Network Forensics for Law Enforcement
Instructor: Erik Hjelmvik
Erik is the creator of NetworkMiner and an experienced incident handler who has specialized in the field of network forensics.
A hands-on network forensics course that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a unique data set captured during 30 days on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices. This training also includes lawful intercept data with network traffic obtained from the ISP of a suspect's internet connection, as well as a memory dump and data from an implant on the suspect's PC.
Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.
Training Topics
- Extract emails and attachments from network traffic
- Analyzing network traffic from a Remote Access Trojan (RAT)
- Passive DNS
- Investigating IDS alerts
- PCAP file format theory
- Leveraging sandboxes for behavioral malware analysis
- Extracting file transfers from network traffic
- Investigating phishing attack
- Extracting packets from a memory dump
- Linking artifacts in RAM of suspect's PC to intrusion
- Analyzing lawful intercept traffic from suspect's ISP
- NAT and Carrier-Grade NAT
- Passive asset detection
- Detecting VPN tunnel traffic
- Finding GPS data in network traffic
- Extracting VoIP audio from network traffic
- Extracting VoIP (SIP) instant messaging chats
- Identifying Tor network traffic
- Analyzing decrypted Tor network traffic
- Packet injection and Man-on-the-Side attacks
Tools Covered
- Wireshark
- tshark
- NetworkMiner
- CapLoader
- tcpdump
- tcpflow
- ngrep
- editcap
Target Audience
The Lawful Intercept training is built for digital forensics investigators at European law enforcement organizations. Students must be comfortable using linux command line tools and have a basic understanding of TCP/IP communications.
On Site Training
Would you like us to visit your facility to do on-site training? If youβre in the European Union, then that can be arranged. Please contact us for further details.
Live Online Training
Would you like us to teach our network forensics class as a private live online training exclusively to your team? Please contact us for further details.
Two or Three Days
The Network Forensics for Lawful Intercept training is a two-day class, even though the live online training often is delivered as four half-days. The contents of the training overlaps with the Incident Response version of our network forensics training. We can therefore offer a 3-day combo, covering both Incident Response and Lawful Intercept labs, as an alternative to the standard two-day class.