To register for a Live Online Training, please send an email to email@example.com with:
- Training Dates
- Name of Student(s)
- Company Name
- Invoice Address
We will then send out a payment link.
Your registration is complete after your payment has been received.
Instructor: Erik Hjelmvik
Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.
A hands-on network forensics training that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a completely new and unique data set captured during 30 days on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices.
We will analyze traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!
Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.
Part 1 : Theory and Practice using Open Source Tools (4 hours)
- Investigating spear phishing email with malware attachment
- Reassembling exfiltrated data
- Identifying C2 traffic in decrypted HTTPS traffic
- Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy
- Using NetFlow with Argus
- Tracking lateral movement with stolen AD credentials
- Searching application layer data with Wireshark, tshark, tcpflow and ngrep
Part 2 : Theory and Practice using Open Source Tools (4 hours)
- Threat Hunting with Security Onion
- Leveraging passive DNS to track C2 domains
- Decoding proprietary C2 traffic from a RAT
- Extracting files from PCAP with NetworkMiner
- Sandbox execution of malware and behavioral analysis
- Supply chain attacks
- Extracting files from SMB and SMB2 traffic
- Analyzing exfiltration by an APT style attacker
- Investigating a spear phishing attack with credential theft
Part 3 : Advanced Network Forensics using Netresec Tools (4 hours)
- Theory: HTTP Cookies
- Analyzing Cobalt Strike beacons
- Investigation of botnet infection (TrickBot)
- Extracting and verifying X.509 certificates from network traffic
Part 4 : Advanced Network Forensics using Netresec Tools (4 hours)
- Learning about Man-on-the-Side (MOTS) attacks, such as NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”
- Investigating a brute force attack on a web CMS
- Analyzing exploitation of a web server
- Tracking commands sent to web shells
- Tracking lateral movement via Linux servers
- Using JA3 to track TLS encrypted malware traffic
- Live TLS decryption lab
Upcoming Training Events
To register for a Live Online Training, please send an email to firstname.lastname@example.org with the training dates, your name and invoice address.
We will then send out a payment link. Your registration is complete after your payment has been received.
October 25-28, 2021. Live Online Training "PCAP in the Morning US".
Duration: Four half-days
Times: 9:00 AM to 1:00 PM EDT (US Eastern Daylight Time / UTC-4)
Price: $1,000 USD per student
- Monday, October 25, 2021 9:00 AM to 1:00 PM (EDT) : Network Forensics Training, Part 1
- Tuesday, October 26, 2021 9:00 AM to 1:00 PM (EDT) : Network Forensics Training, Part 2
- Wednesday, October 27, 2021 9:00 AM to 1:00 PM (EDT) : Network Forensics Training, Part 3
- Thursday, October 28, 2021 9:00 AM to 1:00 PM (EDT) : Network Forensics Training, Part 4
February 14-17, 2022. Live Online Training "PCAP in the Morning EU".
Time: 8:30 AM to 12:30 PM CET (Central European Time / UTC+1)
Price: € 850 EUR per student (€ 765 EUR if registering before January 14). VAT not included.
- Monday, February 14, 2022 8:30 AM to 12:30 PM (CET) : Network Forensics Training, Part 1
- Tuesday, February 15, 2022 8:30 AM to 12:30 PM (CET) : Network Forensics Training, Part 2
- Wednesday, February 16, 2022 8:30 AM to 12:30 PM (CET) : Network Forensics Training, Part 3
- Thursday, February 17, 2022 8:30 AM to 12:30 PM (CET) : Network Forensics Training, Part 4
Previous Training Events
- September 20-23, 2021. Live Online Training "PCAP in the Morning EU". Location: Online.
- September 9-10, 2021. Network Forensics for Incident Response at SEC-T. Location: Münchenbryggeriet, Stockholm, Sweden.
- May 3-6, 2021. Live Online Training "PCAP in the Morning". Location: Online.
- March 15-16, 2021. Network Forensics for Incident Response at TROOPERS online training marathon. Location: Online
- October 21-22, 2019. Network ForensICS Training at CS3STHLM. Location: Stockholm, Sweden.
- September 17-18, 2019. Network Forensics Training at SEC-T. Location: Münchenbryggeriet, Stockholm, Sweden.
- March 18-19, 2019. Network Forensics Training at Troopers IT-Security Conference. Location: Print Media Academy, Heidelberg, Germany.
- October 22-23, 2018. Network ForensICS Training at CS3STHLM. Custom class with SCADA/ICS focus. Location: Stockholm, Sweden.
- September 11-12, 2018. Network Forensics Workshop at SEC-T. Location: Nalen, Stockholm, Sweden.
- October 23-24, 2017. Network Forensics Training at CS3Sthlm. Location: Nalen, Stockholm, Sweden.
- September 12-13, 2017. Network Forensics Training at 44CON. Location: etc.venues Hatton Garden, London, United Kingdom.
- March 20-21, 2017. Network Forensics Training at Troopers IT-Security Conference. Location: Print Media Academy, Heidelberg, Germany.
- March 14-15, 2016. Network Forensics Training at Troopers IT-Security Conference. Location: Print Media Academy, Heidelberg, Germany.
- October 20, 2015. Pre-conference training at 4SICS. Location: Stockholm Sweden.
- September 15-16, 2015. Location: Nalen, Stockholm, Sweden.
Would you like to get notified about future training events?
Simply send an email to email@example.com letting us know that you would to receive an email when we have scheduled a new training event.
On Site Training (EU only)
Would you like us to visit your facility to do an on-site training?
If you’re in the European Union, then that can be arranged.
Please contact us for further details.
Live Online Training (worldwide)
Would you like us to provide our training to your team as a live online training with high quality audio/video and real-time screen sharing?
Please contact us for further details.
The live online training is also available as part of our Network Forensics Bundle.
Q: Who should attend?
A: The training is built for blue teams, incident responders and SOC analysts, but can also be relevant for law enforcement investigators.
Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools or lack basic knowledge in TCP/IP communications.
Read what others are saying about this class
- “Took this training in May, highly recommend it! Fair warning though, any work you do after this without PCAPs will feel empty 😂”
Tweet by Greg Lesnewich (2021)
- “I was fortunate to take this training at last years CS3STHLM SCADA Security Conference. @netresec Erik is a great instructor, the course materials and his tools are excellent. Highly recommended!”
Tweet by @grumpy4n6 (2019)
- “Great class! I took it in 2017. More than recommended!”
Tweet by @warmstart_eu (2018)
- “I had the chance to follow a 2-day training in Network Forensics by Erik Hjelmvik. I’m glad I did! [...] When I returned home after the training, I tried out this technique on my own web server. I definitely found some interesting stuff: stuff that I wouldn’t have found going through my log files by hand.”
Judith van Stegeren in Rinse and Repeat: threat hunting with CapLoader and Wireshark (2017).
- “Der Vortrag überzeugt einerseits mit einem spannenden Inhalt und andererseits mit einem höchst interessanten Vortragenden, Erik Hjelmvik.”
Sophie Kohl in Ja, ich bin ein TROOPER (2016).
Attendees will need to bring a computer that fits the following specs:
- A PC running any 64 bit Windows OS (can be a Virtual Machine)
- At least 16GB RAM
- At least 100 GB free disk space
- VirtualBox (64 bit) installed
(VMWare will not be supported in the training)
A VirtualBox VM will be provided on USB flash drives at the beginning of On-Site trainings.
In Live Virtual Trainings, however, we deliver the training VM as a download one week ahead of the training.
Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization.
You might need to enable features such as ”AMD-V”, ”VT-x” or ”Hyper-V” in BIOS in order to run virtual machines in 64-bit mode.
You might also need to turn off "Intel Trusted Execution" in BIOS.
One way to verify that your laptop supports 64-bit virtualization is to download the
SecurityOnion ISO and see if it boots up in VirtualBox.
Please read our Terms and Conditions,
which also include details regarding our training cancellation policy.