FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Provided by: SANS
Qualification level: GNFA Certification
Study type: Distance learning

About the course

Take your system-based forensic knowledge onto the wire. Incorporate network evidence into your investigations, provide better findings, and get the job done faster.

It is exceedingly rare to work any forensic investigation that doesn't have a network component. Endpoint forensics will always be a critical and foundational skill for this career, but overlooking the endpoints' network communications is akin to ignoring security camera footage of a crime as it was committed. Whether you handle an intrusion incident, data theft case, or employee misuse scenario, or are engaged in proactive adversary discovery, the network often provides an unparalleled view of the incident. Its evidence can provide the proof necessary to show intent, uncover attackers that have been active for months or longer, or even definitively establish that a crime actually occurred.

FOR572: ADVANCED NETWORK FORENSICS: THREAT HUNTING, ANALYSIS AND INCIDENT RESPONSE was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.


Course Syllabus

FOR572.1: Off the Disk and Onto the Wire


Focus: Although many concepts of network forensics are similar to those of any other digital forensic investigation, the network presents many nuances that require special attention. Today you will learn how to apply what you already know about digital forensics and incident response to network-based evidence. You will also become acclimated to the basic tools of the trade.

Network data can be preserved, but only if captured directly from the wire. Whether tactical or strategic, packet capture methods are quite basic. You will re-acquaint yourself with tcpdump and Wireshark, the most common tools used to capture and analyze network packets, respectively. However, since long-term full-packet capture is still uncommon in most environments, many artifacts that can tell us about what happened on the wire in the past come from devices that manage network functions. You will learn about what kinds of devices can provide valuable evidence and at what level of granularity. We will walk through collecting evidence from one of the most common sources of network evidence - a web proxy server - then go hands-on to find and extract stolen data from the proxy yourself.

The Linux SIFT virtual machine, which has been specifically loaded with a set of network forensic tools, will be your primary toolkit for the week.


  • Installing Linux SIFT Workstation and Review Network Forensic Tool Additions
  • tcpdump and Wireshark Hands-On
  • Carve Exfiltrated Data

CPE/CMU Credits: 6


  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions - commercial and open source
    • Squid proxy server
      • Configuration
      • Logging
      • Automated analysis
      • Cache extraction
  • Foundational Network Forensics Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
      • Data reduction
      • Useful command-line flags
    • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis
  • Network Evidence Acquisition
    • Three core types: full-packet, logs, NetFlow
    • Capture devices: switches, taps, Layer 7 sources, NetFlow
    • Planning to capture: Strategies; commercial and home-built platforms
  • Network Architectural Challenges and Opportunities
    • Challenges provided by a network environment
    • Future trends that will affect network forensics

FOR572.2: Core Protocols & Log Aggregation/Analysis


Focus: There are thousands of protocols that may be in use within a production network environment. We will cover several of these that are most likely to benefit the forensicator in typical casework, as well as several that help demonstrate analysis methods useful when facing new, undocumented, or proprietary protocols. By learning the "typical" behaviors of these protocols, we can more readily identify anomalies that may suggest an adversary is misusing that protocol for nefarious purposes. These protocol artifacts and anomalies can be profiled through direct traffic analysis as well as through the log evidence created by systems that have control or purview of that traffic. While this affords the investigator vast opportunities to analyze the network traffic, efficient analysis of large quantities of source data generally requires tools and methods designed to scale.

Knowing how protocols appear in their normal use is critical if investigators are expected to identify anomalous behaviors. By looking at some of the more commonly-used network communication protocols, we will specifically focus on the ways in which they can be easily misused by an adversary or a malware author.

While no one course could ever exhaustively cover the dizzying list of protocols used in a typical network environment, you will build the skills needed to learn whatever new protocols may come your way. The ability to "learn how to learn" is critical, as new protocols are being developed every day. Advanced adversaries develop their own protocols, too, and as you will see later in this class, successfully understanding and counteracting an adversary's undocumented protocol is a similar process to learning those you will see in this section.

Log data is one of the unsung heroes in the realm of network forensics. While the near-perfect knowledge that comes with full-packet capture seems ideal, it suffers from several shortfalls. It is often unavailable, as many organizations have not yet deployed or cannot deploy comprehensive collection systems. When they are in use, network capture systems quickly amass a huge volume of data, which is often difficult to process effectively and must be maintained in a rolling buffer covering just a few days or weeks.

Understanding log data and how it can guide the investigative process is an important network forensicator skill. Examining network-centric logs can also fill gaps left by an incomplete or nonexistent network capture.

In this section, you will learn various logging mechanisms available to both endpoint and network transport devices. You will also learn how to consolidate log data from multiple sources, providing a broad corpus of evidence in one location. As the volume of log data increases, so does the need to consider automated analytic tools. You'll use the SOF-ELK platform for post-incident log aggregation and analysis, bringing quick and decisive insight to a compromise investigation.


  • HTTP Profiling
  • Firewall and Bro NSM Analysis
  • Log Aggregation and Analysis with SOF-ELK

CPE/CMU Credits: 6


  • Hypertext Transfer Protocol (HTTP): Protocol and Logs
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • Artifact extraction
    • Log formats
    • Analysis methods
  • Domain Name System (DNS): Protocol and Logs
    • Architecture and core functionality
    • Tunneling
    • Fast flux and domain name generation algorithms (DGAs)
    • Logging methods
    • Amplification attacks
  • Firewall, Intrusion Detection System, and Network Security Monitoring Logs
    • Firewalls
      • Families of firewall solutions
      • Additional features
      • Syntax and log formats
    • Intrusion Detection Systems
      • Rules and signatures
      • Families of IDS and NSM solutions
      • Bro NSM
        • Basics and use cases
        • Logging
  • Logging Protocol and Aggregation
    • Syslog
      • Dual role: server and protocol
      • Source and collection platforms
      • Event dissection
      • rsyslog configuration
    • Microsoft Eventing
      • History and capabilities
      • Eventing 6.0
        • Architecture
        • Analysis mode
    • Log Data Collection, Aggregation, and Analysis
      • Benefits of aggregation: scale, scope, independent validation, efficiency
      • Known weaknesses and mitigations
      • Evaluating a comprehensive log aggregation platform
  • ELK Stack and the SOF-ELK Platform
    • Basics and pros/cons of the ELK stack
    • SOF-ELK
      • Inputs
      • Log-centric dashboards

FOR572.3: NetFlow and File Access Protocols


Focus: Network connection logging, commonly called NetFlow, may be the single most valuable source of evidence in network investigations. Many organizations have extensive archives of flow data due to its minimal storage requirements. Since NetFlow does not capture any content of the transmission, many legal issues with long-term retention are mitigated. Even without content, NetFlow provides an excellent means of guiding an investigation and characterizing an adversary's activities from pre-attack through operations. Whether within a victim's environment or for data exfiltration, adversaries must move their quarry around through the use of various file access protocols. By knowing some of the more common file access and transfer protocols, a forensicator can quickly identify an attacker's theft actions.

Just as even a fuzzy photo can provide valuable leads in a traditional investigation, NetFlow data can provide a network forensicator with extremely high-value intelligence about network communications. The key to extracting that value is in knowing how to use NetFlow evidence to drive more detailed investigative activities.

NetFlow is also an ideal technology to use in baselining typical behavior of an environment, and therefore, deviations from that baseline that may suggest malicious actions. Threat hunting teams can also use NetFlow to identify prior connections consistent with newly-identified suspicious endpoints or traffic patterns.

In this section, you will learn the contents of typical NetFlow protocols, as well as common collection architectures and analysis methods. You'll also learn how to distill full-packet collections to NetFlow records for quick initial analysis before diving into more cumbersome pcap files.
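As an added illustration of that distillation step (example code written for this page, not the course's own material or a SiLK/nfpcapd tool), the following standard-library Python reads the classic pcap format covered in Section 1 and reduces each IPv4 packet into unidirectional 5-tuple flow records with packet and byte counts, first/last timestamps, and accumulated TCP flags, which is the data-reduction view NetFlow gives you before you open the pcap itself. The capture it parses is constructed inline; the addresses, ports and MAC values are sample data.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def _ipv4_packet(src, dst, proto, l4):
    """Build a minimal IPv4 header (checksum left zero) in front of the L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + l4

def _pcap_record(ts, frame):
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_sample_pcap():
    """Constructed sample capture: one TCP flow (SYN then data) and one UDP flow."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    syn = struct.pack("!HHIIBBHHH", 51000, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    psh = struct.pack("!HHIIBBHHH", 51000, 443, 1001, 1, 0x50, 0x18, 65535, 0, 0) + b"A" * 100
    udp = struct.pack("!HHHH", 53001, 53, 8 + 40, 0) + b"Q" * 40
    frames = [
        (1.0, eth + _ipv4_packet("10.0.0.5", "203.0.113.7", 6, syn)),
        (1.2, eth + _ipv4_packet("10.0.0.5", "203.0.113.7", 6, psh)),
        (2.5, eth + _ipv4_packet("10.0.0.5", "10.0.0.1", 17, udp)),
    ]
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(_pcap_record(ts, f) for ts, f in frames)

def iter_pcap_frames(data):
    """Yield (timestamp, frame) from a classic pcap, honouring the file's byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl]
        off += incl

def pcap_to_flows(data):
    """Aggregate IPv4 frames into unidirectional 5-tuple flow records (NetFlow v5 style)."""
    flows = {}
    for ts, frame in iter_pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skip non-IPv4 frames (ARP, IPv6, ...) and truncated ones
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) and len(l4) >= 4 else (0, 0)
        tcp_flags = l4[13] if proto == 6 and len(l4) >= 14 else 0
        rec = flows.setdefault((src, dst, sport, dport, proto), {
            "src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto,
            "packets": 0, "bytes": 0, "first": ts, "last": ts, "tcp_flags": 0})
        rec["packets"] += 1
        rec["bytes"] += total_len  # layer-3 bytes, as NetFlow counts them
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["tcp_flags"] |= tcp_flags
    return sorted(flows.values(), key=lambda r: r["first"])
```

Run `pcap_to_flows(open("capture.pcap", "rb").read())` on a real Ethernet capture to get the same records; the accumulated `tcp_flags` field is what lets you tell a completed session from a bare SYN scan without reading payloads.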

You'll also examine the File Transfer Protocol, including how to reconstruct specific files from an FTP session. While FTP is commonly used for data exfiltration, it is also an opportunity to refine protocol analysis techniques, due to its multiple-stream nature.

Lastly, you'll explore a variety of the network protocols unique to a Microsoft Windows or Windows-compatible environment. Attackers frequently use these protocols to "live off the land" within the victim's environment. By using existing and expected protocols, the adversary can hide in plain sight and avoid deploying malware that could tip off the investigators to their presence and actions.


  • Visual NetFlow Analysis with SOF-ELK
  • Tracking Lateral Movement with NetFlow
  • SMB Session Analysis and Reconstruction

CPE/CMU Credits: 6


  • NetFlow Collection and Analysis
    • Origins and evolution
    • NetFlow v5 and v9 protocols
    • Architectural components
    • NetFlow artifacts useful for examining encrypted traffic
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
      • SiLK
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK: NetFlow ingestion and dashboards
  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today's networks
    • Capture and analysis
  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v1, v2, and v3
    • SharePoint and internal web sites

FOR572.4: Commercial Tools, Wireless, and Full-Packet Hunting


Focus: Commercial tools are a mainstay in the network forensicator's toolkit. We'll explore the various roles that commercial tools generally fill, as well as how they can best be integrated into an investigative workflow. With the runaway adoption of wireless networking, investigators must also be prepared to address the unique challenges this technology brings to the table. However, regardless of the protocol being examined or the budget used to perform the analysis, having a means of exploring full-packet capture is a necessity, and having a toolkit to perform this at scale is critical.

Commercial tools hold clear advantages in some situations a forensicator may typically encounter. Most commonly, this centers on scalability. Many open-source tools are designed for tactical or small-scale use. Whether used for large-scale deployments or for specific niche functionalities, commercial tools can immediately address many investigative needs. You'll look at the typical areas where commercial tools in the network forensic realm tend to focus, and discuss the value each may provide for your organizational requirements or those of your clients.

Additionally, we will address the forensic aspects of wireless networking. We will cover similarities with and differences from traditional wired network examinations, as well as what interesting artifacts can be recovered from wireless protocol fields. Some inherent weaknesses of wireless deployments will also be covered, including how attackers can leverage those weaknesses during an attack, and how they can be detected.

Finally, we will look at methods that can improve at-scale hunting from full-packet captures, even without commercial tooling. We will look at the open-source Moloch platform and how it can be used in live and forensic workflows. You'll receive a ready-to-use Moloch virtual machine and load source data from an incident we previously investigated, seeking ground truth from the previously-captured full-packet data.


  • NetworkMiner
  • Using Command-Line Tools for Analysis
  • Network Forensic Analysis Using Moloch

CPE/CMU Credits: 6


  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email message
    • Adaptations and extensions
  • Commercial Network Forensics
    • Trade-offs between commercial and open-source solutions
    • Common commercial platforms that you may encounter
    • Using existing platforms and tools in a client environment
  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Device modes of operation
    • Capture methodologies: Hardware and Software
    • Useful protocol fields
    • Inherent weaknesses
    • Typical attack methodologies based on protection mechanisms
  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis and repeatable workflows
    • Libraries that can be linked to custom tools and solutions
    • Chaining tools together effectively
  • Full-Packet Hunting with Moloch
    • Moloch basics and architecture
    • Limitations in practical use
    • Session awareness, filtering, typical forensic use cases

FOR572.5: Encryption, Protocol Reversing, OPSEC, and Intel


Focus: Advancements in common technology have made it easier to be a bad guy and harder for us to track them. Strong encryption methods are readily available and custom protocols are easy to develop and employ. Despite this, there are still weaknesses even in the most advanced adversaries' methods. As we learn what the attackers have deliberately hidden from us, we must operate carefully to avoid tipping our hand regarding the investigative progress - or the attacker can quickly pivot, nullifying our progress.

Encryption is frequently cited as the most significant hurdle to effective network forensics - and for good reason. When properly implemented, encryption can be a brick wall in between an investigator and critical answers. However, technical and implementation weaknesses can be used to our advantage. Even in the absence of these weaknesses, the right analytic approach to encrypted network traffic can still yield valuable information about the content. We will discuss the basics of encryption and how to approach it during an investigation. The section will also cover flow analysis to characterize encrypted conversations.

We will also discuss undocumented protocols and the reuse of existing protocols for nefarious purposes. Specifically, we will address how to derive intelligence value with limited or nonexistent knowledge of the carrier protocol.

Finally, we will look at how common missteps can provide the attacker with clear insight into the forensicator's progress. This often leads to the attacker changing their tactics, confounding the investigator and even erasing all the progress made to that point. We'll address best practices for conducting investigations in a compromised environment and ways to share hard-earned intelligence that mitigate the risks involved.


  • SSL Inspection
  • Identifying Undocumented Protocol Features
  • Mini-Comprehensive Investigation: Using NetFlow to Identify a Data Loss Session, Using pcap to Reverse a Protocol, Extracting Original Files, Decrypting SSL Communications

CPE/CMU Credits: 6


  • Encoding, Encryption, and SSL
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
    • Profiling SSL connections using useful negotiation fields
    • Analytic mitigation
    • Perfect forward secrecy
  • Man-in-the-Middle
    • Methods to accomplish
    • Benevolent uses
    • Common MITM tools
  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol
  • Investigation OPSEC and Threat Intel
    • Operational Security
      • Basic analysis can tip off attackers
      • How to mitigate risk without compromising quality
    • Intelligence
      • Plan to share smartly
      • Protect intelligence to mitigate risks

FOR572.6: Network Forensics Capstone Challenge


Focus: This section will combine all of what you have learned prior to and during this week. In groups, you will examine network evidence from a real-world compromise by an advanced attacker. Each group will independently analyze data, form and develop hypotheses, and present findings. No evidence from endpoint systems is available - only the network and its infrastructure.

Students will test their understanding of network evidence and their ability to articulate and support hypotheses through presentations made to the instructor and class. The audience will include senior-level decision makers, so all presentations must include executive summaries as well as technical details. Time permitting, students should also include recommended steps that could help to prevent, detect, or mitigate a repeat compromise.


  • Capstone Lab

CPE/CMU Credits: 6


  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker's compromise
      • Identify the attacker's actions while in the victim's environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at the end of the day-long lab
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker's activities
      • Time permitting, provide recommendations on how the victim can prevent, detect, or mitigate a repeat compromise by the same or another similarly advanced attacker

Who Should Attend

  • Incident response team members and forensicators who are expanding their investigative scope from endpoint systems to the network
  • Hunt team members who proactively seek adversaries already in their network environments through leveraging new intelligence against previously-collected evidence
  • Security Operations Center (SOC) personnel and information security practitioners who support hunt operations, seeking to identify attackers in their network environments
  • Network defenders who are taking on added investigative and/or incident response workloads
  • Law enforcement officers, federal agents, and detectives who want to become network forensic subject matter experts
  • Information security managers who need to understand network forensics in order to manage risk, convey information security implications, and manage investigative teams
  • Network engineers who are proactively orienting their networks to best meet investigative requirements
  • Information technology professionals who want to learn how network investigations take place
  • Anyone interested in computer network intrusions and investigations who has a solid background in computer forensics, information systems, and information security

What You Will Receive

  • Custom distribution of the Linux SANS SIFT Workstation Virtual Machine with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course
  • SOF-ELK Virtual Machine - a publicly available appliance running the ELK stack and the course author's custom set of configurations and dashboards. The VM is preconfigured to ingest syslog logs, HTTPD logs, and NetFlow, and will be used during the class to help students wade through the hundreds of millions of records they are likely to encounter during a typical investigation.
  • Moloch Virtual Machine - a standalone VM running the free Moloch application. Moloch ingests and indexes live network data or pcap files, providing a platform that makes full-packet analysis attainable.
  • Realistic case data to examine during class, from multiple sources including:
    • NetFlow data
    • Web proxy, firewall, and intrusion detection system logs
    • Network captures in pcap format
    • Network service logs
  • USB disk loaded with case examples, tools, and documentation

You Will Be Able To

  • Extract files from network packet captures and proxy cache files, allowing follow-on malware analysis or definitive data loss determinations
  • Use historical NetFlow data to identify relevant past network occurrences, allowing accurate incident scoping
  • Reverse engineer custom network protocols to identify an attacker's command-and-control abilities and actions
  • Decrypt captured SSL traffic to identify attackers' actions and what data they extracted from the victim
  • Use data from typical network protocols to increase the fidelity of the investigation's findings
  • Identify opportunities to collect additional evidence based on the existing systems and platforms within a network architecture
  • Examine traffic using common network protocols to identify patterns of activity or specific actions that warrant further investigation
  • Incorporate log data into a comprehensive analytic process, filling knowledge gaps that may be far in the past
  • Learn how attackers leverage man-in-the-middle tools to intercept seemingly secure communications
  • Examine proprietary network protocols to determine what actions occurred on the endpoint systems
  • Analyze wireless network traffic to find evidence of malicious activity
  • Learn how to modify configuration on typical network devices such as firewalls and intrusion detection systems to increase the intelligence value of their logs and alerts during an investigation
  • Apply the knowledge you acquire during the week in a full-day capstone lab, modeled after real-world nation-state intrusions
