Certified Network Forensics Examiner

The Certified Network Forensics Examiner 5 day instructor-led course was created when a U.S. Government Agency contracted us to train their team on advanced forensics in computer networks. The C)NFE will take your digital forensic skill set to the next level by navigating through over twenty modules of network forensic topics and providing you with hands-on, practical experience through our lab exercises that walk you through real-world situations that are solved with investigation and recovery of data in networks.

With the skill set of a C)NFE, students can understand exactly what is going on in a network to ensure its proper use by those intrusted with access. Every organization can benefit by employing a C)NFE to audit their network; everyone deserves to know how their resources are being used.

Upon Completion

Students will:

• Have knowledge to perform network forensic examinations.
• Have knowledge to accurately report on their findings from examinations
• Be ready to sit for the C)NFE Exam

Comprised of 20 modules and 9 labs. The C)NFE will enhance your digital forensic competence by adding more advanced network forensics expertise and experience through discussions and practice.

Exam Information

The Certified Network Forensics Examiner certification exam is taken online through Mile2`s Assessment and Certification System (MACS), which is accessible on your mile2.com account. The exam will take 2 hours and consist of 100 multiple choice questions. The cost is $300 USD and must be purchased from the store on Mile2.com.

Mile2 is Accredited by the NSA-CNSS, Approved on Homelands Security NICCS Framework, and is on the FBI’s Tier 1-3 Certification Training Chart.

Modules:

1: Digital Evidence Concepts

• Overview
• Concepts in Digital Evidence
• Section Summary
• Summary

2: Network Evidence Challenges

• Overview
• Challenges Relating to Network Evidence
• Section Summary
• Summary

3: Network Forensics Investigative Methodology

• Overview
• OSCAR Methodology
• Section Summary
• Summary

4: Network-Based Evidence

• Overview
• Sources of Network-Based Evidence
• Section Summary
• Summary

5: Network Principles

• Background
• History
• Functionality
• FIGURE 5-1 The OSI Model
• Functionality
• Encapsulation/De-encapsulation
• FIGURE 5-2 OSI Model Encapsulation
• Encapsulation/De-encapsulation
• FIGURE 5-3 OSI Model peer layer logical channels
• Encapsulation/De-encapsulation
• FIGURE 5-4 OSI Model data names
• Section Summary
• Summary

6: Internet Protocol Suite

• Overview
• Internet Protocol Suite
• Section Summary
• Summary

7: Physical Interception

• Physical Interception
• Section Summary
• Summary

8: Traffic Acquisition Software

• Agenda
• Libpcap and WinPcap
• LIBPCAP
• WINPCAP
• Section Summary
• BPF Language
• Section Summary
• TCPDUMP
• Section Summary
• WIRESHARK
• Section Summary
• TSHARK
• Section Summary
• Summary

9: Live Acquisition

• Agenda
• Common Interfaces
• Section Summary
• Inspection Without Access
• Section Summary
• Strategy
• Section Summary
• Summary

10: Analysis

• Agenda
• Protocol Analysis
• Section Summary
• Section 02
• Packet Analysis
• Section Summary
• Section 03
• Flow Analysis
• Protocol Analysis
• Section Summary
• Section 04
• Higher-Layer Traffic Analysis
• Section Summary
• Summary

11: Layer 2 Protocol

• Agenda
• The IEEE Layer 2 Protocol Series
• Section Summary
• Summary

12: Wireless Access Points

• Agenda
• Wireless Access Points (WAPs)
• Section Summary
• Summary

13: Wireless Capture Traffic and Analysis

• Agenda
• Wireless Traffic Capture and Analysis
• Section Summary
• Summary

14: Wireless Attacks

• Agenda
• Common Attacks
• Section Summary
• Summary

15: NIDS_Snort

• Agenda
• Investigating NIDS/NIPS
• and Functionality
• Section Summary
• NIDS/NIPS Evidence Acquisition
• Section Summary
• Comprehensive Packet Logging
• Section Summary
• Snort
• Section Summary
• Summary

16: Centralized Logging and Syslog

• Agenda
• Sources of Logs
• Section Summary
• Network Log Architecture
• Section Summary
• Collecting and Analyzing Evidence
• Section Summary
• Summary

17: Investigating Network Devices

• Agenda
• Storage Media
• Section Summary
• Switches
• Section Summary
• Routers
• Section Summary
• Firewalls
• Section Summary
• Summary

18: Web Proxies and Encryption

• Agenda
• Web Proxy Functionality
• Section Summary
• Web Proxy Evidence
• Section Summary
• Web Proxy Analysis
• Section Summary
• Encrypted Web Traffic
• Section Summary
• Summary

19: Network Tunneling

• Agenda
• Tunneling for Functionality
• Section Summary
• Tunneling for Confidentiality
• Section Summary
• Covert Tunneling
• Section Summary
• Summary

20: Malware Forensics

• Trends in Malware Evolution
• Section Summary
• Summary

Labs:

1: Working with captured files

• Exercise 1: HTTP.pcap
• Exercise 2: SMB.pcap
• Exercise 3: SIP_RTP.pcap

The rest of this lab's information is proprietary

2: Layer 2 Attacks & Active Evidence Acquisition

• Exercise 1: Analyze the capture of macof.
• Exercise 2: Manipulating the STP root bridge election process
• Exercise 3: Acquiring Evidence
• Exercise 4: Understanding Evidence

The rest of this lab's information is proprietary

3: Preparing for Packet Inspection

• Working with Packet Inspection tools

The rest of this lab's information is proprietary

4: Analyzing Packet Captures

• Exercise 1: Analyze TKIP and CCMP Frames starting from 4-Way Handshake process

The rest of this lab's information is proprietary

5: Case Study: ABC Real Estate

• Scenario Introduction
• Digital Forensic Exercises

The rest of this lab's information is proprietary

6: NIDS/NIPS

• Exercise 1: Use Snort as Packet Sniffer
• Exercise 2: Use Snort as a packet logger
• Exercise 3: Check Snort`s IDS abilities with pre-captured attack pattern files

The rest of this lab's information is proprietary

7: Syslog Exercise

• Using the Syslog in a forensic investigation on a network.

The rest of this lab's information is proprietary

8: Network Device Log

• Accessing the Network Device Log
• Understanding the Network Device Log

The rest of this lab's information is proprietary

9: SSL

• Exercise 1: Decrypting SSL Traffic by using a given Certificate Private Key
• Exercise 2: SSL and Friendly Man-in-the-middle

The rest of this lab's information is proprietary

• C)DFE: Digital Forensics Examiner
• OR Equivalent Experience

The C)NFE course is a Network forensics course teaches people how to perform forensic investigations on networks. We advise that students have a knowledge and skill set of digital forensics equivalent to our C)DFE: Digital Forensics Examiner course. This is the advanced course in our forensics track. Feel free to contact us if you have any questions about this course or how we can accomidate your training needs.

• Forensic Auditors
• IT Auditors
• Law Enforcement
• IT Professionals