TT2 – The Art of Network Based Forensics – Going Beyond Packet Data

Trainers: Meling Mudin (Founder) & Lee Chin Sheng (Independent Network Security Researcher)
Capacity: 25 pax
Duration: 2 days
Cost: (per pax) MYR3599 (early bird) / MYR3899 (non early-bird)


Network forensics is defined as “the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.” In other words, it involves the capture, preservation, analysis and presentation of network traffic. This training, however, goes beyond that.

This 2-day theory and practical training session will provide attendees with insight into network forensics. This includes the principles, knowledge and tools that need to be studied and acquired before adopting the best practices of network forensics. Attendees will also learn how to use network forensics to complement host-based forensics, answering questions that host-based forensics alone cannot. But this is not all. Since we are going beyond packet data, we will combine practical network forensics techniques with log analysis. This involves the collection, analysis and correlation of logs from network devices such as firewalls, routers and proxy servers with the acquired network packet data. By merging the analysis of log files and packet data, we hope that forensics investigators will have a clearer picture of a network event.
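As an added illustration of the log/packet correlation described above (example code written for this page, not course material), the snippet below pairs constructed firewall log events with constructed pcap-derived flow records. The log format, the addresses and the assumption that the firewall logged in Malaysian local time (UTC+8) without an offset are all hypothetical; the point it makes is the one Chapter 1.1 names: without normalizing both sources to one timeline, nothing correlates.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the course). The firewall wrote local time,
# Malaysia (UTC+8), with no offset in the timestamp; the capture, as pcap does,
# stores UTC epoch seconds. The log line format itself is hypothetical.
FW_TZ = timezone(timedelta(hours=8), "MYT")
UTC = timezone.utc
FW_LOGS = [
    "2008-10-27 10:15:03 DENY TCP 192.0.2.10:51234 -> 198.51.100.5:445",
    "2008-10-27 10:15:09 ALLOW TCP 192.0.2.10:51240 -> 198.51.100.7:80",
    "garbage line that should be skipped",
]
PCAP_FLOWS = [  # 02:15:03Z and 02:15:09Z, i.e. the same instants expressed in UTC
    {"ts": 1225073703.1, "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 445, "bytes": 0},
    {"ts": 1225073709.4, "src": "192.0.2.10", "dst": "198.51.100.7", "dport": 80, "bytes": 4120},
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fw_log(line, tz=FW_TZ):
    """Parse one log line; attach the device's zone, then convert to UTC."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparseable lines are skipped, never silently guessed
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": local.astimezone(UTC), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def correlate(log_lines, flows, tz=FW_TZ, window=timedelta(seconds=2)):
    """Pair each firewall event with capture flows that share src/dst/dport and
    fall within `window` of it once both sides are on the UTC timeline."""
    matches = []
    for line in log_lines:
        ev = parse_fw_log(line, tz)
        if ev is None:
            continue
        for f in flows:
            same_conn = (ev["src"], ev["dst"], ev["dport"]) == (f["src"], f["dst"], f["dport"])
            flow_ts = datetime.fromtimestamp(f["ts"], tz=UTC)
            if same_conn and abs(flow_ts - ev["ts"]) <= window:
                matches.append((ev["action"], ev["ts"].isoformat(), f["bytes"]))
    return matches


if __name__ == "__main__":
    print(correlate(FW_LOGS, PCAP_FLOWS))          # both events matched
    print(correlate(FW_LOGS, PCAP_FLOWS, tz=UTC))  # [] : wrong zone, events land 8 h off
```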

This comprehensive workshop will be taught in a step-by-step scenario-based format. Students will be guided on how to perform network forensics investigation from start to finish.

Who should attend / Target audience

- Systems/security administrator
- Network administrator
- Network security analyst
- Digital forensics investigator
- Incident handler
- Law enforcement officers

Training materials

- Home-brew network tap (Xtap)
- VMWare image
- Printed copies of training slides and materials
- Certificate of attendance

Laptop Requirements

- Windows XP/Vista, OSX or Linux
- Working installation of VMware Player (or VMware Workstation)
- Administrator/root access on the laptop
- Enough RAM (~2 GB) and free hard disk space (~4 GB) for running VMware
- OpenOffice or Microsoft PowerPoint for presentations
- NOTE: Only a VMware image will be provided, so please ensure that you have a working installation of VMware for your respective operating system

Table of Contents
Chapter 1. Introduction to Network-based Forensics
1.1 Timezone, the most critical component in Network-based Forensics
1.2 Laws & Regulations – CALEA, Wiretap Act

Chapter 2. The Network-based Forensics
2.1 Methods, strategies and approaches of network-based forensics

Chapter 3. Network Forensics Toolkit
3.1 Using and utilizing HeX
3.2 Tools for evidence acquisition and analysis
3.3 Tools for analysis and reporting

Chapter 4. Collection and Management of Network-based Evidence
4.1 Understanding, prioritizing and strategizing evidence collection
4.2 Gathering evidence from network traffic
4.3 Gathering evidence from network devices
4.4 Best practices

Chapter 5. Network-based Forensics Analysis
5.1 Understanding, prioritizing and strategizing evidence analysis
5.2 Packet Analysis
5.3 Application Protocol Analysis
5.4 Traffic Content Analysis
5.5 Network Devices Log Analysis

Chapter 6. Anti-Network-Forensics Techniques

Chapter 7. Active Tracing
7.1 Tools for performing active discovery

Additional Materials and Topics
A. TCP/IP Revisited
B. List of Network Analysis Tools
C. List of Log Analysis Tools
D. Major Log Files Format and Samples


Three cases modeled after real-world examples will be presented to the students. Students will work in a group to investigate and analyze evidence related to a computer crime and present their findings to the class.

About the trainers
Meling Mudin

Mel has been in the computer security industry for the past five years. He was previously a system architect at SCAN Associates, where he was responsible for developing the Malaysian government’s largest network security monitoring center. He has also been involved in the organization of the HITBSecConf conference for the last three years, specifically in running its popular Capture the Flag hacking competition. In his five years in the industry, he has been involved in various aspects of computer security including penetration testing, software and product development, training, network defense and system administration, as well as working as a freelance consultant. He currently runs a start-up company that develops vulnerability and patch management software.

Lee Chin Sheng

C.S. Lee is the Founder and CEO of DefCraft, a network security consultancy based in Malaysia. Lee has been in the network security industry for the past 6 years and was previously a CEH trainer on wireless hacking and pentesting. Recently his focus has been on the art of detection and Network Security Monitoring (NSM) concepts. He is an NSM practitioner who believes in using Open Source tools to complete his tasks. He has written papers on dissecting and performing packet analysis and has been involved in projects involving vulnerability assessment, network incident handling and response, as well as network-based forensics.