Section 1: Introduction to Forensics Analysis
Logistics and Open-Source Tool Recommendations
Network Forensics Challenges – Nomenclature and Terminology
• Overview and history of Network Forensics Analysis
• Answering the critical incident response questions
• Sample Six-Step Network Forensics Analysis Methodology
Section 2: Recap: Collecting the Data – Data Capture
Forensic Profile Construction
Data Collection
• Configuring Wireshark – Standard Captures vs. Stealth and Silent Collection of Data
• New types of capture filters – Offset and String-Matching
• WiFi data collection challenges
• Bluetooth capture features
Section 3: Identifying and Analyzing Indicators of Compromise
Analyzing Conversations and Activities for Indicators of Compromise (IOC)
• Analyzing Conversations and Activities using the Expert Systems to determine unusual activity
• Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to recognize suspicious traffic
Forensic Diagramming – A Picture is worth 1024 Words
What’s Normal vs. Abnormal – The Role of Baseline Files
• Building a Baseline Library – Where do I find Samples?
Recognizing IOCs of Intrusions
• Forensic Analysis of an Intrusion
• Scouting the Target – Network Reconnaissance and Scanning Tools
• Recognizing Scanning Signatures of standard scanning tools – NMAP, Nessus, Retina, and others
Bot, Botnets – Command and Control Traffic
• Recognizing Bots and Botnet activity – the key IOCs
• Identifying, tracking, and reassembling Command and Control Traffic
Section 4: Introduction to Forensics Analysis of Multimedia Protocols – Voice, Video, T.38 and T.120 over IP
Introduction – Overview & Terminology
• Multimedia Protocols, standards, and hardware
Analyzer Placement & Configuration
• Where to collect the Data and Wireshark Multimedia Specific Menus
Overview of Multimedia Protocols
• H.323, SIP, MGCP / SCCP, Voice and Video Codec(s)
• T.38 Fax over IP and T.120 Conference over IP
Multimedia Reassembly and Playback
Indicators of Compromise – Multimedia Vulnerabilities & Exploits
Section 5: Introduction to Forensics Analysis of Wireless (WiFi) Traffic
Introduction – Overview & Terminology
• WiFi Protocols and Standards
• 802.11a / b / g / n / ac
• Hardware – Antennas & Access Points
Analyzer Placement & Configuration
• Where to collect the Data and Wireshark WiFi Specific Menus
WiFi Communication – Service Sets
• BSSID, ESSID, and IBSS / Ad-hoc
WiFi MAC Layer
• Finding a Service Set and connecting to a Service Set
• Authentication / Association
• Moving Between Service Sets
• Disconnection from Service Sets
SOHO / Internet of Things (IoT) Technologies
• 802.15 Bluetooth, 802.16 WiMAX, HomeRF, ZigBee, Infrared, Z-Wave and RFID
Indicators of Compromise – WiFi Exploitation – Security Vulnerabilities & Exploits
• Rogue Devices
• Man-in-the-Middle
• Malware / Ransomware
• Denial of Service (DoS / DDoS) Attacks
• Bots / Botnets
Section 6: They Hacked Me – Network Forensics Analysis – Intrusions, Exploits, Etc…
Overview & Terminology
Identifying Target Network Vulnerabilities
• Scanning & Reconnaissance
• Tools, techniques, and scanning tool identification with Wireshark
You Can Trust Me – Social Engineering
Exploiting the Target – Layer 2 (Physical & DLC Layers) Exploits
• Driver & Device Exploits
• Man-in-the-Middle
• MAC / ARP Floods
Exploiting the Target – Layer 3 (Network Layer) Exploits
• IPv4 Header and Option Exploits
• IPv6 Tunnel Exploits
• ICMPv4/v6 Exploits
• IPX SAP Exploits
Exploiting the Target – Layer 4 (Transport Layer) Exploits
• Exploiting TCP
• Header & Options, Resets, and Flags
• Exploiting SCTP
• Firewall & Intrusion Detection System (IDS) Exploits
Exploiting the Target – Layer 5-7 (Application) Exploits
• Drive-by-Downloads
• Ransomware, Crimeware, and Malware – Worms & Viruses
• Fake Logins & Password Hijacks
• Overflows
• Internet Exploits
Attacks
• Bots, Botnets, Bot Herders
• Denial of Service (DoS / DDoS)
Detecting, Analyzing, and Reconstructing Suspicious Activities
• Baselines & Sample Libraries
• Color Rules, Filtering & Pattern recognition
Section 7: They Encrypted their traffic – now what? – Forensics Analysis of Encryption Protocols
• Secure Sockets Layer (SSL) / Transport Layer Security (TLS v1–v1.3)
• Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA / WPA2)
• VPN and Tunneling Protocols
• Security Vulnerabilities & Exploits
• Analyzing Encrypted Traffic
Section 8: Alternative Forensic Information – an Introduction to Open-Source Intelligence (OSINT)
Overview and Terminology
• OSINT vs. HUMINT, GEOINT, FININT, SCOMINT, and CTI
Building an OSINT Profile – Collection of Information
• Using Wireshark and Other Direct Capture Tools to Collect OSINT
• Collecting and Evaluating Image and Exif data
• Credentials and Usernames
• Social Media Mapping
• Business Data Collection
Cryptocurrency and OSINT
Email Enumeration
Video and OCR Information
Putting it all Together – Reporting
Where do we go from here?
• Wireshark 0 – TCP/IP Networking Fundamentals Using Wireshark
• Wireshark 1 – TCP/IP Troubleshooting & Network Optimization Using Wireshark
• Wireshark 2 – Masterclass – Advanced Network & Security Analysis
• Wireshark 3 – Network Forensics Analysis
• Wireshark 4 – Mobile Device Forensics Analysis
• Wireshark 5 – Cloud and Internet of Things (IoT) Advanced Network Analysis
• Wireshark 6 – VoIP Advanced Network Analysis
• Wireshark 7 – WiFi Advanced Network Analysis
• Wireshark 8 – SCADA and ICS Advanced Network Analysis
• Wireshark 9 – Wireshark Command Line Tools