Network Forensics Training


Visit TROOPERS REGISTRATION to sign up for the class in March. Select either "TROOPERS19 Two Day Training" or "TROOPERS19 All Inclusive" package to register for our two-day Network Forensics training.

Network Forensics class Instructor
Instructor: Erik Hjelmvik

Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.

Our two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused at network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored.

Day 1 - Theory and Practice using Open Source Tools

  • Theory: Ethernet signaling
  • Hardware: Network TAPs and Monitor ports / SPAN ports
  • Sniffers: Recommendations for high-performance packet interception
  • PCAP analysis: Extracting evidence and indicators of compromise using open source tools
  • Defeating Big Data: Techniques for working with large data sets
  • Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
  • Challenge Day 1: Find the needle in our haystack and win a honorable prize!

Day 2 - Advanced Network Forensics using Netresec Tools

  • NetworkMiner Professional: Learning to leverage the features available in the Pro version
    • Port Independent Protocol Identification (PIPI)
    • DNS Whitelisting
  • NetworkMinerCLI: Automating content extraction with our command line tool
  • CapLoader: Searching, sorting and drilling through large PCAP data sets
    • Super fast flow transcript (aka Follow TCP/UDP stream)
    • Filter PCAP files and export frames to other tools
    • Keyword search
  • Challenge Day 2

The Scenario

The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We've set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as:

  • Defacement of the Bank's web server (see zone-h mirror)
  • Man-on-the-Side (MOTS) attack (much like NSA/GCHQ's QUANTUM INSERT)
  • Backdoor infection through trojanized software
  • Spear phishing
  • Use of a popular RAT (njRAT) to access the victims machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
  • Infection with real malware (Nemucod, Miuref / Boaxxe and more)

Class attendees will learn to analyze captured network traffic from these events in order to:

  • Investigate web server compromises and defacements
  • Detect Man-on-the-Side attacks
  • Identify covert backdoors
  • Reassemble incoming emails and attachments
  • Detect and decode RAT/backdoor traffic
  • Detect malicious traffic without having to rely on blacklists, AV or third-party detection services

NetworkMiner CapLoader
Professional software included FREE of charge
Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.

Target Audience

Q: Who should attend?
A: Anyone who want to improve their skills at finding evil stuff in full content packet captures.

Q: Who should NOT attend?
A: Those who are afraid of using Linux command line tools.

Training Preparations

Laptop Required
Attendees will need to bring a laptop that fits the following specs:

  • A PC running any 64 bit Windows OS (can be a Virtual Machine)
  • At least 4GB RAM
  • At least 40 GB free disk space
  • VirtualBox (64 bit) installed
    (VMWare will not be supported in the training)
A VirtualBox VM will be provided on USB flash drives at the beginning of the training.

Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as โ€AMD-Vโ€, โ€VT-xโ€ or โ€Hyper-Vโ€ in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off "Intel Trusted Execution" in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Upcoming Training Events

Previous Training Events

Training Notification

Would you like to get notified about future training events? Simply send an email to letting us know that you would to receive an email when we have scheduled a new training event.

On Site Training (EU only)

Would you like us to visit your facility to do an on-site training? If youโ€™re in the European Union, then that can be arranged. Please contact us for further details.

Live Virtual Training (worldwide)

Would you like us to provide our training to your team as a live online training with high quality audio/video and real-time screen sharing? Please contact us for further details.

Read what others are saying about this class

  • โ€œI was fortunate to take this training at last years CS3STHLM SCADA Security Conference. @netresec Erik is a great instructor, the course materials and his tools are excellent. Highly recommended!โ€
    Tweet by @grumpy4n6 (2019)
  • โ€œGreat class! I took it in 2017. More than recommended!โ€
    Tweet by @warmstart_eu (2018)
  • โ€œI had the chance to follow a 2-day training in Network Forensics by Erik Hjelmvik. Iโ€™m glad I did! [...] When I returned home after the training, I tried out this technique on my own web server. I definitely found some interesting stuff: stuff that I wouldnโ€™t have found going through my log files by hand.โ€
    Judith van Stegeren in Rinse and Repeat: threat hunting with CapLoader and Wireshark (2017).
  • โ€œDer Vortrag รผberzeugt einerseits mit einem spannenden Inhalt und andererseits mit einem hรถchst interessanten Vortragenden, Erik Hjelmvik.โ€
    Sophie Kohl in Ja, ich bin ein TROOPER (2016).