Network Forensics

IPv6
This module covers IPv6 architecture, addressing schemes, routing protocols, and packet header structures. Students learn forensic techniques for identifying and analyzing IPv6 traffic, detecting protocol-specific vulnerabilities, and investigating security incidents involving transition mechanisms like NAT64 and 6to4 tunneling. The module includes case studies of real-world IPv6 incidents and investigation methodologies.
 

Advanced Wireshark
Students master Wireshark's advanced capabilities for deep packet inspection and traffic analysis. The module covers creation of sophisticated custom filters for targeted investigations, techniques for decrypting and analyzing encrypted traffic and tunneling protocols, and generation of comprehensive forensic reports. Students learn to efficiently navigate large capture files and extract relevant evidence from complex network traffic.
 

Advanced Networking
This module explores complex network architectures including VLANs, OSPF, EIGRP, and other enterprise routing protocols. Students learn to analyze network topology for potential vulnerabilities and trace security incidents through layered network infrastructure. The module emphasizes understanding how advanced networking concepts impact forensic investigations and evidence collection in enterprise environments.
 

HTTPS
Students learn the structure and challenges of investigating encrypted web traffic. The module covers legitimate decryption techniques for forensic analysis, SSL/TLS session examination using tools like SSL Labs and Wireshark, and methods for detecting and investigating attacks such as man-in-the-middle and SSL stripping. Students develop skills to analyze certificate chains and identify anomalies in secure communications.
 

Wi-Fi
This module covers the 802.11 protocol family and wireless network communication fundamentals. Students learn techniques for capturing and analyzing wireless traffic, investigating WPA3, WPA2, and legacy WEP networks for security breaches, and identifying rogue access points and evil twin attacks. The module emphasizes practical wireless forensics in both corporate and public WiFi environments.
 

TShark
Students master TShark's command-line interface for efficient packet capture and analysis. The module covers advanced filtering techniques, development of scripts to automate forensic workflows, and parsing of network traffic to identify patterns indicative of malicious activity. Students learn to integrate TShark into larger forensic toolchains and perform batch analysis of multiple capture files.
 

Packet Crafting
This module teaches the fundamentals of custom packet creation and manipulation using tools like Scapy and Hping3. Students learn to craft packets for network defense testing and security assessment, probe network security measures, and develop skills to detect and analyze maliciously crafted packets during forensic investigations. The module emphasizes both offensive security testing and defensive forensic analysis perspectives.
 

Email Analysis
Students learn to dissect email structure including headers, body content, and metadata for forensic investigations. The module covers techniques for identifying phishing attempts and spoofed emails, tracking email origins through header analysis, and safely extracting and analyzing artifacts from email attachments. Students develop proficiency in uncovering evidence of email-based attacks and tracing communication patterns.
 

Routers
This module examines the critical role of routers in network traffic flow and evidence collection. Students learn to capture and analyze router logs for forensic evidence, investigate traffic redirection attacks including DNS hijacking and BGP attacks, and examine router configurations for security flaws and indicators of compromise. The module emphasizes extraction of routing tables, access control lists, and network flow data.
 

Suricata
Students learn Suricata's architecture, capabilities, and deployment for network intrusion detection. The module covers installation and configuration of Suricata in monitoring environments, development of custom detection rules for specific threat scenarios, and analysis of Suricata alert logs to uncover forensic evidence. Students gain proficiency in tuning rule sets and correlating IDS alerts with network traffic captures.
 

Cisco
This module focuses on forensic examination of Cisco networking equipment including routers and switches. Students learn to extract configuration data, system logs, and traffic captures from Cisco devices, trace potential security breaches through device configurations, and identify misconfigurations that may indicate compromise. The module covers Cisco-specific logging mechanisms, SNMP data collection, and configuration analysis techniques.
 

Cloud Security
Students learn to conduct network forensics in cloud environments including AWS, Azure, and Google Cloud Platform. The module covers cloud-specific traffic analysis techniques, investigation of virtual network configurations, extraction of cloud service logs, and correlation of evidence across hybrid cloud and on-premises infrastructure. Students develop skills to navigate cloud provider logging mechanisms and analyze software-defined network traffic.
 

DarkNet
This module explores the architecture of DarkNet networks including Tor and I2P, covering their anonymization mechanisms and forensic challenges. Students learn techniques for monitoring and analyzing DarkNet activity, tracing hidden services, and investigating illegal operations conducted through anonymized networks. The module includes case studies of real-world cybercrime investigations involving DarkNet marketplaces and communication channels.
 

Network Attacks
Students study common network attacks including DoS/DDoS, ARP spoofing, and man-in-the-middle attacks. The module covers advanced traffic analysis methods for identifying attack signatures, conducting thorough forensic investigations of network-based attacks, and developing mitigation strategies. Students learn to reconstruct attack timelines, identify attacker infrastructure, and collect evidence suitable for incident response and legal proceedings.