FOR572: Advanced Network Forensics and Analysis

Course Outline

  • Web Proxy Server Examination
    • Role of a web proxy
    • Proxy solutions - commercial and open source
    • Squid proxy server
      • Configuration
      • Logging
      • Automated analysis
      • Cache extraction
  • Foundational Network Forensics Tools: tcpdump and Wireshark
    • tcpdump re-introduction
      • pcap file format
      • Berkeley Packet Filter (BPF)
      • Data reduction
      • Useful command-line flags
    • Wireshark re-introduction
      • User interface
      • Display filters
      • Useful features for network forensic analysis
  • Network Evidence Acquisition
    • Three core types: full-packet, logs, NetFlow
    • Capture devices: switches, taps, Layer 7 sources, NetFlow
    • Planning to capture: strategies; commercial and home-built platforms
  • Network Architectural Challenges and Opportunities
    • Challenges provided by a network environment
    • Future trends that will affect network forensics
  • Hypertext Transfer Protocol (HTTP): Protocol and Logs
    • Forensic value
    • Request/response dissection
    • Useful HTTP fields
    • Artifact extraction
    • Log formats
    • Analysis methods
  • Domain Name Service (DNS): Protocol and Logs
    • Architecture and core functionality
    • Tunneling
    • Fast flux and domain name generation algorithms (DGAs)
    • Logging methods
    • Amplification attacks
  • Firewall, Intrusion Detection System, and Network Security Monitoring Logs
    • Firewalls
      • Families of firewall solutions
      • Additional features
      • Syntax and log formats
    • Intrusion Detection Systems
      • Rules and signatures
      • Families of IDS and NSM solutions
      • Bro NSM
        • Basics and use cases
        • Logging
  • Logging Protocol and Aggregation
    • Syslog
      • Dual role: server and protocol
      • Source and collection platforms
      • Event dissection
      • rsyslog configuration
    • Microsoft Eventing
      • History and capabilities
      • Eventing 6.0
        • Architecture
        • Analysis mode
    • Log Data Collection, Aggregation, and Analysis
      • Benefits of aggregation: scale, scope, independent validation, efficiency
      • Known weaknesses and mitigations
      • Evaluating a comprehensive log aggregation platform
  • ELK Stack and the SOF-ELK Platform
    • Basics and pros/cons of the ELK stack
    • SOF-ELK
      • Inputs
      • Log-centric dashboards
  • NetFlow Collection and Analysis
    • Origins and evolution
    • NetFlow v5 and v9 protocols
    • Architectural components
    • NetFlow artifacts useful for examining encrypted traffic
  • Open-Source Flow Tools
    • Using open-source tool sets to examine NetFlow data
      • SiLK
      • nfcapd, nfpcapd, and nfdump
      • SOF-ELK: NetFlow ingestion and dashboards
  • File Transfer Protocol (FTP)
    • History and current use
    • Shortcomings in today's networks
    • Capture and analysis
  • Microsoft Protocols
    • Architecture and capture positioning
    • Exchange/Outlook
    • SMB v1, v2, and v3
    • SharePoint and internal web sites
  • Simple Mail Transfer Protocol (SMTP)
    • Lifecycle of an email message
    • Adaptations and extensions
  • Commercial Network Forensics
    • Trade-offs between commercial and open-source solutions
    • Common commercial platforms that you may encounter
    • Using existing platforms and tools in a client environment
  • Wireless Network Forensics
    • Translating analysis of wired networks to the wireless domain
    • Device modes of operation
    • Capture methodologies: hardware and software
    • Useful protocol fields
    • Inherent weaknesses
    • Typical attack methodologies based on protection mechanisms
  • Automated Tools and Libraries
    • Common tools that can facilitate large-scale analysis and repeatable workflows
    • Libraries that can be linked to custom tools and solutions
    • Chaining tools together effectively
  • Full-Packet Hunting with Moloch
    • Moloch basics and architecture
    • Limitations in practical use
    • Session awareness, filtering, typical forensic use cases
  • Encoding, Encryption, and SSL
    • Encoding algorithms
    • Encryption algorithms
      • Symmetric
      • Asymmetric
    • Profiling SSL connections using useful negotiation fields
    • Analytic mitigation
    • Perfect forward secrecy
  • Man-in-the-Middle
    • Methods to accomplish
    • Benevolent uses
    • Common MITM tools
  • Network Protocol Reverse Engineering
    • Using known protocol fields to dissect unknown underlying protocols
    • Pattern recognition for common encoding algorithms
    • Addressing undocumented binary protocols
    • What to do after breaking the protocol
  • Investigation OPSEC and Threat Intel
    • Operational Security
      • Basic analysis can tip off attackers
      • How to mitigate risk without compromising quality
    • Intelligence
      • Plan to share smartly
      • Protect intelligence to mitigate risks
  • Network Forensic Case
    • Analysis using only network-based evidence
      • Determine the original source of an advanced attacker's compromise
      • Identify the attacker's actions while in the victim's environment
      • Confirm what data the attacker stole from the victim
    • Reporting
      • Present executive-level summaries of your findings at the end of the day-long lab
      • Document and provide low-level technical backup for findings
      • Establish and present a timeline of the attacker's activities
      • Time permitting, provide recommendations on how the victim can prevent, detect, or mitigate a repeat compromise by the same or another similarly advanced attacker
To register, please deposit the fee for the desired course or courses into account number 2177395039000 at Bank Melli, Babolsar central branch, in the name of the Deputy for Research and Technology of the University of Mazandaran. Then complete the form below and upload a scan of the deposit receipt in the designated field, or deliver it in person to the central office, located in the APA Specialized Center building.