SANS: Lethal Network Forensics

  • Sunday, February 23, 2014 | 9:00 AM – 5:00 PM | West | Room: 3006

  • Monday, February 24, 2014 | 9:00 AM – 5:00 PM | West | Room: 3006

View all Sessions

LETHAL NETWORK FORENSICS focuses on expanding your forensic mindset to include transient communications that occurred in the past or continue to occur. Even if the most skilled remote attacker compromised a system with an undetectable exploit, the system still had to communicate over the network. Without command-and-control and data extraction channels, the value of a compromised computer system drops to almost zero. Whether your threats include nation-state actors, insider threats, script kiddies, or other online miscreants, the knowledge acquired in this course ensure you are prepared to face such dynamic adversaries in a rapidly changing environment.

This course provides you with the skill set necessary to investigate a compromised network environment or design solutions for an existing environment that will minimize the time and cost necessary to investigate a potential compromise in the future. We use hands-on exercises derived from real-world attacks to ensure you are prepared to address the threats that every Internet-facing network faces daily. Because the ephemeral nature of network-based data means that raw packet captures are not always available for analysis, we also discuss how to glean insight into past network activities from the variety of log data created by various infrastructure devices that operate on a typical network.

The material covers low-level packet capture approaches and techniques to use high-level data for scoping a compromise, identifying attack traffic, and routing out network-based data theft. Students use a wide range of tools, including tcpdump, Wireshark, nfdump, Logstash, hex editors, visualization tools, and more.

Students receive the Linux-based SIFT Workstation, with over 500 digital forensics and incident response tools prebuilt into the environment, including network forensic tools added just for this course. Using only open-source tools, we show how you can effectively conduct network investigations covering a wide range of attack profiles.

Laptop Requirements

Your host system can use any 64-bit version of Windows, MAC OSX, or Linux as your core operating system that also can install and run VMware virtualization products.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this this article from Apple to determine 64-bit capability.

Please download and install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.


CPU: 64-bit Intel x64 2.0+ GHz processor or higher based system is mandatory for this class(Important - Please Read: a 64 bit system processor is mandatory)
RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 6 GB of RAM or higher to get the most out of the course)
Host Operating System: Any version of Windows or MAC OSX that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player
Networking: Wireless 802.11 B, G, or N
• DVD/CD Combo Drive
• USB 2.0 or higher Port(s)
• 200 Gigabyte Host System Hard Drive minimum
• ~80 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)
• The student should have the capability to have Local Administrator Access within their host operating system

MANDATORY FOR572 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

1. Install VMware Workstation 8, VMware Fusion 5.0, or VMware Player 5.0 (higher versions are ok)
2. Download and install 7 Zip
If you have additional questions about the laptop specifications, please contact


This document was retrieved from on Mon, 22 Jul 2019 05:55:27 -0400.