DAY 1:
OSI & TCP/IP Models
- Basic Header Structures
- Analyze packets by hand
- IP & TCP Options
- OS Detection Techniques
  - Session Parameters, Flags
Number Theory
- Accelerated Number Conversion
- Boolean Logic
- Boolean Functions
- Basic Obfuscation Techniques
Wireshark Tutorial
- PCAP Meta-data
  - File Headers, Frame Headers
- Wireshark Meta-data
  - Name Resolutions, Analytic Tags, Conversations, Relative Numbering, Coloring Rules
- User Preferences
- Custom Displays
- Conversions
- Dissector Basics
- Display Filters
- Custom Filters
- Statistics
Day In The Life (TCP/IP)
- Inter-Process Communications
- 3-Way Handshake
- TCP Options in use
- Session Management
- Flow Control
- Windowing
- Congestion Control
- Packet Loss
- Retransmission
- Quality of Service
- Switching and Routing
- Common TCP/IP
DAY 2:
Analytic Process
- Logic Fundamentals
- Establishing and Examining Premises
  - Correlation, Causation, Coincidence
  - Fallacies and Pitfalls
- Apply logic to traffic analysis
- Identify Analytic Vectors
- Validate Filters and Coloring Rules
- Prioritize Analytic Efforts
Internet Research
- Brief History of the Internet
- Impact on current and future protocols
- Current Organizations
  - Internet Society, ICANN/IANA
- Research Tools
  - Whois, Dig, Nslookup, Traceroute, BGP/AS Analysis, Looking Glass
Traffic Analysis
- Scope Problems/Events
- Statistical Analysis, Baseline
- Isolating Events, TCP Analysis
- Event Analysis
- Identify Non-Standard Communications
- Recreate objects (e.g. files, videos)
- Display Filters
- Customize and Save Filters
Attribution
- Route Path Selection
  - Interior Routing (EIGRP, OSPF)
  - Exterior Routing (BGP)
  - Autonomous Systems
  - Tiered Networking, Peering
  - Load Balancing, MPLS and Traffic Engineering
- Traceroute Analysis
- Latency Analysis
- Naming Conventions
- Route Identification
DAY 3:
Research Techniques
- RFC and other supporting documentation
- Syntax, Semantics, and Timing
- Key Personnel
- Academic Materials
- White Papers and Keynote Slides
- Client/Server Relationships
- Codes
- Flags
- Dissector Support
Start-to-Finish Protocol Analysis (Demo Email)
- Research Documentation
- RFC 822, MIME, SMTP, POP3, IMAP
- Work with Encoding
- Network Reconstruction
Regular Expressions
- Pattern Matching
- IP Addresses
- Email Address
- Client/Server Transactions
Analysis Beyond Wireshark
- Custom Filters
- Filter with Regular Expressions
- Research Non-Dissected Protocols
- Analyze Non-Dissected Protocols
Secure Protocols
- Security Fundamentals
- Confidentiality, Integrity, and Availability
- Encryption
- Work in an Encrypted Environment
- Verify Digital Certificates
- Identify Directionality of Traffic
- Identify Location of Nodes
DAY 4:
Referrers, User-Agents, & Cookies
- Identify System Architectures
- Identify Operating Systems
- Identify Applications
- Identify User Preferences
- Follow User Activities
- Identify 3rd-Party Tracking Activities
Big Capture
A group analysis exercise. Students will work in small groups to identify traffic and reconstruct the topology of an unknown environment. The teams will have to decipher obfuscated transactions and map observed activities back to the respective user.
More Tools and Tricks
- Capsa7, NetWitness Investigator, Network Miner
DAY 5:
Student Practical Demonstration:
Using the tools, skills, and methodologies taught in Days 1 – 4 of the class, students will participate in a competitive capture-the-flag exercise.
Designed to challenge the participants, each correctly completed milestone unlocks a successively more difficult challenge.