Dec 26, 2024
2021-2022 Course Catalog [ARCHIVED CATALOG]

CVF 2203 - Network Forensics, Analysis and Incident Handling

Credits: 3
Hours/Week: Lecture 2 Lab 2
Course Description: Network forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify the attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological components of the topic with emphasis on the network traffic analysis aspect. The technical aspect addresses analysis of intruder types and the intrusion process, review of network traffic logs and profiles and their types, identification of attack signatures and fingerprints, application of data mining techniques, study of various traceback methods, and the extraction of information acquired through the use of network analysis tools and techniques.
MnTC Goals
None

Prerequisite(s): CVF 1085 with a grade of C or higher OR instructor consent.
Corequisite(s): None
Recommendation: None

Major Content
1. Part I. Foundation: a. Practical Investigative Strategies

1.1 Real-World Cases

1.2 Footprints

1.3 Concepts in Digital Evidence

1.4 Challenges Relating to Network Evidence

1.5 Network Forensics Investigative Methodology (OSCAR)

1.6 Conclusion

2. Statistical Flow Analysis

5.1 Process Overview

5.2 Sensors

5.3 Flow Record Export Protocols

5.4 Collection and Aggregation

5.5 Analysis

5.6 Conclusion

5.7 Case Study: The Curious Mr. X

3. Wireless: Network Forensics Unplugged

6.1 The IEEE Layer 2 Protocol Series

6.2 Wireless Access Points (WAPs)

6.3 Wireless Traffic Capture and Analysis

6.4 Common Attacks

6.5 Locating Wireless Devices

6.6 Conclusion

6.7 Case Study: HackMe, Inc.

4. Network Intrusion Detection and Analysis

7.1 Why Investigate NIDS/NIPS?

7.2 Typical NIDS/NIPS Functionality

7.3 Modes of Detection

7.4 Types of NIDS/NIPSs

7.5 NIDS/NIPS Evidence Acquisition

7.6 Comprehensive Packet Logging

7.7 Snort

7.8 Conclusion

7.9 Case Study: Inter0ptic Saves the Planet (Part 1 of 2)

5. Network Devices and Servers

8. Event Log Aggregation, Correlation, and Analysis

8.1 Sources of Logs

8.2 Network Log Architecture

8.3 Collecting and Analyzing Evidence

8.4 Conclusion

8.5 Case Study: L0ne Sh4rk’s Revenge

6. Switches, Routers, and Firewalls

9.1 Storage Media

9.2 Switches

9.3 Routers

9.4 Firewalls

9.5 Interfaces

9.6 Logging

9.7 Conclusion

9.8 Case Study: Ann’s Coffee Ring

7. Web Proxies

10.1 Why Investigate Web Proxies?

10.2 Web Proxy Functionality

10.3 Evidence

10.4 Squid

10.5 Web Proxy Analysis

10.6 Encrypted Web Traffic

10.7 Conclusion

10.8 Case Study: Inter0ptic Saves the Planet (Part 2 of 2)

8. Network Tunneling

11.1 Tunneling for Functionality

11.2 Tunneling for Confidentiality

11.3 Covert Tunneling

11.4 Conclusion

11.5 Case Study: Ann Tunnels Underground

9. Malware Forensics

12.1 Trends in Malware Evolution

12.2 Network Behavior of Malware

12.3 The Future of Malware and Network Forensics

12.4 Case Study: Ann’s Aurora

10. Technical Fundamentals

2.1 Sources of Network-Based Evidence

2.2 Principles of Internetworking

2.3 Internet Protocol Suite

2.4 Conclusion

11. Evidence Acquisition

3.1 Physical Interception

3.2 Traffic Acquisition Software

3.3 Active Acquisition

3.4 Conclusion

12. Traffic Analysis

4.1 Protocol Analysis

4.2 Packet Analysis

4.3 Flow Analysis

4.4 Higher-Layer Traffic Analysis

4.5 Conclusion

4.6 Case Study: Ann’s Rendezvous

Learning Outcomes
At the end of this course students will be able to:

1. deploy a structured lifecycle approach to data analytics problems.

2. distinguish between PCAP and NetFlow data.

3. explain the basics of packet capture and traffic analysis.

4. demonstrate at least two ways to visualize network data.

5. explain at least one approach to network data anonymization.

6. explain coarse vs. fine data representation.

7. explain what a traffic matrix is.

8. demonstrate how to extract some embedded as well as some hidden network data.

9. distinguish between at least two types of malicious traffic from network data and categorize them.

10. configure a connection between host-based events and network-based events.

11. apply appropriate analytic techniques and tools to analyze big data.

12. use open source tools such as R, Hadoop, and Postgres.

Competency 1 (1-6)
None
Competency 2 (7-10)
None