Packet Analysis

Wireless Traffic Analysis

Network Tunneling

Flow Record Analysis

Web Proxies

Network Intrusion Detection/Prevention Systems


STANDARD FORMAT:Four (4) days of six (6) hours of instruction per day (including breaks for lunch and coffee).


  • “Network Forensics” textbook (Prentice Hall, 2012)
  • Lab Workbook (7 hands-on labs with in-depth solutions)
  • DVDs or USBs containing lab evidence
  • Virtual (VMware) forensic analysis workstations custom designed for lab use


An employee clicks on a link in a phishing email. A worm propagates through your network, undetected. A keystroke logger listens quietly, exporting passwords once a week. How can you make sure you’re not the next organization in the papers? Better firewall rules? A newer generation IDS? Faster updating for A/V signatures? We all know none of these is the right solution by itself. The future of defense is practical network monitoring and forensics.

From the author of “Network Forensics: Tracking Hackers Through Cyberspace” (Prentice Hall, 2012) comes Network Forensics: Continuous Monitoring and Instrumentation. This fast-paced, intensive class includes traffic and flow record analysis, cloud-based network forensics, next-generation firewall, DLP and SIEM analysis, wireless and mobile network forensics, and malware network behavior analysis all packed into a dense 4 days, with hands-on technical labs throughout the class.

Catch an intellectual property theft in action based on flow record analysis alone then, peek inside the packet capture and carve out the sensitive proprietary data. Analyze a real-world cloud-based attack and track down the source of stolen administrator credentials. Correlate evidence from a DLP solution, firewall, and domain controller, and use it to fitnd a malicious insider engaged in database exfiltration. Detect an APT using scalable network forensics correlation techniques, and trace the attack back to the first infected “patient zero” on your network.

This class is newly updated to include scalable network monitoring architectures, large-scale analysis techniques, strategies for centralizing network-based evidence using SIEM systems, and automatic correlation of many network- and endpoint-based evidence sources.

Forensic investigators must be savvy enough to find network-based evidence, preserve it and extract the evidence in a scalable way. Network Forensics will teach you to how to follow the attacker’s footprints and efficiently analyze evidence from the network environment. Every student will receive a fully-loaded, bootable forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.


This class may potentially fill CPE requirements for CISSP certification.


Each module of this course consists of instructor lecture, followed by instructor-led hands-on labs that are designed to explore the tools and techniques discussed. Additional reading materials are supplied by the accompanying Prentice Hall text (by the authors of the class). Students will be provided with a virtual machine to use as a network forensic workstation.


Information security professionals with some background in hacker exploits, penetration testing, and incident response Incident

Response team members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.

Network and computer forensic professionals who want to solidify and expand their understanding of network forensic and incident response related topics

Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations

Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case
Individuals who are considered technically savvy