Incident Response and Network Forensics Training

ENO Security offers this hands-on Incident Response and Network Forensics Training course that covers the essential information you need to know in order to properly detect, contain and mitigate security incidents.

Security incidents are a way of life in the modern world, and how organizations respond to them makes a massive difference in how much damage is ultimately done. In this 5-day Incident Response and Network Forensics Training course, you learn the ins and outs of incident response, as well as the tools of the trade used by incident responders on a daily basis.

This Incident Response and Network Forensics Training course from ENO Security helps you fully understand how systems are compromised and what traces are left behind by attackers on the network, on disk, and in volatile memory. The course addresses cutting-edge attack vectors as well as tried-and-true methods of compromise. You leave the 5-day course with the knowledge of how to prevent incidents and the skills to respond to a security incident if one does happen.

Duration: 5 days

  • We can adapt this Incident Response and Network Forensics Training course to your group’s background and work requirements at little to no added cost.
  • If you are familiar with some aspects of this Incident Response and Network Forensics Training course, we can omit or shorten their discussion.
  • We can adjust the emphasis placed on the various topics or build the Incident Response and Network Forensics Training Course around the mix of technologies of interest to you (including technologies other than those included in this outline).
  • If your background is nontechnical, we can exclude the more technical topics, include the topics that may be of special interest to you (e.g., as a manager or policy-maker), and present the Incident Response and Network Forensics Training course in a manner understandable to lay audiences.

The target audience for this Incident Response and Network Forensics course:

  • Incident responders needing to quickly address system security breaches
  • Threat operations analysts seeking a better understanding of network based malware and attacks
  • Forensic investigators who need to identify malicious network attacks
  • Those individuals who want to learn what malicious network activity looks like and how to identify it

The knowledge and skills that a learner must have before attending this Incident Response and Network Forensics course are:

  • One or more years of experience in incident handling or equivalent information security experience is recommended.

Incident Response and Network Forensics Training - OBJECTIVES

Upon completing this Incident Response and Network Forensics course, learners will be able to explain and apply the following:

  • The Incident Response Process
  • Event/Incident Detection
  • Sources of Network Evidence
  • TCP Reconstruction
  • Flow Analysis
  • Log Analysis
  • Firewall log Investigation
  • Log Aggregation
  • Network Artifact Discovery
  • DNS Forensics and Artifacts
  • NTP Forensics and Artifacts
  • HTTP Forensics and Artifacts
  • HTTPS and SSL Analysis
  • FTP and SSH Forensics
  • Email Protocol Artifacts
  • Wireless Network Forensics
Incident Response and Network Forensics Training - COURSE SYLLABUS
Day 1

  • Incident response planning fundamentals
  • Building an incident response kit
  • Incident response team components
  • IR toolkits and appropriate implementation
  • Threat Intelligence
  • Cyber Kill Chain
  • Agent-based IR

  • Indications of an incident
  • Triage
  • Critical first steps
  • Understanding chain of custody

  • Documentation
  • Written documentation and supporting media evidence
  • Identification methods
  • Isolation technical procedure best practices
  • Containment
  • Quarantine considerations for business continuity

  • Eradication testing and the QA role
  • Incremental backup compromise detection
  • Operating system rebuilds

  • Stakeholder identification in recovery process
  • Post incident heightened monitoring tasks
  • Special actions for specific incident types
  • Incident record keeping
  • Lessons learned

Constructing your live incident response toolkit

  • Trusted command shells – Windows/Linux
  • Remote shells
  • PsExec vs PowerShell
Day 2
Event/incident detection
  • Develop an incident response strategy and plan
  • Limit incident effect and repair incident damage
  • Perform real-time incident response tasks
  • Determine the risk of continuing operations
  • Spearphishing and APT attacks

Sources of network evidence

  • Three evidence collection modalities
  • Persistence checks
  • Sensors
  • Evidence acquisition
  • Forensically sound collection of images

TCP reconstruction

  • TCP session reconstruction
  • Payload reconstruction
  • Encapsulation methods
  • tcpdump/Wireshark
  • Working with pcap files
  • Wireshark filtering
  • Identify missing data
  • Identify sources of information and artifacts
  • Packet analysis
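
The mechanics behind Wireshark's "Follow TCP Stream" and behind spotting missing data, as an added example that is not part of the course material or ENO Security's own tooling: a minimal reader for the classic pcap format (as written by tcpdump; pcapng is not handled), followed by per-direction TCP payload reassembly that tolerates out-of-order and retransmitted segments and records sequence-number gaps where packets were lost or never captured. The capture bytes, addresses and HTTP payloads are constructed inline so the script runs offline.

```python
"""Added example: read a classic pcap, reassemble each TCP direction's payload,
and report sequence-number gaps (lost or un-captured segments).

The pcap is constructed in memory here so the script runs offline; in practice
the bytes come from open("capture.pcap", "rb").read()."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1


def build_segment(src, dst, sport, dport, seq, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero; not checked here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1709283600 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, payload) for every IPv4/TCP segment."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic %#x (only little-endian classic pcap)" % magic)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                       # not TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, seq, tcp[data_off:]


def reassemble(segments):
    """Return {(src, dst, sport, dport): (payload_bytes, gaps)} per direction.

    Segments are placed by sequence number, so out-of-order arrival is handled;
    retransmitted or overlapping bytes are dropped; a jump past the expected
    sequence number is recorded in gaps and zero-filled so later bytes keep
    their offset instead of silently closing up."""
    by_stream = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in segments:
        if payload:
            by_stream[(src, dst, sport, dport)].setdefault(seq, payload)
    result = {}
    for key, chunks in by_stream.items():
        data, gaps = b"", []
        expected = min(chunks)
        for seq in sorted(chunks):
            payload = chunks[seq]
            if seq > expected:
                gaps.append((expected, seq))
                data += b"\x00" * (seq - expected)
            elif seq < expected:
                payload = payload[expected - seq:]   # trim bytes already placed
                seq = expected
            data += payload
            expected = seq + len(payload)
        result[key] = (data, gaps)
    return result


def demo():
    """Constructed capture: out-of-order and retransmitted request segments,
    and a response with one segment that was never captured."""
    c, s = "10.0.0.5", "10.0.0.80"
    frames = [
        build_segment(c, s, 40000, 80, 1000, b"GET /index.html HTTP/1.0\r\n"),
        build_segment(c, s, 40000, 80, 1040, b"\r\n"),                    # arrives early
        build_segment(c, s, 40000, 80, 1026, b"Host: victim\r\n"),        # the middle piece
        build_segment(c, s, 40000, 80, 1000, b"GET /index.html HTTP/1.0\r\n"),  # retransmission
        build_segment(s, c, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n"),
        build_segment(s, c, 80, 40000, 5030, b"<html>"),                  # bytes 5017..5029 missing
    ]
    return reassemble(parse_pcap(build_pcap(frames)))


if __name__ == "__main__":
    for key, (payload, gaps) in demo().items():
        print(key, gaps, payload)
```

The zero-filled gap is the important design choice: an analyst who only concatenates captured payload would read the server response as contiguous and never notice that 13 bytes were never seen by the sensor, which is exactly the kind of missing-data artifact the course's "Identify missing data" item is about.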

Flow analysis

  • nfcapd and nfdump
  • nfsen
  • SiLK
  • Flow record export protocols
  • Network file carving
  • Encrypted flow analysis
  • Anomalous behavior analysis
  • Flow data points
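
Anomalous-behavior analysis on flow data, as an added example that is not part of the course material: a beacon hunt that groups flows by (source, destination, destination port) and flags groups whose inter-flow gaps are too regular to be a human. The records are constructed inline; the fields used (first-seen time, source, destination, destination port, bytes) are the ones you would export from tools such as `nfdump -o csv` or SiLK's `rwcut`. The thresholds are assumptions to be tuned per network.

```python
"""Added example: beacon hunting over flow records.

A compromised host that polls its C2 produces many flows to one destination
at a near-constant interval with near-constant size; normal browsing is bursty
and variable in size. Records are constructed here."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def constructed_flows():
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rows = []
    # implant check-in every 60 s with a couple of seconds of jitter, always the same size
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2]):
        rows.append((base + timedelta(seconds=60 * i + jitter), "10.1.2.33", "203.0.113.9", 443, 1180))
    # ordinary browsing from the same host: bursty timing, varied sizes
    browsing = [(0, 5400), (3, 12800), (4, 900), (250, 44100), (252, 3300),
                (600, 7700), (601, 21000), (602, 640), (1800, 9100), (1803, 35000)]
    for offset, size in browsing:
        rows.append((base + timedelta(seconds=offset), "10.1.2.33", "198.51.100.20", 443, size))
    return rows


def find_beacons(rows, min_flows=8, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps between consecutive flows; a low value means a fixed period even when
    the implant adds a little jitter. Thresholds are assumptions to tune per network."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in rows:
        groups[(src, dst, dport)].append((ts, nbytes))
    hits = []
    for key, flows in groups.items():
        if len(flows) < min_flows:
            continue
        flows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(flows, flows[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"key": key, "flows": len(flows), "period_s": round(mean, 1),
                         "cv": round(cv, 3), "distinct_sizes": len({n for _, n in flows})})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(constructed_flows()):
        print(hit)
```

Both groups here have enough flows to be evaluated; only the one with a 60-second period survives the coefficient-of-variation test, while the browsing session (gaps of 1 s to 20 min) is rejected. Flow data cannot tell you what the payload was, but period, volume and size consistency are the flow data points that justify pulling full packet capture for that destination.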


  • Snort
  • Snort rule configuration
  • Collect incident data and intrusion artifacts

Log analysis

  • Syslog server
  • Syslog protocol format
  • Event investigation
  • Microsoft event log
  • Event viewer
  • Modeling analysis formats
  • HTTP server logs
  • Apache vs IIS
  • Header analysis and attack reconstruction

Firewall log investigation

  • Log formats
  • iptables and packet flow
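
Syslog format and iptables log investigation together, as an added example that is not part of the course material: a parser for RFC 3164 syslog lines (PRI decoded into facility and severity, then timestamp, host, tag and message) and for the KEY=VALUE fields the kernel writes when a rule hits `-j LOG --log-prefix "IPT-DROP "`, followed by a check that groups dropped packets by source and flags sources that probed many distinct ports. The log lines, hostnames and addresses are constructed; the `min_ports` threshold is an assumption.

```python
"""Added example: parse RFC 3164 syslog lines carrying iptables LOG records
and pick out sources probing many ports. Log lines are constructed."""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
PREFIX_RE = re.compile(r"^(?:\[\s*[\d.]+\] )?(?P<prefix>.*?) ?IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_syslog(line):
    """Split the syslog envelope; decode PRI into facility and severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "ts": m["ts"],
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def parse_iptables(msg):
    """Turn an iptables LOG message into a dict; None if it is not one."""
    pm = PREFIX_RE.match(msg)
    if not pm:
        return None
    fields = dict(KV_RE.findall(msg))          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    fields["prefix"] = pm["prefix"].strip()    # the --log-prefix text, e.g. IPT-DROP
    fields["tcp_flags"] = sorted(tok for tok in msg.split() if tok in TCP_FLAGS)
    return fields


def port_scan_sources(lines, min_ports=5):
    """Sources whose dropped TCP/UDP packets hit at least min_ports distinct ports."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["tag"] != "kernel":
            continue
        ipt = parse_iptables(rec["msg"])
        if ipt is None or ipt.get("PROTO") not in ("TCP", "UDP"):
            continue
        targets[ipt["SRC"]].add((ipt["PROTO"], int(ipt["DPT"])))
    return {src: sorted(ports) for src, ports in targets.items() if len(ports) >= min_ports}


def drop_line(ts, src, dst, proto, spt, dpt, extra="SYN"):
    """Constructed kernel LOG line in the real field order (MAC shortened)."""
    return (f"<4>{ts} fw1 kernel: [8123.4567] IPT-DROP IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} SPT={spt} DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {extra} URGP=0")


CONSTRUCTED_LOG = [
    drop_line("Mar  1 09:12:01", "198.51.100.7", "192.0.2.10", "TCP", 54321, 21),
    drop_line("Mar  1 09:12:01", "198.51.100.7", "192.0.2.10", "TCP", 54322, 22),
    drop_line("Mar  1 09:12:02", "198.51.100.7", "192.0.2.10", "TCP", 54323, 23),
    drop_line("Mar  1 09:12:02", "198.51.100.7", "192.0.2.10", "TCP", 54324, 25),
    drop_line("Mar  1 09:12:03", "198.51.100.7", "192.0.2.10", "TCP", 54325, 80),
    drop_line("Mar  1 09:12:03", "198.51.100.7", "192.0.2.10", "TCP", 54326, 443),
    drop_line("Mar  1 09:12:40", "203.0.113.50", "192.0.2.10", "TCP", 61000, 445),
    drop_line("Mar  1 09:12:41", "203.0.113.50", "192.0.2.10", "TCP", 61001, 445),
    "<38>Mar  1 09:12:05 fw1 sshd[2201]: Accepted publickey for admin from 10.0.0.4 port 51522 ssh2",
]


if __name__ == "__main__":
    for src, ports in port_scan_sources(CONSTRUCTED_LOG).items():
        print(src, ports)
```

Two caveats worth carrying into real investigations: RFC 3164 timestamps carry no year and no timezone, so the year and the firewall's clock setting have to be established before these lines are placed on a timeline, and a DROP line only proves the packet reached the firewall, not that the source address is genuine (SYN scans are trivially spoofable).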

Log aggregation

  • SIEM tools
  • Splunk architecture
Day 3
Triage & analysis
  • Categorizing events
  • Developing standard category definitions
  • Perform correlation analysis on event reports
  • Event affinity
  • Prioritize events
  • Determining scope, urgency, and potential impact
  • Assign events for further analysis, response, or disposition/closure
  • Determine cause and symptoms of the incident

Network artifact discovery

  • Network forensics with Xplico

DNS forensics and artifacts

  • DNS tunneling
  • Fast flux forensics
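
Detection logic for both items above, DNS tunneling and fast flux, as an added example that is not part of the course material: tunnels show up as many queries for unique, long, high-entropy subdomains of one zone (each chunk of exfiltrated data must be a new name, or the resolver cache would answer it), and fast-flux hosting shows up as one name resolving to many different addresses with short TTLs. The records are constructed; the fields (time, client, name, type, answer, TTL) are what a passive DNS sensor or resolver query/response log provides. Treating the last two labels as the controlled zone is an assumption that a real tool should replace with a public-suffix list, and the thresholds are assumptions to tune.

```python
"""Added example: spot DNS tunnelling and fast-flux candidates in a DNS log.
Records are constructed (timestamp, client, qname, qtype, answer IP, TTL)."""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character; 0 for "www", above 4 for base32/hex-encoded data."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def split_zone(qname):
    """Assumption: the last two labels are the attacker-controlled zone."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def tunnel_candidates(records, min_queries=10, min_unique_ratio=0.8, min_entropy=3.5, min_len=30):
    """Zones with many queries for unique, long, high-entropy subdomains."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": [], "length": [], "txt_null": 0})
    for _ts, _client, qname, qtype, _answer, _ttl in records:
        zone, sub = split_zone(qname)
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["entropy"].append(shannon_entropy(sub))
        z["length"].append(len(sub))
        z["txt_null"] += qtype in ("TXT", "NULL")     # record types favoured by tunnels
    hits = {}
    for zone, z in zones.items():
        if z["queries"] < min_queries:
            continue
        ratio = len(z["subdomains"]) / z["queries"]
        avg_entropy = sum(z["entropy"]) / z["queries"]
        avg_len = sum(z["length"]) / z["queries"]
        if ratio >= min_unique_ratio and avg_entropy >= min_entropy and avg_len >= min_len:
            hits[zone] = {"queries": z["queries"], "unique_ratio": round(ratio, 2),
                          "avg_entropy": round(avg_entropy, 2), "txt_null": z["txt_null"]}
    return hits


def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Names whose A answers keep changing across many IPs with short TTLs."""
    seen = defaultdict(set)
    for _ts, _client, qname, qtype, answer, ttl in records:
        if qtype == "A" and answer and ttl <= max_ttl:
            seen[qname.lower()].add(answer)
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) >= min_ips}


def constructed_records():
    recs = []
    # tunnel: each query carries a fresh base32 chunk as the leftmost label
    for i in range(15):
        chunk = base64.b32encode(hashlib.sha256(b"constructed chunk %d" % i).digest()[:25]).decode().lower()
        recs.append((f"09:13:{i:02d}", "10.1.2.33", f"{chunk}.s7.cdn-sync.example", "TXT", None, 0))
    # fast flux: one hostname, a different short-lived A answer nearly every lookup
    for i, ip in enumerate(["203.0.113.4", "198.51.100.77", "192.0.2.150",
                            "203.0.113.91", "198.51.100.12", "203.0.113.4"]):
        recs.append((f"09:20:{i:02d}", "10.1.2.40", "login-secure.example", "A", ip, 120))
    # ordinary traffic: few names, long TTLs, stable answers
    for i in range(6):
        recs.append((f"09:30:{i:02d}", "10.1.2.51", "www.example.org", "A", "192.0.2.80", 600))
        recs.append((f"09:31:{i:02d}", "10.1.2.52", "mail.example.net", "A", "192.0.2.25", 3600))
    return recs


if __name__ == "__main__":
    recs = constructed_records()
    print("tunnel:", tunnel_candidates(recs))
    print("fast flux:", fast_flux_candidates(recs))
```

Content-delivery networks and cloud load balancers also rotate answers and use short TTLs, so the fast-flux output is a triage list, not a verdict; the same goes for high-entropy names generated by legitimate anti-virus or telemetry lookups, which is why the tunnel check requires all three properties (uniqueness, length and entropy) at once.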

NTP forensics and artifacts

  • Understanding NTP architecture
  • NTP analysis
  • NTP usage in timeline analysis and log monitoring
  • Protocol inspection

HTTP forensics and artifacts

  • Artifact discovery
  • Request/response architecture
  • HTTP field analysis
  • HTTP web services
  • AJAX
  • Web services

HTTPS and SSL analysis

  • Artifacts from the SSL/TLS handshake (negotiation) that are visible without decryption
  • Other non-HTTPS SSL/TLS traffic analysis

FTP and SSH forensics

  • Capture and inspection
  • SFTP considerations

Email protocol artifacts

  • SMTP vs POP vs IMAP artifacts
  • Adaptations and extensions
  • Microsoft Protocols
  • Architecture and capture
  • Exchange considerations
  • SMB considerations
  • Cloud email forensics

Wireless network forensics

  • Wireless monitoring and capture methodologies
  • Understanding Wi-Fi common attacks
  • WEP vs WPA vs WPA2
  • Wi-Fi security compromise analysis

Perform vulnerability analysis

  • Determine the risk, threat level or business impact of a confirmed incident.
Day 4
Timeline analysis
  • Timeline reconstruction
  • Benefits of structured timeline analysis
  • Required pre-knowledge
  • Pivot point analysis
  • Building context with incomplete data
  • Enter information into an operations log or record of daily operational activity
  • Filesystem considerations
  • Time rules
  • Using Sleuthkit and fls
  • Program execution file knowledge
  • File opening and file deletion
  • log2timeline
  • log2timeline input and output modules
  • Using l2t_process for filtering
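
The timeline reconstruction and pivot-point steps above, as an added example that is not part of the course material and not log2timeline's own code: three constructed sources (a firewall syslog with no year and local time, an Apache access log with a UTC offset, and a Windows Security event export in ISO 8601 UTC) are normalised to UTC, merged and sorted, then cut down to a window around a pivot event. The firewall timezone and the log year are labelled assumptions; on a real case both have to be confirmed from the device, since a wrong offset silently reorders the whole timeline.

```python
"""Added example: build a super-timeline from sources that stamp time differently,
then slice it around a pivot point. All events are constructed."""
from datetime import datetime, timedelta, timezone

FW_TZ = timezone(timedelta(hours=-5))   # assumption: firewall logs in local time, UTC-5
LOG_YEAR = 2024                          # assumption: syslog lines carry no year

# constructed events: (source, raw timestamp as that source writes it, what happened)
RAW_EVENTS = [
    ("syslog",  "Mar  1 09:12:03",            "fw1 IPT-DROP SRC=198.51.100.7 DPT=443"),
    ("apache",  "01/Mar/2024:09:13:07 -0500", "GET /upload.php?cmd=id 200"),
    ("windows", "2024-03-01T14:13:09Z",       "EventID 4688 New process w3wp.exe -> cmd.exe"),
    ("windows", "2024-03-01T14:13:11Z",       "EventID 4624 Logon type 3 from 198.51.100.7"),
    ("syslog",  "Mar  1 09:13:12",            "fw1 IPT-ACCEPT SRC=192.0.2.10 DST=203.0.113.9 DPT=443"),
    ("apache",  "01/Mar/2024:08:59:40 -0500", "GET /index.html 200"),
    ("windows", "2024-03-01T16:40:00Z",       "EventID 1102 Audit log cleared"),
]


def to_utc(source, raw):
    """Parse one source's timestamp format and return an aware UTC datetime."""
    if source == "syslog":
        dt = datetime.strptime(f"{LOG_YEAR} {raw}", "%Y %b %d %H:%M:%S").replace(tzinfo=FW_TZ)
    elif source == "apache":
        dt = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    elif source == "windows":
        dt = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    else:
        raise ValueError(f"unknown source {source}")
    return dt.astimezone(timezone.utc)


def build_timeline(raw_events):
    """Normalise every event to UTC and sort; ties keep input order."""
    return sorted(((to_utc(src, ts), src, msg) for src, ts, msg in raw_events), key=lambda e: e[0])


def pivot(timeline, anchor_utc, before_s=60, after_s=60):
    """Slice the timeline around a pivot point (here: the first webshell request)."""
    lo, hi = anchor_utc - timedelta(seconds=before_s), anchor_utc + timedelta(seconds=after_s)
    return [e for e in timeline if lo <= e[0] <= hi]


if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    anchor = to_utc("apache", "01/Mar/2024:09:13:07 -0500")
    for ts, src, msg in pivot(tl, anchor):
        print(ts.isoformat(), src, msg)
```

Once the sources agree on a clock, the pivot window reads as a story (web request, child process spawned by the web worker, network logon, outbound connection through the firewall) that no single log shows on its own; the later log-clearing event is the kind of thing a second pivot would be built around.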

Volatile data sources and collection

  • System memory acquisition from Windows systems
  • 64-bit Windows memory considerations
  • Page file analysis
  • Hibernation file analysis
  • Identify rogue processes
  • DLL analysis
  • Handle discovery and analysis
  • Code injection artifacts
  • Rootkit indicators
  • Correlation with network artifacts
  • Volatility walk-through
  • Redline analysis
  • Volatility basics
  • Volatility case study
  • Advanced malware hunting with Volatility
  • Examine the Windows registry in memory
  • Investigate Windows services
  • Cached files in RAM
  • Credential recovery in RAM
Day 5
Incident response
  • Defensive review and recommendations
  • Improving defenses
  • Secure credential-rotation process and monitoring
  • Increased monitoring period – when and how long
  • Validate the system
  • Identify relevant stakeholders that need to be contacted
  • Communications about an organizational incident
  • Appropriate communications protocols and channels
  • Coordinate, integrate and lead team responses with other internal groups
  • Provide notification service to other constituents
  • Enable constituents to protect their assets and/or detect similar incidents
  • Report and coordinate incidents with appropriate external organizations
  • Liaison with law enforcement personnel
  • Track and document incidents from initial detection through final resolution
  • Assign and label data according to the appropriate class or category of sensitivity
  • Collect and retain information on all events/incidents in support of future analytical efforts and situational awareness
  • Perform risk assessments on incident management systems and networks
  • Run vulnerability scanning tools on incident management systems and networks
Incident Response and Network Forensics Training Course Wrap-Up
