Virginia Tech - Invent the Future
SANS - Advanced Network Forensic Analysis - March 7 - 12, 2016 - Torgersen Hall - Blacksburg, Virginia

General Information

Thanks to our sponsors!

IBM CAS Severn logo


FOR572: ADVANCED NETWORK FORENSICS AND ANALYSIS was built from the ground up to cover the most critical skills needed to mount efficient and effective post-incident response investigations. We focus on the knowledge necessary to expand the forensic mindset from residual data on the storage media from a system or device to the transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still has to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Put another way: Bad guys are talking - we'll teach you to listen.

This course covers the tools, technology, and processes required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You will leave this week with a well-stocked toolbox and the knowledge to use it on your first day back on the job. We will cover the full spectrum of network evidence, including high-level NetFlow analysis, low-level pcap exploration, ancillary network log examination, and more. We cover how to leverage existing infrastructure devices that may contain months or years of valuable evidence as well as how to place new collection platforms while an incident is already under way.

Whether you are a consultant responding to a client's site, a law enforcement professional assisting victims of cybercrime and seeking prosecution of those responsible, or an on-staff forensic practitioner, this course offers hands-on experience with real-world scenarios that will help take your work to the next level. Previous SANS SEC curriculum students and other network defenders will benefit from the FOR572 perspective on security operations as they take on more incident response and investigative responsibilities. SANS Forensic alumni from 408 and 508 can take their existing knowledge and apply it directly to the network-based attacks that occur daily. In FOR572, we solve the same caliber of real-world problems without any convenient hard drive or memory images. The hands-on exercises in this class cover a wide range of tools, including the venerable tcpdump and Wireshark for packet capture and analysis; NetworkMiner for artifact extraction; and open-source tools including nfdump, tcpxtract, Logstash, and more. Through all of these exercises, your shell scripting abilities will come in handy to make easy work of ripping through hundreds and thousands of data records.

FOR572 is truly an advanced course - we hit the ground running on day one. Bring your entire bag of skills: forensic techniques and methodologies, networking (from the wire all the way up to user-facing services), Linux shell utilities, and everything in between. They will all benefit you throughout the course material as you FIGHT CRIME. UNRAVEL INCIDENTS…ONE BYTE (OR PACKET) AT A TIME.

Course Topics:

  • Foundational network forensics tools: tcpdump and Wireshark refresher
  • Packet capture applications and data
  • Considerations between disk-based and network-based forensics
    • Network evidence types and sources
    • Network architectural challenges and opportunities for investigators
    • Investigation OPSEC and footprint considerations
  • Network protocol analysis
    • Dynamic Host Configuration Protocol and Domain Name Service
    • Hypertext Transfer Protocol
    • File Transfer Protocol
    • Network Time Protocol
    • Microsoft protocols
    • Simple Mail Transfer Protocol
  • Commercial network forensic tools
  • Automated tools and libraries
  • NetFlow
    • Introduction
    • Collection approaches
    • Open-source NetFlow tools
  • Visualization tools and techniques
  • Wireless networking
    • Capturing wireless traffic
    • Identifying clients susceptible to fake access-point-based MITM attacks
    • Detecting fake access points and the client(s) they attacked
  • Log data to supplement network examinations
    • Syslog
    • Microsoft eventing
    • HTTP server logs
    • Firewall and IDS
    • Log collection, aggregation, and analysis
    • Web proxy server examination
  • Encryption
    • Introduction
    • Man-in-the-middle
    • Secure HTTP/Secure Sockets Layer
    • Encrypted traffic flow analysis
  • Deep packet work
    • Network protocol reverse engineering
    • Payload reconstruction

March 7, 2016
FOR572.1: Off the Disk and Onto the Wire

March 8, 2016
FOR572.2: NetFlow Analysis, Commercial Tools, and Visualization

March 9, 2016
FOR572.3: Network Protocols and Wireless Investigations

March 10, 2016
FOR572.4: Logging, OPSEC, and Footprint

March 11, 2016
FOR572.5: Encryption, Protocol Reversing, and Automation

March 12, 2016
FOR572.6: Network Forensics Capstone Challenge

Who should attend?

  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • SOC Analysts
  • SOC Engineers
  • SOC Managers
  • CND Analysts
  • Individuals working to implement Continuous Diagnostics and Mitigation (CDM), Continuous Security Monitoring (CSM), or Network Security Monitoring (NSM)

Instructor Biography:

Philip Hagen has been working in the information security field since 1998, running the full spectrum including deep technical tasks, management of an entire computer forensic services portfolio, and executive responsibilities.

Currently, Phil is an Evangelist at Red Canary, where he engages with current and future customers of Red Canary's managed threat detection service to ensure their use of the service is best aligned for success in the face of existing and future threats.

Phil started his security career while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a communications officer at Beale AFB and the Pentagon. In 2003, Phil shifted to a government contractor, providing technical services for various IT and information security projects. These included systems that demanded 24x7x365 functionality. He later managed a team of 85 computer forensic professionals in the national security sector. He has provided forensic consulting services for law enforcement, government, and commercial clients prior to joining the Red Canary team. Phil is also a certified instructor for the SANS Institute, and is the course lead and co-author of FOR572, Advanced Network Forensics and Analysis.

"Philip's speaking style draws you in and he's very personable. Useful tools and nice tour of technology which I was not previously aware of." - Frank J. Quinn

Listen to Phil discuss "IT'S ALIVE!!! Investigating with Network-based Evidence" in this SANS webcast that every DFIR professional should listen to.

Additional Information:
If you wish to receive additional information about this program, please contact Randy Marchany, IT Security Lab, Virginia Tech by e-mail at

Continuing & Professional Education @ Virginia Tech

Virginia Tech's Equal Opportunity/Affirmative Action Statement:
For individuals with disabilities: see the registration page