlow to Identify Data Loss Session, Using pcap to Reverse Protocol, Extracting Original Files, and Decrypting SSL Communications

CPE/CMU Credits: 6

  • Dealing with Encoding and Encryption
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
  • Secure HTTP (HTTPS) and Secure Sockets Layer (SSL)
    • Useful fields from secure negotiation process
    • Typical SSL uses other than HTTPS
  • Man-in-the-Middle
    • Methods to accomplish
    • Benevolent uses
    • Common MITM tools
  • Encrypted Traffic Flow Analysis
    • Baselining behavior to identify anomalies
    • Flow data points useful for encrypted traffic
  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol
  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis
    • Chaining tools together effectively
    • Libraries that can be linked to custom tools and solutions

George Bakos
Sat Mar 7th, 2015
9:00 AM - 5:00 PM


Focus: This section will combine all of what you have learned prior to and during this week in a challenging capstone exercise. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available - only the network and its infrastructure.

Students will present their findings at each stage of the exercise. This will test their understanding of the evidence and their ability to articulate and support their hypotheses. The audience will include senior-level decision-makers, so all presentations must include executive summaries, as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.

  • Capstone Exercise

CPE/CMU Credits: 6

  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker's compromise
      • Identify the attacker's actions while in the victim's environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at each stage of the exercise
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker's activities
      • Time permitting, provide recommendations on how the victim can prevent, detect, or mitigate a repeat compromise by the same or another similarly advanced attacker

Additional Information


You can use any 64-bit version of Windows, Apple OSX, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine can run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, see this article for good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 10, VMware Fusion 6.0, or VMware Player 6.0 or higher versions on your system prior to beginning the course. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course. Please note that other virtualization software is not supported in the lab environment, and may not successfully run the supplied virtual machines.


  • CPU: 64-bit Intel x64 2.0+ GHz processor or higher-based system is mandatory for this class. (Important - Please Read: a 64-bit system processor is mandatory!) Test your VMware Software before coming to class. Some BIOS configurations may require special settings (such as "VT-x" and/or "no-execute memory protection") to allow virtualization. You should also have administrative access to your BIOS, in case changes are needed when in class.
  • RAM: 8 GB (gigabytes) of RAM minimum.
  • Host Operating System: Any version of Windows or Apple OSX that can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Students who use Linux hosts are warned that the wide variety of Linux distributions prohibits testing our exercises on this platform - that is, your mileage may vary. Those who use a Linux host must be able to access ExFAT partitions using the appropriate kernel or FUSE modules.
  • Networking: Wireless 802.11 B, G, or N
  • Hardware:
    • USB 2.0 or higher port(s) (Note: Some endpoint protection software prevents the use of USB devices = test your system with a USB drive before class to ensure you can load the course data)
    • 200 gigabyte host system hard-drive minimum
    • ~80 gigabytes of free space on your system hard drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)


Install the following prior to the beginning of the course:


  • Bring/install any other forensic tools you feel could be useful (Maltego, NetWitness, etc.). For the final challenge at the end of the course, you can use any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, etc., you are free to use them.
  • Although SANS is not responsible for the security of your personal effects, you might want to consider bringing a laptop lock.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Incident response team members who are expanding their investigative scope from endpoint systems to the network.
  • Law enforcement officers, federal agents, and detectives who want to become network forensic subject-matter experts.
  • Information security managers who need to understand network forensics in order to manage risk, convey information security implications, prepare for potential litigation-related issues, and manage investigative teams.
  • Network defenders who are taking on added investigative and/or incident response workloads.
  • Information technology professionals who want to learn how network investigations take place.
  • Network engineers who are proactively orienting their networks to best meet investigative requirements.
  • Information technology lawyers and paralegals who want a formal education in network forensics and investigations.
  • Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security.
  • Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensic and incident response tools prebuilt into the environment, including network forensic tools added just for this course.
  • A Virtual Machine running an appliance-like installation of the Logstash parsing engine, including ElasticSearch storage backend and the Kibana frontend with dashboard interfaces designed specifically to provide efficient and effective interaction with NetFlow and typical log data used in Network Forensics.
  • Realistic case data to examine during class from multiple sources, including:
    • Network captures in pcap format.
    • NetFlow data.
    • Web proxy, firewall, and intrusion detection system logs.
    • Network service logs.
  • 64GB USB disk loaded with case examples, tools, and documentation.
  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations.
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping.
  • Reverse engineer custom network protocols to identify attackers' command-and-control abilities and actions.
  • Decrypt captured SSL traffic to identify attackers' actions and what data they extracted from the victim.
  • Use data from typical network protocols to increase the fidelity of the investigation's findings.
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture.
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation.
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past.
  • Learn how attackers leverage man-in-the-middle tools to intercept seemingly secure communications.
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems.
  • Analyze wireless network traffic to find evidence of malicious activity.
  • Use visualization tools and techniques to distill vast, complex data sources into management-friendly reports.
  • Modify configuration on typical network devices, such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation.
  • Apply the knowledge you acquire during the week in a full-day capstone exercise, modeled after real-world nation-state intrusions.

"I feel like I have won the lottery with the wealth of information from this week! Very relevant and applicable. I have already started using in our environments with results." - Charlie H.

"This is an incredible curriculum. This class NEEDED to happen and I am glad it did." - Peter Steinmann

"Cutting edge - puts me ahead in the job market." - Anonymous

"Very good real-world material." - Jason Lawrence

"Great resource. Only true network forensics course I know of." - Jeremy Robbins

"If you are into disk/memory forensics, you will need this, too!" - Wouter Jansen

"This class is immediately applicable to my work environment." - Thomas Heffron

"No FLUFF - focused and targeted learning!" - Jackie Stokes

"Awesome! Best SANS course I have taken!" - Jim Horvath

"Although FOR572 is a network forensics class, it gets exactly right what most incident response courses get wrong. Instead of focusing on specific exploits and malware that quickly become outdated, 'Advanced Network Forensics' taught me about the full range of evidence sources available and how to effectively mine them for clues. Even more importantly, FOR572 taught me how to use different evidence sources to fill in missing gaps. This is critical, as most environments or incidents will not have every type of evidence available. A large scale APT breach will not have full packet capture available for what could be over a year of attacker activity, but making effective use of network log files can fill in those gaps. It also dove into advanced topics like analyzing unknown protocols, which is an important skill when dealing with the ever-evolving landscape of malware and odd but legitimate applications. Finally, the network forensics capstone investigation is a small but realistic simulation of an APT breach. Having to perform a realistic investigation under the pressure of limited in-class hours felt much like the pressures of investigating a live incident under the pressure of stopping ongoing data theft. It is an excellent class, and I would definitely recommend it to anyone wanting to bring their IR skills to the next level." - Alexander Bond, Mandiant

"The SANS Institute is currently the leader in the commercial IR and computer forensic training market. They have a large number of quality courses." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014

"SANS Institute has many valuable assets - Phil Hagen is one of them." - Anonymous

"Loving the detailed and mutli-layered labs. I have been doing the walkthroughs for time sake but will revisit in depth later." - Anonymous

"FOR572 - next step in developing top notch incident response and network analysis professionals." - Tom L.

"Phil shared an example with pastesite.com extracting cached content and identifying and extracting a GZIP file. These practical analysis examples I think are extremely valuable." - Anonymous

"Material is directly relevant to what our analysts are doing daily. Highly useful." - Tom L.

Author Statement

When I first became interested in computer and network security in the mid-1990s, the idea of 'attacking' another computer network was a concept still firmly in science fiction. Today, commercial, governmental, military, and intelligence entities have robust, integrated information security processes. Within the forensic community, developments have shown us the agility we need to remain effective in the face of dynamic adversaries. Disk-based forensic practices will remain the keystone of digital forensics for the foreseeable future - after all, events ultimately occur on endpoints. Memory forensics has formalized how we address the components of a compromised system that avoid the disk.

We created FOR572: Advanced Network Forensics and Analysis to address the next domain of digital forensics. Many enterprises have grown to the scale that identifying which endpoints to examine is a significant challenge and the network has become its own medium for incident response and investigation. Our ability to use evidence from all kinds of network devices, as well as from captured network data itself will be critical to our success in addressing threats today and tomorrow. From low-grade 'script kiddie' attacks to long-term, strategic state-sponsored espionage activity, the network is one of the few common elements found throughout the lifecycle of an incident. FOR572 will provide you with the tools and methods to conduct network investigations within environments of all sizes, using scenarios developed from real-world cases. The course will provide you with valuable knowledge you will be able to use the first day back on the job, and with methodologies that will help address the next generations of adversaries' capabilities.

- Phil Hagen

We wrote FOR572 as the class we wish we had when we were entering the field of network forensics and investigations - a class that not only provides background when needed, but is primarily tailored toward finding evil by using multiple data sources and performing a full-scope investigation. I am confident this course provides the most up-to-date training covering topics both old and new, based on real-life experiences and investigations. When I started my career in computer security, the term 'advanced persistent threat' was unknown, yet I had personally recovered terabytes of data obtained from both commercial and government networks. The biggest cybersecurity threat in the news was the latest worm that would propagate through unsuspecting systems and cause more of a nuisance than actual destruction. What became known as the Russian Business Network was not even around yet. Network security monitoring was still in its infancy, with very little formal documentation or best practices. Most of what was available was geared toward system administrators. But the Internet has continued to expand, we have all become more interconnected, and the threat against our networks continues to grow.

- Mat Oldham

Listen to Phil discuss "IT'S ALIVE!!! Investigating with Network-based Evidence" in this SANS webcast that every DFIR professional should listen to.