Instructor: Erik Hjelmvik
Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.
Our two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files.
The scenarios in the labs are primarily focused on network forensics for incident response,
but are also relevant for law enforcement, internal security, etc., where the network traffic of a suspect or insider is being monitored.
Day 1 - Theory and Practice using Open Source Tools
- Theory: Ethernet signaling
- Hardware: Network TAPs and Monitor ports / SPAN ports
- Sniffers: Recommendations for high-performance packet interception
- PCAP analysis: Extracting evidence and indicators of compromise using open source tools
- Defeating Big Data: Techniques for working with large data sets
- Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
- Challenge Day 1: Find the needle in our haystack and win an honorable prize!
Day 2 - Advanced Network Forensics using Netresec Tools
- NetworkMiner Professional: Learning to leverage the features available in the Pro version
- Port Independent Protocol Identification (PIPI)
- DNS Whitelisting
- NetworkMinerCLI: Automating content extraction with our command line tool
- CapLoader: Searching, sorting and drilling through large PCAP data sets
- Super fast flow transcript (aka Follow TCP/UDP stream)
- Filter PCAP files and export frames to other tools
- Keyword search
- Challenge Day 2
The scenario used in the class involves a new progressive Bank,
which provides exchange services for Bitcoin and Litecoin.
We've set up clients and a server for this bank using REAL physical machines and a REAL internet connection.
All traffic on the network is captured to PCAP files by a SecurityOnion sensor.
In the scenario this bank gets into lots of trouble with hackers and malware, such as:
- Defacement of the Bank's web server (see zone-h mirror)
- Man-on-the-Side (MOTS) attack (much like NSA/GCHQ's QUANTUM INSERT)
- Backdoor infection through trojanized software
- Spear phishing
- Use of a popular RAT (njRAT) to access the victim's machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
- Infection with real malware (Nemucod, Miuref / Boaxxe and more)
Class attendees will learn to analyze captured network traffic from these events in order to:
- Investigate web server compromises and defacements
- Detect Man-on-the-Side attacks
- Identify covert backdoors
- Reassemble incoming emails and attachments
- Detect and decode RAT/backdoor traffic
- Detect malicious traffic without having to rely on blacklists, AV or third-party detection services
Professional software included FREE of charge
Each attendee will be provided with a free personal single-user license of NetworkMiner Professional.
These licenses will be valid for six months from the first training day.
Q: Who should attend?
A: Anyone who wants to improve their skills at finding evil stuff in full content packet captures.
Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.
Attendees will need to bring a laptop that fits the following specs:
- A PC running any 64 bit Windows OS (can be a Virtual Machine)
- At least 4GB RAM
- At least 40 GB free disk space
- VirtualBox (64 bit) installed
(VMWare will not be supported in the training)
A VirtualBox VM will be provided on USB flash drives at the beginning of the training.
Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization.
You might need to enable features such as "AMD-V", "VT-x" or "Hyper-V" in BIOS in order to run virtual machines in 64-bit mode.
You might also need to turn off "Intel Trusted Execution" in BIOS.
One way to verify that your laptop supports 64-bit virtualization is to download the
SecurityOnion ISO and see if it boots up in VirtualBox.
Previous Training Events
- October 23-24, 2017. Network Forensics Training at CS3Sthlm.
Location: Nalen, Stockholm, Sweden.
- September 12-13, 2017. Network Forensics Training at 44CON.
Location: etc.venues Hatton Garden, London, United Kingdom.
- March 20-21, 2017. Network Forensics Training at Troopers IT-Security Conference.
Location: Print Media Academy, Heidelberg, Germany.
- March 14-15, 2016. Network Forensics Training at Troopers IT-Security Conference.
Location: Print Media Academy, Heidelberg, Germany.
- October 20, 2015. Pre-conference training at 4SICS, Stockholm Sweden.
- September 15-16, 2015. Location: Nalen, Stockholm, Sweden.
Would you like to get notified about future training events?
Simply send an email to email@example.com letting us know that you would like to receive an email when we have scheduled a new training event.
Read what others are saying about this class
- “I had the chance to follow a 2-day training in Network Forensics by Erik Hjelmvik. I’m glad I did! [...] When I returned home after the training, I tried out this technique on my own web server. I definitely found some interesting stuff: stuff that I wouldn’t have found going through my log files by hand.”
Judith van Stegeren in Rinse and Repeat: threat hunting with CapLoader and Wireshark (2017).
- “The talk convinces on the one hand with exciting content and on the other hand with a highly interesting speaker, Erik Hjelmvik.”
Sophie Kohl in Ja, ich bin ein TROOPER (2016).