FOR572 Network Forensics Preview: DHCP and DNS, 'The Correlators'

  • Webcast Aired Thursday, 12 Dec 2013 1:00PM EST (12 Dec 2013 18:00 UTC)
  • Speaker: Philip Hagen

In this webcast, we'll dive into two network protocols that can provide tremendous benefit to an investigator or analyst. We've cherry-picked key material directly from the upcoming course "FOR572: Advanced Network Forensics and Analysis" to demonstrate actionable steps you can use to improve your investigative processes.

DHCP provides a vital link between network activity and the devices responsible for it. When closely pursuing targets of an investigation - often insider threats or other malicious actors with physical access to the environment - DHCP traffic and logs can provide a quick and direct path to the malicious actor's desk.

On the other hand, DNS traffic and logs provide a "one-stop-shop" to assess network activity across an enterprise that typically uses dozens or hundreds of different protocols and services. Analysts often reap huge benefits by cross-referencing DNS activity with NetFlow/IPFIX data, HTTP proxy logs, or any other evidence containing hostnames or IP addresses. With effective correlation, they can establish a clear understanding of malicious activity - even when the underlying data is encrypted or otherwise inaccessible.
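The two correlations described in the paragraphs above, as an added example that is not part of the webcast or the FOR572 course material: a flow record's source address is resolved to the device that held that DHCP lease at the time (the "path to the desk"), and its destination address is resolved to the name the same client looked up shortly before (the "one-stop-shop" view of otherwise encrypted traffic). All log lines and flow records are constructed samples in simplified formats (ISC dhcpd-style syslog, a minimal resolver query log, NetFlow-like dicts); the field layouts, the five-minute DNS lookback window, and the hostnames are assumptions for illustration.

```python
"""Correlate DHCP lease logs and DNS query logs with flow records.

Added example, not taken from the FOR572 webcast or course.
All evidence below is constructed; the formats are simplified
stand-ins for ISC dhcpd syslog, a resolver query log, and
NetFlow/IPFIX-style flow records.
"""
import re
from datetime import datetime, timedelta

# --- Constructed sample evidence ---------------------------------------
# DHCP server syslog (dhcpd-style). Note that 10.1.20.55 is handed to a
# second device at 17:52:10, so "which host had this IP" depends on time.
DHCP_LOG = """\
2013-12-12T17:40:02 dhcpd: DHCPACK on 10.1.20.55 to aa:bb:cc:00:11:22 (LAB-WS07) via eth0
2013-12-12T17:52:10 dhcpd: DHCPACK on 10.1.20.55 to aa:bb:cc:33:44:55 (SALES-LT03) via eth0
2013-12-12T17:55:31 dhcpd: DHCPACK on 10.1.20.56 to aa:bb:cc:66:77:88 (HR-WS02) via eth0
"""

# Resolver query/response log (simplified): time client qname A answer
DNS_LOG = """\
2013-12-12T17:58:40 10.1.20.55 updates.example-cdn.test A 203.0.113.10
2013-12-12T17:59:05 10.1.20.55 update-check.unknown-host.test A 198.51.100.77
2013-12-12T17:59:20 10.1.20.56 mail.example.test A 192.0.2.25
"""

# Flow records (NetFlow/IPFIX-like): TLS to port 443, payload not visible
FLOWS = [
    {"start": "2013-12-12T17:59:07", "src": "10.1.20.55", "dst": "198.51.100.77", "dport": 443, "bytes": 48211},
    {"start": "2013-12-12T17:59:21", "src": "10.1.20.56", "dst": "192.0.2.25", "dport": 443, "bytes": 1200},
]

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")


def ts(s):
    """Parse the ISO-style timestamp used by the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_dhcp(text):
    """Return one lease record per DHCPACK line: time, ip, mac, hostname."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append({"time": ts(m.group(1)), "ip": m.group(2),
                           "mac": m.group(3), "host": m.group(4)})
    return leases


def parse_dns(text):
    """Return one record per A answer: time, client, qname, answer."""
    answers = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            answers.append({"time": ts(m.group(1)), "client": m.group(2),
                            "qname": m.group(3), "answer": m.group(4)})
    return answers


def lease_holder(leases, ip, when):
    """Most recent DHCPACK for `ip` at or before `when`: the device holding the address then."""
    candidates = [l for l in leases if l["ip"] == ip and l["time"] <= when]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l["time"])


def dns_name_for(answers, client, dst_ip, when, window=timedelta(minutes=5)):
    """Name this client resolved to dst_ip within `window` before the flow began (assumed window)."""
    hits = [a for a in answers
            if a["client"] == client and a["answer"] == dst_ip
            and when - window <= a["time"] <= when]
    if not hits:
        return None
    return max(hits, key=lambda a: a["time"])["qname"]


def correlate(flows, leases, answers):
    """Enrich each flow with the source device (via DHCP) and destination name (via DNS)."""
    results = []
    for f in flows:
        when = ts(f["start"])
        lease = lease_holder(leases, f["src"], when)
        results.append({
            "flow": f,
            "src_mac": lease["mac"] if lease else None,
            "src_host": lease["host"] if lease else None,
            "dst_name": dns_name_for(answers, f["src"], f["dst"], when),
        })
    return results


if __name__ == "__main__":
    for r in correlate(FLOWS, parse_dhcp(DHCP_LOG), parse_dns(DNS_LOG)):
        f = r["flow"]
        print(f"{f['start']} {f['src']} ({r['src_host']}, {r['src_mac']}) -> "
              f"{f['dst']}:{f['dport']} [{r['dst_name']}] {f['bytes']}B")
```

The time-aware lease lookup is the part worth copying: picking "the" host for 10.1.20.55 without a timestamp would attribute the 17:59 flow to LAB-WS07, when SALES-LT03 had been issued that address seven minutes earlier. The DNS join is likewise bounded to a short lookback on the same client, since a resolver log across an enterprise will contain many clients resolving the same popular addresses.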

FOR572 covers even more network protocols and investigative methodologies, and this webcast will be a primer that gives you big benefits - today.