Latest Blog Post

read more

Upcoming Events

September 16, 2015 - LMG will teach "Digital First Responder Training" at our World Headquarters in Missoula, MT. Sign up now!

September 22, 2015 - LMG will teach "Digital First Responder Training" in Billings, MT. Sign up now!


Congratulations to all the teams that participated in the Network Forensics Puzzle Contest at DEF CON 23! View contest results, hints, and passwords here.

We're pleased to announced that Network Forensics Puzzle DVDs from 2011, 2012, and 2014 are all available on BytePuzzles!

LinkedIn Reddit Delicious Technorati Twitter Digg Stumbleupon

Join our Email Newsletter

Send your cybersecurity questions to for the chance to have them answered in our newsletter!

Class and Book

Want "Network Forensics" (the class) taught privately at your facilities? Request an Onsite

Order Network Forensics: Tracking Hackers Through Cyberspace!

Need Expert Consulting?

Request a Quote

Email Us an RFP

Network Forensics: Tracking Hackers Through Cyberspace

Cover illustration by Jonah Elgart

4-Day Class

Request a Private Onsite


Enterprises all over the globe are compromised remotely by hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of other valuable data are surreptitiously transferred across the network. Insider attacks leverage cutting-edge covert tunneling techniques to export data from highly secured environments. Attackers' footprints remain throughout the network, in firewall logs, IDS/IPS, web proxies, traffic captures, and more.

From the authors of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012) comes the four-day Network Forensics course. Taught by the authors themselves, this fast-paced class includes packet analysis, statistical flow record analysis, wireless forensics, intrusion detection and analysis, network tunneling, malware network behavior-all packed into a dense 4 days, with hands-on technical labs throughout the class.

Reconstruct a suspect's web surfing history – and cached web pages, too – from a web proxy. Carve out suspicious email attachments from packet captures. Analyze a real-world wireless encryption cracking attack (and then crack the key yourself) from captured traffic. Dissect DNS-tunneled traffic and learn to carve TCP segments with just your eyeballs and a hex editor. Use flow record analysis tools to pick out brute-force attacks and hone in on compromised systems, as the attacker pivots through the enterprise. Pick apart the Operation Aurora exploit, caught by a network sniffer.

Forensic investigators must be savvy enough to find network-based evidence, preserve it and extract the evidence. Network Forensics will give you hands-on experience analyzing covert channels, carving cached web pages out of proxies, identifying attackers and victims using flow records, carving malware from packet captures, and correlating the evidence to build a solid case.

Network Forensics will teach you to how to follow the attacker's footprints and analyze evidence from the network environment. Every student will receive a fully-loaded, portable forensics workstation, designed by forensics experts and distributed exclusively to Network Forensics students.

This class is for technical students who are already familiar with the basics of TCP/IP networking, Linux and networking tools such as Wireshark and tcpdump. Bring your own caffeine and be ready.

CPE Credit

This class may potentially fill CPE requirements for CISSP certification.

Students Receive

  • "Network Forensics" textbook (Prentice Hall, 2012)
  • Lab Workbook (7 hands-on labs with in-depth solutions)
  • DVDs or USBs containing lab evidence
  • Virtual (VMware) forensic analysis workstations custom designed for lab use

Topics Covered in this Course

  • Packet Analysis
  • Wireless Traffic Analysis
  • Network Tunneling
  • Flow Record Analysis
  • Network Intrusion Detection/Prevention Systems
  • Web Proxies
  • Malware

Standard Format

Four (4) days, six (6) hours of instruction per day (including breaks for lunch and coffee).


Each module of this course consists of instructor lecture, followed by instructor-led hands-on labs that are designed to explore the tools and techniques discussed. Additional reading materials are supplied by the accompanying Prentice Hall text (by the authors of the class). Students will be provided with a virtual machine to use as a network forensic workstation.

Who Should Take This Class:

  • Information security professionals with some background in hacker exploits, penetration testing, and incident response
  • Incident Response team members who are responding to complex security incidents/intrusions and need to utilize network forensics to help solve their cases Law enforcement officers, federal agents, or detectives who want to master network forensics and expand their investigative skill set to include packet captures, IDS/IPS analysis, web proxies, covert channels, and a variety of network-based evidence.
  • Network and computer forensic professionals who want to solidify and expand their understanding of network forensic and incident response related topics
  • Networking professionals who would like to branch out into forensics in order to understand information security implications and work on investigations
  • Anyone with a firm technical background who might be asked to investigate a data breach incident or intrusion case
  • Individuals who are considered technically savvy