Lethal Network Forensics
LETHAL NETWORK FORENSICS focuses on expanding your forensic mindset to include transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still had to communicate over the network. Without command-and-control and data exfiltration channels, the value of a compromised computer system drops to almost zero. Whether your threats include nation-state actors, insider threats, script kiddies, or other online miscreants, the knowledge acquired in this course ensures you are prepared to face such dynamic adversaries in a rapidly changing environment.
This course provides you with the skill set necessary to investigate a compromised network environment or design solutions for an existing environment that will minimize the time and cost necessary to investigate a potential compromise in the future. We use hands-on exercises derived from real-world attacks to ensure you are prepared to address the threats that every Internet-facing network faces daily. Because the ephemeral nature of network-based data means that raw packet captures are not always available for analysis, we also discuss how to glean insight into past network activities from the variety of log data created by various infrastructure devices that operate on a typical network.
The material covers low-level packet capture approaches as well as techniques that use high-level data (flows and logs) for scoping a compromise, identifying attack traffic, and rooting out network-based data theft. Students use a wide range of tools, including tcpdump, Wireshark, nfdump, Logstash, hex editors, visualization tools, and more.
Students receive the Linux-based SIFT Workstation, with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course. Using only open-source tools, we show how you can effectively conduct network investigations covering a wide range of attack profiles.
Section 1: Day 1
On day one, we will start with a brief review on how the network forensic discipline has evolved from its roots in the broader field of computer forensics. Students will learn about the different approaches necessary when investigating a live environment, including how to prevent introducing unintended data to the environment and how to avoid tipping off an attacker about the investigation. We will cover the means of acquiring network data and the formats used to store it, as well as how developers can extend tools' functionality and build custom features using standardized software libraries. We will also conduct a step-by-step review of an incident using evidence only from a web proxy server. Finally, we will address the use of NetFlow data, historically used for network management and optimization, as a means to quickly establish a high-level understanding of network incidents.
CPE/CMU Credits: 6
Foundational Network Forensics Tools: tcpdump and Wireshark
Network Evidence Sources and Types
Packet Capture Applications and Data
Automated Tools and Libraries
Web Proxy Server Examination
Introduction to NetFlow
NetFlow Collection Approaches
Open-Source Flow Tools
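NetFlow records carry no payload, but the who-talked-to-whom-and-how-much they do carry is usually enough to scope an incident quickly. The script below is an added illustration, not course material or code from any of the tools named above: it parses constructed flow records in a CSV layout loosely modeled on nfdump's CSV output (the column names, the 10.0.0.0/8 "internal" range, and the thresholds are assumptions), ranks external destinations by bytes sent out of the network, and flags host/port pairs whose connection start times are almost evenly spaced, a cheap heuristic for automated beaconing.

```python
"""Summarize NetFlow-style records for a high-level view of an incident:
top external destinations by bytes sent out, plus host/port pairs whose
flows recur at suspiciously regular intervals (beaconing heuristic)."""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (not real data). Columns loosely follow nfdump's
# CSV names: start time, duration, protocol, src/dst address and port,
# input packets, input bytes.
SAMPLE_FLOWS = """\
ts,td,pr,sa,sp,da,dp,ipkt,ibyt
2013-04-02 09:00:01,0.4,TCP,10.1.1.20,49152,203.0.113.5,443,8,1200
2013-04-02 09:05:02,0.3,TCP,10.1.1.20,49161,203.0.113.5,443,7,1150
2013-04-02 09:10:01,0.5,TCP,10.1.1.20,49170,203.0.113.5,443,9,1300
2013-04-02 09:15:02,0.4,TCP,10.1.1.20,49180,203.0.113.5,443,8,1180
2013-04-02 09:20:01,0.3,TCP,10.1.1.20,49188,203.0.113.5,443,8,1220
2013-04-02 09:03:17,12.0,TCP,10.1.1.31,50001,198.51.100.9,80,120,65000
2013-04-02 09:41:55,2.1,TCP,10.1.1.31,50077,198.51.100.9,80,30,9000
2013-04-02 11:12:08,880.0,TCP,10.1.1.44,51000,203.0.113.77,22,4100,5200000
2013-04-02 09:30:00,0.1,UDP,10.1.1.20,53411,10.1.1.2,53,1,80
"""

# Assumed address space of the monitored network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse CSV rows into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S"),
            "td": float(row["td"]),
            "pr": row["pr"],
            "sa": row["sa"], "sp": int(row["sp"]),
            "da": row["da"], "dp": int(row["dp"]),
            "ipkt": int(row["ipkt"]), "ibyt": int(row["ibyt"]),
        })
    return flows


def outbound(flows):
    """Keep only flows from an internal source to an external destination."""
    return [f for f in flows
            if ipaddress.ip_address(f["sa"]) in INTERNAL
            and ipaddress.ip_address(f["da"]) not in INTERNAL]


def top_talkers(flows, n=3):
    """(src, dst) pairs ranked by bytes sent from inside to outside."""
    totals = defaultdict(int)
    for f in outbound(flows):
        totals[(f["sa"], f["da"])] += f["ibyt"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def beacon_candidates(flows, min_flows=4, max_jitter=0.1):
    """(src, dst, dport) triples whose flow start times are nearly evenly
    spaced. jitter = pstdev(gaps) / mean(gaps); values near 0 look automated.
    Returns (key, flow_count, mean_gap_seconds, jitter)."""
    by_key = defaultdict(list)
    for f in outbound(flows):
        by_key[(f["sa"], f["da"], f["dp"])].append(f["ts"])
    results = []
    for key, times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            results.append((key, len(times), round(mean, 1), round(jitter, 3)))
    return results


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for pair, nbytes in top_talkers(flows):
        print("top talker", pair, nbytes)
    for entry in beacon_candidates(flows):
        print("beacon candidate", entry)
```

On the sample data the SSH session from 10.1.1.44 dominates bytes out, and 10.1.1.20 shows five HTTPS connections to the same host at five-minute intervals with jitter near zero; both are leads to pull full packet captures for, not verdicts. Real beacons add random sleep, so raise max_jitter or use inter-arrival histograms before trusting this on production flows.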
Section 2: Day 2
During the second day, we will cover how to use visualization tools to provide overviews of large data sets and quickly identify leads for further investigation. We will also identify how HTTP server logs can provide key insights to an attacker's actions on a compromised server or as they conduct reconnaissance against their targets. Log data from firewalls and intrusion detection systems can also be leveraged because these devices are so ubiquitous in today's network environments. Given the varied sources and formats of log data, we will also cover how to effectively aggregate and analyze such data in a way that efficiently furthers the investigation. Finally, we will discuss some of the solutions available from the commercial software market that may be present in a victim environment or be worth considering for your own applications.
CPE/CMU Credits: 6
Visualization Techniques and Tools
HTTP Server Logs
Firewall and Intrusion Detection Systems
Log Data Collection, Aggregation, and Analysis
Commercial Network Forensics
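Web server logs are often the only record of an attacker's reconnaissance that survives, because probing for admin panels, backup files, and exposed repositories shows up as bursts of 404s from one client long before any exploit lands. The following script is an added example, not course material: it parses constructed Apache/NGINX combined-format lines, then scores each client on request volume, 404 ratio, distinct paths requested, and a known-scanner User-Agent. The scanner name list and the thresholds are assumptions to tune for your environment.

```python
"""Mine combined-format web server access logs for reconnaissance:
clients with a high 404 ratio across many distinct paths, and clients
announcing themselves with a known scanner User-Agent."""
import re
from collections import defaultdict

# Constructed sample log lines in Apache/NGINX combined format (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 - - [02/Apr/2013:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [02/Apr/2013:10:12:05 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.8 - - [02/Apr/2013:10:13:00 +0000] "GET /admin/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Apr/2013:10:13:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Apr/2013:10:13:01 +0000] "GET /wp-login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Apr/2013:10:13:01 +0000] "GET /.git/config HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Apr/2013:10:13:02 +0000] "GET /backup.zip HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.8 - - [02/Apr/2013:10:13:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [02/Apr/2013:10:20:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "Nikto/2.1.5"
192.0.2.77 - - [02/Apr/2013:10:20:45 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 213 "-" "Nikto/2.1.5"
this line is malformed and must be skipped
"""

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed list of scanner User-Agent substrings; extend from your own logs.
SCANNER_UA_RE = re.compile(
    r"nikto|sqlmap|nmap|masscan|dirbuster|gobuster|wpscan|zgrab", re.I)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def recon_report(entries, min_requests=5, min_404_ratio=0.5):
    """Per client IP: request count, 404 ratio, distinct paths, scanner UA
    flag, and a 'suspicious' verdict from either signal."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                 "paths": set(), "scanner_ua": False})
    for e in entries:
        s = stats[e["ip"]]
        s["requests"] += 1
        s["not_found"] += int(e["status"] == 404)
        s["paths"].add(e["path"])
        if SCANNER_UA_RE.search(e["ua"]):
            s["scanner_ua"] = True
    report = {}
    for ip, s in stats.items():
        ratio = s["not_found"] / s["requests"]
        suspicious = s["scanner_ua"] or (
            s["requests"] >= min_requests and ratio >= min_404_ratio)
        report[ip] = {
            "requests": s["requests"],
            "not_found_ratio": round(ratio, 2),
            "distinct_paths": len(s["paths"]),
            "scanner_ua": s["scanner_ua"],
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for ip, row in recon_report(parse_log(SAMPLE_LOG)).items():
        print(ip, row)
```

Here 203.0.113.8 is flagged purely on behaviour (five 404s out of six requests, every path different) and 192.0.2.77 on its User-Agent, while the ordinary browser session is left alone. The behavioural signal matters more than the UA match: scanners can send any User-Agent they like, but they cannot avoid generating misses while guessing paths. Normal sites with broken links also produce 404s, so set the thresholds from a baseline of your own logs before acting on the verdicts.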
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
Your host system can run any 64-bit version of Windows, Mac OS X, or Linux as its core operating system, provided it can also install and run VMware virtualization products.
It is critical that your CPU and operating system support 64-bit guests so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that detects whether your host supports 64-bit guest virtual machines. For further troubleshooting, the article referenced here also provides good instructions for Windows users on determining CPU and OS capabilities. For Macs, please use the Apple support page referenced here to determine 64-bit capability.
Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (or higher versions) on your system prior to the beginning of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on their website. VMware Player is a free download that does not need a commercial license, and most students find it adequate for the course.
MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:
MANDATORY SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):
If you have additional questions about the laptop specifications, please contact email@example.com.