On This Page

Network Forensics: Continuous Monitoring and Instrumentation

LMG Security | July 30-August 2


An employee clicks on a link in a phishing email. A worm propagates through your network, undetected. A keystroke logger listens quietly, exporting passwords once a week. How can you make sure you're not the next organization in the papers? Better firewall rules? A newer generation IDS? Faster updating for A/V signatures? We all know none of these is the right solution by itself. The future of defense is practical network monitoring and forensics.

From the author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012) comes Network Forensics: Continuous Monitoring and Instrumentation. This fast-paced, intensive class includes traffic and flow record analysis, cloud-based network forensics, next-generation firewall, DLP and SIEM analysis, wireless and mobile network forensics, and malware network behavior analysis all packed into a dense 4 days, with hands-on technical labs throughout the class.

Catch an intellectual property theft in action based on flow record analysis alone then, peek inside the packet capture and carve out the sensitive proprietary data. Analyze a real-world cloud-based attack and track down the source of stolen administrator credentials. Correlate evidence from a DLP solution, firewall, and domain controller, and use it to find a malicious insider engaged in database exfiltration. Detect an APT using scalable network forensics correlation techniques, and trace the attack back to the first infected "patient zero" on your network.

This class is newly updated to include scalable network monitoring architectures, large-scale analysis techniques, strategies for centralizing network-based evidence using SIEM systems, and automatic correlation of many network- and endpoint-based evidence sources.

Forensic investigators must be savvy enough to find network-based evidence, preserve it and extract the evidence in a scalable way. Network Forensics will teach you to how to follow the attacker's footprints and efficiently analyze evidence from the network environment. Every student will receive a fully-loaded, bootable forensics workstation, designed by network forensics experts and distributed exclusively to Network Forensics students.

This class is for advanced students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

Who Should Take this Course

  • Information security professionals with some background in hacker exploits, penetration testing, and incident response
  • Incident Response Team Members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases
  • Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.
  • Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics
  • Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations
  • Anyone with a firm technical background who might be asked to investigate a data breach incident, intrusion case, or investigates individuals that are considered technical savvy

Student Requirements

Students must have basic familiarity with the Linux/UNIX command-line, TCP/IP, and networking concepts and terminology.

What Students Should Bring

Students must bring a laptop with at least 4GB of RAM, a DVD drive, a USB port, and the latest version of VMWare Workstation or Player preinstalled and licensed (evaluation licenses are available from VMWare's web site).

What Students Will Be Provided With

  • Lab workbook
  • Textbook, "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012).
  • DVD/USBs containing lab exercises


Sherri Davidoff is the CEO of LMG Security and the co-author of "Network Forensics: Tracking Hackers Through Cyberspace" (Prentice Hall, 2012). She has fifteen years of experience as a cyber security professional, specializing in digital forensics, penetration testing and security awareness training. Sherri has authored courses for the SANS Institute and Black Hat, and conducted onsite security training for the Department of Defense, Google, Comcast, Los Alamos National Laboratories, and many other organizations. She is a faculty member at the Pacific Coast Banking School and adjunct faculty at the University of Montana, where she teaches cybersecurity classes. Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.