Host Based Network Forensic Analysis

40 Hours / 5-Day

The Spyder Forensic Advanced Host Based Network Forensic Analysis course will give participants unbiased knowledge and skills necessary to analyze artifacts left behind as the result of network intrusion activities, utilizing standard tools and open-source applications to explore the data in greater depth by learning how applications function and store data on the systems during network intrusion.


Course Description

Attendees will learn to use various applications and utilities to successfully identify, process, understand, and document numerous forensic artifacts that are vitally important to network intrusion forensic investigations. The participants will also gain knowledge on the steps and processes that a hacker utilizes to compromise a network, learn how to capture, and analyze the network traffic, triage live systems and analyze memory captures to locate potential malware and threats artifacts, locate and analyze windows artifacts to reveal additional information relevant for the network intrusion investigation.

InquireRegister for an upcoming class

Introduction to Networking Concepts

  • Overview of networking concepts
  • Overview of networking equipment and their functionalities
  • Overview of VPNs and Proxy Servers
  • Overview of Network Diagrams
  • Network log files
  • Network security essentials and importance
  • Overview of different types of firewalls
  • Overview of Enterprise level network topology and tasks
  • Data available within enterprise network environments

Overview of Network Intrusion Investigations

  • Planning an Investigation
  • Preparing for a Network Intrusion
  • Onsite Data Gathering
  • Handling Evidence

    Capturing and Analyzing Network Traffic

    • Capture and analyze packet data
    • Set up network taps
    • Use tcpdump and Wireshark
    • Analyze packet data
    • Identify evidence of data exfiltration
    • Identify and analyze C2 traffic in a network capture

    Memory Capture and Analysis

    • Memory Theory for forensics and IR
    • Memory capture as part of IR
    • Intro to triage involving memory capture
    • RAM triage using BE
    • Theory on IR/malware analysis
    • RAM analysis
    • Malware hunt and extraction

    Windows Evidence Analysis

    • Analyze Windows Event Logs
    • Build and analyze the Windows Timeline
    • Analyze Windows artifacts to locate malware persistence locations
    • Identify and analyze malicious Windows processes
    • Analyze the artifacts generated by the Windows Subsystem for Linux


    This hands-on course is geared towards forensic investigators with 6+ months experience in forensic case work with a basic understanding of Microsoft data structures.

    To gain the maximum benefit from this course, you should meet or exceed the following requirements:

    • Read and understand the English language
    • Have attended basic digital forensic training
    • Have previous investigative experience in forensic case work
    • Be familiar with the Microsoft Windows environment and data recovery concepts

    Request the Syllabus

    Contact Spyder Forensics for more details of the course.

    Hosting Courses

    If you are interested in hosting this, or any of our courses at your facility, contact us.

    Ready to get started?