Network Forensics Training

Network Forensics class Instructor
Instructor: Erik Hjelmvik

Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.

We provide hands-on network forensics classes, which allow you to deep dive into full-content packet analysis in PCAP files. Our unique PCAP datasets and labs are built using clients with real users, internet-connected servers, malware infections and hacking attacks from red teams as well as actual adversaries. The labs are built to provide an as realistic scenario as possible, which not only contains attacks and other malicious traffic but also incorporates lots of normal background traffic.

Training Material

Attendees will receive a Virtual Machine (VM) that is prepared with the network traffic to be analyzed as well as tools to use in the analysis. They will also receive a PDF with the theory, labs and solutions that are covered in the class.

Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader, which are used in the second half of the training. These licenses will be valid for six months from the first training day.

Network Forensics Classes

We teach the following three network forensics classes:

Network Forensics for Incident Response Network Forensics for Incident Response
The incident response class involves investigation of traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!
Network Forensics for Industrial Control Systems (ICS/OT) Network Forensics for Industrial Control Systems
The ICS/OT class focuses on analysis of ICS traffic and protocols, such as Modbus/TCP, IEC-104, SIMATIC S7 and CIP. This class also covers an attack where access to ICS equipment is gained through lateral movement.
Network Forensics for Law Enforcement Network Forensics for Law Enforcement
Analysis of network traffic obtained from the ISP of a suspect's internet connection, as well as a memory dump and data from an implant on the suspect's PC. Contact us for more details about the law enforcement training.

Upcoming Training Events

We have no classes scheduled at the moment.

Previous Training Events

  • November 18-21, 2024. Live Online Network Forensics Training "PCAP in the Morning Europe"
  • March 25-28, 2024. Live Online Network Forensics Training "PCAP in the Morning US"
  • March 4-7, 2024. Live Online Network Forensics Training "PCAP in the Morning Europe".
  • September 12-13, 2023. Network Forensics for Incident Response at SEC-T. Location: Münchenbryggeriet, Stockholm, Sweden.
  • April 17-20, 2023. Live Online Network Forensics Training "PCAP in the Morning Europe".
  • March 20-23, 2023. Live Online Network Forensics Training "PCAP in the Morning US".
  • September 19-22, 2022. Live Online Training "PCAP in the Morning US".
  • September 13-14, 2022. Network Forensics for Incident Response at SEC-T. Location: Münchenbryggeriet, Stockholm, Sweden.
  • February 14-17, 2022. Live Online Training "PCAP in the Morning EU".
  • October 25-28, 2021. Live Online Training "PCAP in the Morning US".
  • September 20-23, 2021. Live Online Training "PCAP in the Morning EU".
  • September 9-10, 2021. Network Forensics for Incident Response at SEC-T. Location: Münchenbryggeriet, Stockholm, Sweden.
  • May 3-6, 2021. Live Online Training "PCAP in the Morning".
  • March 15-16, 2021. Network Forensics for Incident Response at TROOPERS online training marathon. Location: Online

Older Training Events

The labs in the following classes were built around an older dataset that has now been discontinued.

Training Notification

Would you like to get notified about future training events? Simply send an email to info@netresec.com letting us know that you would like to receive an email when we have scheduled a new training event.

On Site Training (EU only)

Would you like us to visit your facility to do on-site training? If you’re in the European Union, then that can be arranged. Please contact us for further details.

Live Online Training (worldwide)

Would you like us to teach our network forensics class as a private live online training exclusively to your team? Please contact us for further details.

The live online training is also available as part of our Network Forensics Bundle.

Frequently Asked Questions (FAQ)

Q: Who is the class designed for?
A: The network forensics course is built for blue teams, incident responders and SOC analysts, but can also be relevant for law enforcement investigators.

Q: What prerequisites or skills are required to take the class?
A: Students should be familiar with Linux command line tools and have basic TCP/IP knowledge.

Q: Are only Netresec tools, like NetworkMiner and CapLoader, used in the training?
A: No, this class is designed to teach the concept of network forensics rather than being a tool-centric training. NetworkMiner as well as CapLoader are used in some labs, but in others we use tools like Wireshark, tshark, tcpdump, Suricata, tcpflow and ngrep.

Q: Will there be a test?
A: No.

Q: Will I receive a certificate after the training?
A: Yes, active students receive a Certificate of Completion after having completed the training.

Q: Which online resources can I use to prepare for the training?
A: Our blog has lots of writeups and videos showing how NetworkMiner and CapLoader can be used to analyze traffic from DFIR Madness, Cobalt Strike, IcedID and QBot. You can also check out Brad Duncan's tutorials on malware-traffic-analysis.net.

Read what others are saying about this class

  • “An excellent class - highly recommended for all cyber threat analysts!”
    Tweet by Laura Chappell (2023)
  • “Took this training in May, highly recommend it! Fair warning though, any work you do after this without PCAPs will feel empty 😂”
    Tweet by Greg Lesnewich (2021)
  • “I was fortunate to take this training at last years CS3STHLM SCADA Security Conference. @netresec Erik is a great instructor, the course materials and his tools are excellent. Highly recommended!”
    Tweet by Mitch Impey (2019)

Training Preparations

Attendees will need to bring a computer that fits the following specs:

  • A PC running any 64 bit Windows OS (can be a Virtual Machine)
  • At least 16GB RAM
  • At least 100 GB free disk space
  • VirtualBox (64 bit) installed
    (VMWare will not be supported in the training)
  • The training VM will not run on ARM-based computers, such as Apple M1/M2/M3 Macs
A VirtualBox VM will be provided on USB flash drives at the beginning of On-Site trainings. In Live Virtual Trainings, however, we deliver the training VM as a download one week ahead of the training.

Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. You might need to enable features such as ”AMD-V”, ”VT-x” or ”Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off "Intel Trusted Execution" in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.

Cancellation Policy

Please read our Terms and Conditions, which also include details regarding our training cancellation policy.