FOR572 Advanced Network Forensics and Analysis Preview: DHCP and DNS, "The Correlators"

  • Monday, 08 Sep 2014 4:00AM EDT (08 Sep 2014 08:00 UTC)
  • Speaker: Philip Hagen

In this webcast, we'll dive into two network protocols that can provide tremendous benefit to an investigator or analyst. We've cherry-picked key material directly from the upcoming course "FOR572: Advanced Network Forensics and Analysis" to demonstrate actionable steps you can use to improve your investigative processes. DHCP provides a vital link between network activity and the devices responsible for it. When closely pursuing targets of an investigation - often insider threats or other malicious actors with physical access to the environment - DHCP traffic and logs can provide a quick and direct path to the malicious actor's desk. On the other hand, DNS traffic and logs provide a "one-stop-shop" to assess network activity across an enterprise that typically uses dozens or hundreds of different protocols and services. Analysts often reap huge benefits by cross-referencing DNS activity with NetFlow/IPFIX data, HTTP proxy logs, or any other evidence containing hostnames or IP addresses. With effective correlation, they can establish a clear understanding of malicious activity - even when the underlying data is encrypted or otherwise inaccessible. FOR572 covers even more network protocols and investigative methodologies, and this webcast will be a primer that gives you big benefits - today.
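The two correlations the abstract describes, shown as an added example that is not part of the webcast or FOR572 course material: a DHCP lease history answers "which device held this IP address at that moment", and a DNS answer log answers "what name did this client resolve just before it opened this flow". The log formats, timestamps, addresses and hostnames below are all constructed for illustration; real sources (ISC dhcpd syslog, passive DNS captures, nfdump or IPFIX collector output) need their own parsers, and the five-minute DNS-to-flow window is an assumed tuning value.

```python
"""Correlate DHCP leases, DNS answers and flow records (added example, not FOR572 material).

All evidence below is constructed sample data in hypothetical single-line formats.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# --- constructed sample evidence ---------------------------------------------
# DHCP: timestamp  message  leased-ip  client-mac  client-hostname
DHCP_LOG = """\
2014-09-08T07:55:10 DHCPACK 10.1.1.23 aa:bb:cc:dd:ee:01 LAPTOP-FINANCE
2014-09-08T07:58:42 DHCPACK 10.1.1.40 aa:bb:cc:dd:ee:02 DESK-0412
2014-09-08T08:30:00 DHCPACK 10.1.1.23 aa:bb:cc:dd:ee:03 CONTRACTOR-X
"""
# DNS: timestamp  client-ip  rrtype  query-name  answer
DNS_LOG = """\
2014-09-08T08:00:01 10.1.1.23 A updates.example.com 203.0.113.5
2014-09-08T08:00:03 10.1.1.40 A mail.example.net 198.51.100.9
2014-09-08T08:31:00 10.1.1.23 A cdn.example.org 203.0.113.77
"""
# Flows: start-timestamp  src-ip  dst-ip  dst-port  bytes
FLOW_LOG = """\
2014-09-08T08:00:02 10.1.1.23 203.0.113.5 443 1200
2014-09-08T08:00:05 10.1.1.40 198.51.100.9 443 5400
2014-09-08T08:31:02 10.1.1.23 203.0.113.77 443 980000
2014-09-08T08:32:00 10.1.1.23 192.0.2.250 4444 20000
"""

@dataclass
class Lease:
    ts: datetime; ip: str; mac: str; hostname: str

@dataclass
class DnsAnswer:
    ts: datetime; client: str; qname: str; answer: str

@dataclass
class Flow:
    ts: datetime; src: str; dst: str; dport: int; nbytes: int

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_dhcp(text: str) -> list:
    leases = []
    for line in text.splitlines():
        ts, msg, ip, mac, host = line.split()
        if msg == "DHCPACK":          # only acknowledged leases bind an IP to a device
            leases.append(Lease(_ts(ts), ip, mac, host))
    return leases

def parse_dns(text: str) -> list:
    out = []
    for line in text.splitlines():
        ts, client, rtype, qname, answer = line.split()
        if rtype == "A":              # keep address answers; they are what flows connect to
            out.append(DnsAnswer(_ts(ts), client, qname, answer))
    return out

def parse_flows(text: str) -> list:
    out = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        out.append(Flow(_ts(ts), src, dst, int(dport), int(nbytes)))
    return out

def lease_for(leases: list, ip: str, ts: datetime) -> Optional[Lease]:
    """Most recent DHCPACK for `ip` at or before `ts`: the device holding the address then.
    The same IP can belong to different devices at different times, so the flow's
    timestamp, not just its source address, decides which desk it leads to."""
    cands = [l for l in leases if l.ip == ip and l.ts <= ts]
    return max(cands, key=lambda l: l.ts) if cands else None

def dns_name_for(answers: list, client: str, dst_ip: str, ts: datetime,
                 window: timedelta = timedelta(minutes=5)) -> Optional[str]:
    """Name this client resolved to `dst_ip` within `window` before the flow started.
    None means the client connected without a preceding lookup (direct-to-IP)."""
    cands = [a for a in answers if a.client == client and a.answer == dst_ip
             and ts - window <= a.ts <= ts]
    return max(cands, key=lambda a: a.ts).qname if cands else None

def correlate(leases: list, answers: list, flows: list) -> list:
    """Enrich every flow with the responsible device (via DHCP) and the destination name (via DNS)."""
    rows = []
    for f in flows:
        lease = lease_for(leases, f.src, f.ts)
        rows.append({
            "ts": f.ts.isoformat(), "src": f.src,
            "mac": lease.mac if lease else None,
            "hostname": lease.hostname if lease else None,
            "dst": f.dst, "dport": f.dport,
            "dst_name": dns_name_for(answers, f.src, f.dst, f.ts),
            "bytes": f.nbytes,
        })
    return rows

def correlate_sample() -> list:
    return correlate(parse_dhcp(DHCP_LOG), parse_dns(DNS_LOG), parse_flows(FLOW_LOG))

if __name__ == "__main__":
    for r in correlate_sample():
        flag = "" if r["dst_name"] else "  <- no preceding DNS lookup"
        print(f'{r["ts"]} {r["hostname"]} ({r["mac"]}) -> '
              f'{r["dst_name"] or r["dst"]}:{r["dport"]} {r["bytes"]}B{flag}')
```

In the sample, 10.1.1.23 changes hands at 08:30, so the large transfer at 08:31 is attributed to CONTRACTOR-X rather than the finance laptop that held the address earlier; the final flow has no matching DNS answer and is surfaced as a direct-to-IP connection, which is exactly the kind of gap that makes DNS a useful cross-reference even when the flow payload itself is encrypted.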