Crosspost: SANS Network Forensics (FOR558) in Arlington, VA

Now that the holidays are over, it’s time to re-focus on the challenges ahead. That includes training to help you successfully tackle those tasks in the new year. It’s an ideal time to join Phil Hagen in Arlington, VA for FOR558: Network Forensics. This course has been in high demand, and now you’ll be able to attend in a small-class setting afforded by a community event. The course runs from Feb 6 to Feb 10, 2012, and registration is open now.

Network communications have continued to grow at a breakneck pace. This has resulted in the incorporation of network-based evidence in forensic investigations. Traditionally, these investigations were dominated by the analysis of data at rest, collected from magnetic and optical media. More recently, memory analysis has found a place in the forensic process. Now, we need to consider network-based data to establish a more complete picture of actions a subject has taken during a period of interest. In the case of a savvy attacker who diligently covered his or her tracks, network data may be the only evidence an incident even occurred.

“Deep packet analysis proved multiple tools and techniques for analyzing packets and recreating the events associated with the captures.” -Nicholas Brink, Nationwide

Network forensics often involves analysis at the packet level, and you’ll spend a lot of time with Wireshark and other low-level tools. You’ll also learn how log data from network infrastructure devices can help close the analytical gaps left after performing media forensics on a system.

“Exactly the training I need to understand what’s happening on the wire.” -Mike Ryan, UBC

This community SANS event will teach you the skills and tools needed to incorporate network forensics into your existing procedures. You’ll cover the same 5-day curriculum offered at larger conferences, while conserving your organization’s travel budget. Class sizes are also smaller, providing a course experience more tailored to students’ needs. Although the course won’t solely consist of government employees, Phil’s background with both the government and commercial sectors will ensure everyone will receive actionable training for their case load.

“I would give this course four and a half (4.5) out of five (5) stars and highly recommend it to any #DFIR practitioner.” “The lab exercises and course material give the student practical application immediately, plus you get the SNIFT VM, supplement exercises, VMs, and puzzles.” -Brad, Digital Forensic Source Blog

Register to join us in Arlington this February – you won’t want to miss it!


Instructor Biography

Phil Hagen started his security career over 15 years ago while attending the US Air Force Academy, with research covering both the academic and practical sides of security. He served in the Air Force as a Communications Officer, and was assigned to a base-level “Year 2000” project management office. The plans he helped create were later used during California’s rolling power blackouts. At the Pentagon, he later managed a support team serving 200 analysts.

In 2003, Phil shifted to a government contractor, providing technical services for exotic IT security projects. These included systems that demanded 24x7x365 functionality. He supported the design, deployment, and support of a specialized network for 100 security engineers in ten offices. He later managed a team of 85 computer forensic professionals, holding P&L responsibilities for the business line.

Recently, Phil formed Lewes Technology Consulting, LLC. He applies his IT and security experience to small and medium businesses as they track toward their business goals, and performs forensic casework and infosec training.


Crossposted from SANS Computer Forensics Blog
