Upskilling Training

Network Forensics

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation.

Our Network Forensics service is designed to equip cybersecurity professionals and IT teams with the skills and knowledge to conduct in-depth investigations, analyse network traffic, and uncover potential security breaches. Our service focuses on empowering your team with advanced techniques and methodologies to gather critical digital evidence, understand attack vectors, and reconstruct the sequence of events surrounding a cybersecurity incident.

Duration: 4 days

Participants will be able to learn

  • How to extract files from network packet captures and how to analyse these files.
  • How to use NetFlow data to identify relevant past network occurrences.
  • How to include log data into a comprehensive analytic process, filling knowledge gaps.
  • How attackers leverage man-in-the-middle tools to intercept seemingly secure communications.

Who Should Attend?

All employees who want to learn how to detect, investigate, repair, and recover compromised endpoint systems in the organisation using data collected over the network. Especially suited for:

  • Information Security Professionals
  • SOC Analysts
  • Incident Response Team Members
  • Blue Team Members

Course Syllabus

    Basic Network Forensics Tools:

  • pcap file format
  • Berkeley Packet Filter (BPF)
  • Data reduction
  • Useful command-line parameters

  • User interface
  • Display filters
  • Useful features for network forensic analysis

    Network Evidence Acquisition

  • Full-packet capture
  • Logs
  • NetFlow

    Capture devices:

  • Switches
  • Taps
  • Layer 7 sources
  • NetFlow

    Hypertext Transfer Protocol (HTTP)

  • Request/response dissection
  • Useful HTTP fields
  • HTTP tracking cookies
  • Log formats
  • Expanded mod_forensic logging

    Domain Name System (DNS):

  • Tunnelling
  • Logging methods

    Firewall, Intrusion Detection System, and Network Security Monitoring Logs

  • Firewalls
    • Families of firewall solutions
    • Syntax and log formats

    Intrusion Detection Systems (IDS) and Network Security Monitoring (NSM) Platforms

  • Rules and signatures
  • Families of IDS and NSM solutions
  • Zeek NSM
    • Basics and use cases
    • Logging
    • Signature engine

    Logging Protocol and Aggregation

  • Syslog
  • Microsoft Eventing

    Log Data Collection, Aggregation, and Analysis

  • SOF-ELK Platform
  • Basics and pros/cons of the Elastic stack

    NetFlow Collection and Analysis

  • NetFlow
  • NetFlow artefacts useful for examining encrypted traffic
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
    • SiLK
    • nfcapd, nfpcapd, and nfdump
    • SOF-ELK: NetFlow ingestion and dashboards

  • Encoding algorithms
  • Encryption algorithms
  • Symmetric & Asymmetric
  • Profiling SSL/TLS connections with useful negotiation fields

  • Malicious uses
  • Common MITM tools
  • Artefacts of common MITM techniques

    Network Protocol Reverse Engineering

  • Using known protocol fields to dissect unknown underlying protocols

Threat Intel

This is an advanced course. A solid knowledge of attack techniques, networking, and malware investigations is a prerequisite for attending this course.

  • Fundamental understanding of computer networks: the OSI and TCP/IP models, DNS, HTTPS, SMTP, etc.
  • Understanding of fundamental information security concepts
  • Knowledge of networking devices and security solutions: switches, routers, firewalls, antivirus, and endpoint security applications
  • Basic knowledge of Linux and Windows command line