
Network Forensics, Black Hat Asia Edition

LMG Security | March 24-25


Forensic investigators must be savvy enough to find, preserve and extract network-based evidence. Network Forensics will give you hands-on experience analyzing network transactions, identifying covert tunnels, reconstructing and carving files from packet captures, and correlating the evidence to build a solid case.

Network Forensics will teach you how to follow the attacker's footprints and analyze evidence from the network environment. Every student will receive a fully-loaded, virtual forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Who Should Take this Course

  • Information security professionals with some background in hacker exploits, penetration testing, and incident response.
  • Incident Response Team Members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases.
  • Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.
  • Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics.
  • Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations.
  • Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case, or to investigate individuals who are considered technically savvy.

Student Requirements

Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

What Students Should Bring

Students must bring a laptop with at least 2GB of RAM, a DVD drive, a USB port, and the latest version of VMware Workstation or Player pre-installed and licensed (evaluation licenses are available from VMware's web site).

What Students Will Be Provided With

  • Lab workbook.
  • Textbook, "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012).
  • DVD/USBs containing lab exercises.


Jonathan Ham specializes in large-scale enterprise security issues, from policy and procedure, to scalable prevention, detection, and response techniques. He's been commissioned to teach NCIS investigators how to use Snort, performed packet analysis from a facility more than 2000 feet underground, taught intrusion analysis to the NSA, and chartered and trained the CIRT for one of the largest U.S. civilian Federal agencies. Jonathan has helped his clients achieve greater success for over 15 years. He is a Certified Instructor with the SANS Institute, and the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012).