Course Description
Network Forensics and Investigation I teaches students to differentiate between normal and abnormal
network traffic, understand how packets flow through a network, and attribute conversations and actions
taken over a network segment to specific hosts or users. This course focuses on research, filtering, and
comparative analysis to identify and attribute different types of activity. Students will learn to follow
conversations across a wide range of protocols and through redirection, as well as how to develop custom filters for non-dissected protocols.
Learning Objectives
Successful completion of this course will enable students to:
- Create a baseline of the protocols, hosts, and interactions in a network environment
- Reconstruct event timelines and accurately correlate, or distinguish between, event threads
- Identify and extract network artifacts for further forensic analysis
- Compare observed network traffic to expected topology
- Research and analyze unknown (non-dissected) protocols
- Track web activity at the user or session level via HTTP header analytics
Identify anomalous network traffic using a combination of in-depth packet analysis and higher-level statistical analysis