Full title in original language:
Forensic Analysis Network Incident Response Toolset
Education level:
University (18+ years)
Topic / subtopic:
Cybercrime / Cybercrime investigation
Target audience:
Students,
Teachers / Lecturers
Type of resource:
Teaching Tool / Course
Languages:
English
Region of relevance:
Global
Access:
open access
Corporate authors:
European Union Agency for Network and Information Security
Publication year:
2016
Published by:
European Union Agency for Network and Information Security
Copyright holder:
© European Union Agency for Network and Information Security
Contact name and address:
European Union Agency for Network and Information Security
Contact email:
cert-relations@enisa.europa.eu
Key themes:
cybercrime, cybercrime investigation, forensics, forensic, crime, investigation, network, incident response, tool, toolset
Links:
Short description:
The main goal of this training is to teach trainees network forensic techniques and to extend their operating system forensic capabilities beyond Microsoft Windows to Linux.
Trainees follow traces on the workstation and discover that the analysed network captures, together with logs, lead to another machine on the network.
In the first part, trainees are presented with a selection of data gathered by network devices and systems: NetFlow records, PCAP captures, firewall logs, DNS logs and DHCP (Dynamic Host Configuration Protocol) leases. Each data set may contain information about the malicious activity, but, to make the case more realistic, no single source contains all the relevant information, and every source also contains extraneous data. Careful searching of all sources for the Indicators of Compromise identified in the first training is therefore needed.
At the end of the training, trainees should compile a report describing the course of events that led to the incident (a timeline) and a set of recommendations for management and system administrators.