Wireshark 2 LE – Next Generation Protocols and Advanced Network Analysis Using Wireshark (Law Enforcement)

Audience

This course is designed for Law Enforcement personnel that need to develop a set of packet investigation techniques through study of the Next Generation networking Protocols using Wireshark and other Open-Source Analysis tools. Successful completion of this course will provide these individuals with a path-way into the field of both Network and Forensics Analysis.

Recommended Prerequisites:

Completion of Wireshark 1 or equivalent networking and Wireshark experience

Description

Advanced Network Analysis and Network Forensics encompasses the skills of not only capturing data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigate and analysis techniques focusing on the use of vendor-neutral, Open-Source Tools such as Wireshark to provide insight into the following areas:

Specialized and advanced packet capture techniques
Recognition, analysis and threat recognition for a many of the next generation user protocol issues including IPv4/v6/v10, DHCPv4/v6, SCTP, DNS/DNSSec/MDNS, ICMP (v4 /v6), Email Protocols (POP / SMTP / IMAP), File Transfer Protocols (FTP/TFTP/FIX/File Sharing) and common Internet based User Protocols (HTTP, VoIP, IRC, IM)
Specialized Analysis techniques including suspicious data traffic reconstruction and viewing

Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field proven, practical analysis skills. Attendees will receive a student guide including numerous reference files and networking and forensics tools, as well as a library of reference documents.

What You'll learn

I. Introduction to Advanced Network Analysis

Logistics
Network analysis challenges – Nomenclature, Terminology and the Next Generation Protocols

II. Collecting the Data – Data Capture

History of the OSI Reference Model
- Data Collection
  - Configuring Wireshark 2.0
    - New features to enhance capture – USBPcap / Androiddump
    - Using capture filters to capture specific suspect traffic
- Stealth / Silent Collection of Data – Tips & Techniques
- WiFi Device Analysis using AirPcap Control Panel
  - New Wireless Toolbar and WiFi features – WEP / WPA / WPA2 Decryption
  - Bluetooth capture features
- Location – How Network Infrastructure Devices Affect Network Analysis
  - Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU

III. Network Analysis Methodology

Analyzing the 3 Different Network Communication Architectures
- Client / Server
- Peer-to-Peer
- Terminal Host
Analyzing Conversations and Activities
- Analyzing Conversations and Activities Using the new Expert Systems to Determine Unusual Activity
  - Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to recognize and analyze suspicious user traffic
A Sample Law Enforcement Network Forensics Analysis Methodology
- 6 Steps for Law Enforcement based Network Analysis of suspicious traffic
  - Answering the key incident questions
  - A Sample Network Forensics Analysis Methodology
Diagraming Conversations – A Picture is worth 1024 Words
- Related Packet and Intelligent Scrollbar features

IV. Analysis of Network Applications and User Traffic

The Networking Protocols
What’s Normal vs. Abnormal – The Role of Baseline Files
Building a Baseline Library – Where Do I go to Find Samples?
Forensics Analysis of an Intrusion
Scouting out the Target – Network Reconnaissance and Scanning Tools
Recognizing Scanning Signatures – NMAP / Retina / Nessus, etc..
Before and after IPv6 – New Protocols and New Functions
- Configuration Protocols
  - Structure and Analysis of DHCPv4 / DHCPv6
Resolving Addresses – DNS / DNSSec / MDNS / LMNR
- Structure and Analysis of DNS / DNSSec / MDNS / LMNR
- Common DNS Exploits, Attacks and Examples of Intrusion Signatures
The Network Layer – IPv4 / IPv6
- Structure and Analysis of IPv4 IPv6
- IP Options – What’s the Big Deal?
- Common IP Exploits and Examples of Intrusion Signatures
Utility and Troubleshooting Protocols – Internet Control Message Protocol (ICMPv4 / ICMPv6)
- Structure and Analysis of ICMPv4 vs. ICMPv6
  Network Analysis Using the ICMP Analysis – Types and Codes iii. Common ICMP Exploits and Examples of Intrusion Signatures
The Transport Layer – Moving the Data – TCP / UDP / SCTP
- Structure and Advanced Analysis of TCP
- TCP Options – What’s the Big Deal?
- Advanced TCP Analysis Using Expert Systems
- Structure and Advanced Analysis of UDP
- Structure and Analysis of the new STCP
- Common Transport Layer Exploits and Examples of Intrusion Signatures
The Application Layer – Analyzing Common User Protocols
- Email Applications Using POP / SMTP / IMAP
  - Structure and Analysis of the Email Cloud
  - Assembling and evaluating Email traffic
- Web-Based Applications Using HTTP / HTTP2
  - Structure and Analysis of HTTP / HTTPS – Decrypting SSL
  - Response Codes – The answer to analyzing HTTP and the new HTTP2
  - Reassembling and Exporting of Objects
- Financial Interexchange Protocol (FIX)
  - Structure and Analysis of FIX
- Instant Messenger (IM) Applications
  - Structure and analysis of Messaging Protocols

V. Where do we go from Here?

Wireshark 0LE – TCP/IP Networking Fundamentals Using Wireshark
Wireshark 1 – TCP/IP Network Analysis
Wireshark 2LE – Advanced Network &Security Analysis
Wireshark 3LE – Network Forensics Analysis
Wireshark 4LE – Mobile Device Forensics Analysis
Wireshark 5 – Cloud & Internet of Things (IoT) Technology & Advanced Network Analysis
Wireshark 6 – VoIP Technology & Advanced Network Analysis
Wireshark 7 – WiFi Technology & Advanced Network Analysis
Wireshark 8 – SCADA & ICS Technology & Advanced Network Analysis

Format

5 days Classroom Instruction

Start/End Times

08:30-16:30

Recommended Class Size

5-12

Language

English