FOR400 – Fundamentals of Network Forensics

FOR400 – Fundamentals of Network Forensics builds on existing networking knowledge and extends it into the computer forensic mindset. Students learn about the devices commonly found in computer networks, where useful data may reside on them, and how to collect that data for analysis by applying the same methodology an attacker would use.

The course also covers common exploits against Windows server systems and common malware. Students learn to recognize exploit traffic and to tell a genuine attack apart from the symptoms of poor network configuration.

Target Audience

Professionals looking either to broaden their cyber security skills or to begin developing a skill set within the network defense community.


Provide an understanding of the devices used to build computer networks, where useful data may reside within the network, how that data is stored, and how it is retrieved for analysis.


  • Students will understand and demonstrate a standard exploitation methodology, the concepts behind various software threats, and the techniques expected of a professional hacker.
  • Students will identify the protocols most useful when performing network forensics. Students will gain an understanding of packet filters and how they help isolate specific packets of interest. Students will set up Ethernet ports for capturing data and analyze the captured traffic with Snort to identify malicious activity.
  • Students will learn how to edit Snort configuration files to load local rules, edit rule files, and write custom rules that detect malicious activity, command shells, and malware, then analyze traffic with Snort running as an intrusion detection system. Students will learn to recognize anomalous activity in web and FTP authentication and access logs on Linux and Windows.
  • Students will learn how to recognize anomalous activity on Linux and Windows hosts, and how to detect evidence of an attack using incident response toolkits as well as native tools that show process lists, established connections, scheduled jobs, and account activity.
  • Students will demonstrate the ability to identify attacker IP addresses, exfiltrated data, malware, the method of compromise, and the accounts used, and to document the observed activity in an executive summary and a timeline of events.
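
The two log-analysis outcomes above (recognizing anomalous activity in FTP and web logs, then documenting attacker IPs, accounts used, method of compromise and exfiltrated data in a timeline) can be illustrated with a short detector. The script below is an added example written for this page; it is not course material or the output of any course tool. It assumes vsftpd-style FTP log lines and Apache combined-format web log lines, both embedded here as constructed samples, and the brute-force, web-shell and exfiltration thresholds it uses are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Constructed sample logs (not course material). 203.0.113.7 is the assumed
# attacker, 198.51.100.20 a legitimate user; both are RFC 5737 documentation ranges.
FTP_LOG = """\
Mon Mar  4 10:00:03 2024 [pid 2100] [alice] OK LOGIN: Client "198.51.100.20"
Mon Mar  4 10:02:10 2024 [pid 2140] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:02:11 2024 [pid 2141] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:02:12 2024 [pid 2142] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:02:13 2024 [pid 2143] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:02:16 2024 [pid 2145] [admin] OK LOGIN: Client "203.0.113.7"
Mon Mar  4 10:03:40 2024 [pid 2145] [admin] OK UPLOAD: Client "203.0.113.7", "/var/www/html/uploads/sh.php", 1842 bytes
"""
WEB_LOG = """\
198.51.100.20 - - [04/Mar/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2024:10:04:05 +0000] "GET /uploads/sh.php?cmd=whoami HTTP/1.1" 200 41 "-" "curl/8.4.0"
203.0.113.7 - - [04/Mar/2024:10:04:30 +0000] "GET /uploads/sh.php?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 2310 "-" "curl/8.4.0"
203.0.113.7 - - [04/Mar/2024:10:05:40 +0000] "GET /uploads/sh.php?cmd=cat+/tmp/d.tgz HTTP/1.1" 200 48211230 "-" "curl/8.4.0"
"""
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] (?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<event>OK LOGIN|FAIL LOGIN|OK UPLOAD): Client "(?P<ip>[\d.]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<bytes>\d+) bytes)?')
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
BRUTE_FAILS, BRUTE_WINDOW = 4, timedelta(seconds=60)  # assumed thresholds, not course values
EXFIL_BYTES = 10 * 1024 * 1024
SHELL_INDICATORS = ("cmd=", "exec=", "whoami", "/etc/passwd", "../")

def parse_ftp(text):
    # vsftpd-style lines carry no time zone; assumed to be UTC here.
    for line in text.splitlines():
        m = FTP_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            yield e

def parse_web(text):
    # Apache combined format; timestamps normalised to naive UTC to match the FTP log.
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            e = m.groupdict()
            ts = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["ts"] = ts.astimezone(timezone.utc).replace(tzinfo=None)
            e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
            e["path"] = unquote_plus(e["path"])  # decode %2F, '+' etc. before matching
            yield e

def build_timeline(ftp_text, web_text):
    """Return findings sorted by time: dicts with ts, ip, category, detail, user."""
    findings = []
    def note(ts, ip, category, detail, user=None):
        findings.append({"ts": ts, "ip": ip, "category": category,
                         "detail": detail, "user": user})
    fails = defaultdict(list)  # ip -> timestamps of FAIL LOGIN
    bruted = set()             # ips already flagged for brute forcing
    for e in parse_ftp(ftp_text):
        ip, ts, user = e["ip"], e["ts"], e["user"]
        if e["event"] == "FAIL LOGIN":
            fails[ip].append(ts)
            recent = [t for t in fails[ip] if ts - t <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_FAILS and ip not in bruted:
                bruted.add(ip)
                note(ts, ip, "ftp_bruteforce", f"{len(recent)} failed logins as '{user}' within {BRUTE_WINDOW.seconds}s", user)
        elif e["event"] == "OK LOGIN" and ip in bruted:
            note(ts, ip, "ftp_bruteforce_success", f"login as '{user}' after brute force", user)
        elif e["event"] == "OK UPLOAD" and e["path"].lower().endswith((".php", ".jsp", ".aspx")):
            note(ts, ip, "webshell_upload", f"uploaded {e['path']}", user)
    flagged = {f["ip"] for f in findings}
    for e in parse_web(web_text):
        ip, ts, path = e["ip"], e["ts"], e["path"]
        if any(ind in path for ind in SHELL_INDICATORS):
            note(ts, ip, "webshell_command", f"{e['method']} {path}")
            flagged.add(ip)
        # A large response alone is not evidence; only flag it for an IP already implicated.
        if e["bytes"] >= EXFIL_BYTES and ip in flagged:
            note(ts, ip, "possible_exfiltration", f"{e['bytes']} bytes returned for {path}")
    findings.sort(key=lambda f: f["ts"])  # stable sort keeps same-second ordering
    return findings

def summarize(findings):
    """Executive-summary fields: attacker IPs, accounts used, initial access, exfiltration."""
    access = next((f for f in findings if f["category"] == "ftp_bruteforce_success"), None)
    return {
        "attacker_ips": sorted({f["ip"] for f in findings}),
        "accounts_used": sorted({f["user"] for f in findings if f["user"]}),
        "method_of_compromise": access["detail"] if access else None,
        "exfiltrated": [f["detail"] for f in findings if f["category"] == "possible_exfiltration"],
    }

if __name__ == "__main__":
    timeline = build_timeline(FTP_LOG, WEB_LOG)
    for f in timeline:
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S}  {f['ip']:<15} {f['category']:<22} {f['detail']}")
    print(summarize(timeline))
```

Two design points matter in practice: requested paths are URL-decoded before matching, because `%2Fetc%2Fpasswd` would otherwise slip past a literal `/etc/passwd` check, and a large response is only reported as possible exfiltration when the source address has already been implicated by another finding, since large downloads by themselves are routine. The legitimate user in the sample never appears in the output, which is the check a practitioner wants before trusting the timeline.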


Estimated Course Length: 24 hours