SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
FOR572Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Phil Hagen
Course created by:Phil Hagen
- GIAC Network Forensic Analyst (GNFA)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Deepen your advanced network forensics experience, including threat hunting, analysis, and incident response. Explore the tools, technology, and processes needed to integrate network evidence sources.
Featured Quote
From a perspective of a strategic CTI analyst, I appreciated that the course allowed me to see, understand, and at time even personally conduct processes that I had previously only known in theory. The well-constructed exercises allowed me to engage with programs, files, and processes that I would otherwise never lay my hands on - even though I read about them every day. Through this, the course has given me a new depth of understanding of threat actors' behaviors and IR processes, and therefore largely improved my analytical skillset.
Course Overview
Today’s investigative teams actively hunt threats, using known evidence and fresh intelligence to uncover incidents others have missed. FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response covers the most critical skills needed for an increased focus on network communications and artifacts in investigative work. In this network forensics course, you’ll gain working knowledge of investigative tools, techniques, and procedures required to integrate network evidence sources into your investigations, with a focus on efficiency and effectiveness. You’ll leave this course with a well-stocked toolbox and the knowledge to use it on your first day back on the job.
What You’ll Learn
- Recover files from network traffic for malware analysis and data loss review
- Use NetFlow data to trace past network activity and scope incidents
- Reverse engineer protocols, decrypt traffic, and analyze common data formats
- Spot chances to collect more evidence using current network infrastructure
- Understand how attackers use techniques like man-in-the-middle attacks
- Use scripting to quickly process large sets of evidence
- Apply skills in a full-day simulation of a nation-state intrusion
Business Takeaways
- Add network insights to complete your team’s investigations
- Build baselines to spot threats early in an attack
- Get more value from existing network data
- Ensure key network clues are used in threat hunting and incident response
Meet Your Author
Phil Hagen
FellowPhil Hagen shaped network forensics with SOF-ELK® and SANS FOR572, setting standards in large-scale log analysis and response. His role in exposing a global fraud ring behind hundreds of millions in losses defines his lasting impact on cybersecurity.
Read more about Phil HagenCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response.
Section 1Off the Disk and Onto the Wire
Section one introduces unique aspects of network forensics and how traditional digital forensic skills apply to network evidence. It covers data acquisition methods like packet capture and proxy logs, along with tools such as tcpdump and Wireshark. Students will analyze proxy data, extract exfiltrated content, and explore key network devices and protocols.
Topics covered
- Evaluating Web Proxy Data
- Network Evidence Acquisition
- Network Challenges and Opportunities
- Hypertext Transfer Protocol (HTTP) Part 1: Protocol
Labs
- tcpdump and Wireshark Hands-On
- Proxy Log and Cache Analysis
- Carve Exfiltrated Data
Section 2Core Protocols & Log Aggregation/Analysis
This section covers how to identify malicious activity by analyzing common network protocols and their anomalies. It highlights the value of log data over full-packet capture and introduces tools like SOF-ELK® for scalable log aggregation and analysis. Students will profile protocols like HTTP and DNS and practice efficient log analysis techniques.
Topics covered
- Hypertext Transfer Protocol (HTTP) Part 2: Logs
- Domain Name Service (DNS): Protocol and Logs
- Forensic Network Security Monitoring (NSM)
- Logging Protocols and Aggregation
- Elastic Stack and the SOF-ELK® Platform
Labs
- HTTP Profiling
- DNS Profiling, Anomalies, and Scoping
- SOF-ELK® Log Aggregation and Analysis
Section 3NetFlow and File Access Protocols
This section explores NetFlow as a key tool for tracking attacker behavior and identifying network anomalies with minimal storage overhead. Students will analyze NetFlow data, reconstruct file transfers like FTP, and investigate Windows protocols such as SMB used in lateral movement and data theft.
Topics covered
- NetFlow Collection and Analysis
- Open-Source Flow Tools
- File Transfer Protocol
- Microsoft Protocols
Labs
- Visual NetFlow Analysis with SOF-ELK®
- Tracking Lateral Movement with NetFlow
- nfcapd Data Consolidation and Reduction
- SMB Session Analysis & Reconstruction
Section 4Commercial Tools, Wireless, and Full-Packet Hunting
Section four covers the role of commercial tools in network forensics, emphasizing their scalability and integration into investigative workflows. We explore wireless network forensics, highlighting unique artifacts and attack vectors. Students will use NetworkMiner and Arkime for large-scale packet analysis and object extraction from full-packet captures.
Topics covered
- Simple Mail Transfer Protocol
- Object Extraction with NetworkMiner
- Wireless Network Forensics
- Automated Tools and Libraries
- Full-Packet Hunting with Arkime
Labs
- Automated Extraction with NetworkMiner
- Scaling With pcap_iterator.sh
- Using Command-Line Tools for Analysis
- Network Forensic Analysis Using Arkime
Section 5Encryption, Protocol Reversing, OPSEC, and Intel
This section teaches how to analyze encrypted and undocumented network traffic to uncover hidden attacker activity. It covers SSL/TLS profiling, protocol misuse, and maintaining operational security to avoid alerting adversaries. Students also learn best practices for safely sharing threat intelligence.
Topics covered
- Encoding, Encryption, and SSL/TLS
- Meddler-in-the-Middle
- Network Protocol Reverse Engineering
- Investigation OPSEC and Threat Intel
- Capstone Challenge Kickoff
Labs
- TLS Profiling
- Decrypting Forward Secrecy and Exploring HTTP/2
- Undocumented Protocol Features
- Mini-Comprehensive Investigation
- Capstone Evidence Preparation
Section 6Network Forensics Capstone Challenge
In this capstone section, students work in groups to analyze network evidence from a real-world attack, identify the attacker’s actions, and present findings. The focus is on using only network data to build and communicate a clear forensic narrative with both executive and technical summaries.
Topics covered
- Network Forensic Case
Labs
- Capstone Lab
Things You Need To Know
Relevant Job Roles
Threat Hunter
Digital Forensics and Incident ResponseThis expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
Explore learning pathCyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathDigital Forensics Analyst
Digital Forensics and Incident ResponseThis expert applies digital forensic skills to a plethora of media that encompass an investigation. The practice of being a digital forensic examiner requires several skill sets, including evidence collection, computer, smartphone, cloud, and network forensics, and an investigative mindset. These experts analyze compromised systems or digital media involved in an investigation that can be used to determine what really happened. Digital media contain footprints that physical forensic data and the crime scene may not include.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathIntrusion Detection/SOC Analysts
Digital Forensics and Incident ResponseAnalyze network and endpoint data to swiftly detect threats, conduct forensic investigations, and proactively hunt adversaries across diverse platforms including cloud, mobile, and enterprise systems.
Explore learning pathIncident Response Team Member
Digital Forensics and Incident ResponseThis dynamic and fast-paced role involves identifying, mitigating, and eradicating attackers while their operations are still unfolding.
Explore learning pathIntrusion Detection / (SOC) Analyst
Cyber DefenseSecurity Operations Center (SOC) analysts work alongside security engineers and SOC managers to implement prevention, detection, monitoring, and active response. Working closely with incident response teams, a SOC analyst will address security issues when detected, quickly and effectively. With an eye for detail and anomalies, these analysts see things most others miss.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Philip HagenDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Canberra, ACT, AU & Virtual (live)
Instructed by David BiancoDate & TimeFetching schedule..View event detailsCourse priceA$13,350 AUD*Prices exclude applicable local taxes - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Philip HagenDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Tokyo, JP & Virtual (live)
Instructed by David SziliDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Tallinn, EE
Instructed by Philip HagenDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Philip HagenDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Joshua LemonDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes - Location & instructor
London, GB & Virtual (live)
Instructed by Philip HagenDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout
Showing 8 of 14
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4First course I’ve taken that gives insight into the forensic mindset required for investigating incidents.
- Slide 2 of 4The example of the http proxy and how it works was a great use case as to the importance of this course.
- Slide 3 of 4The day 6 was a challenge and I had a ton of fun with playing with all the tools we had been provided.
- Slide 4 of 4I feel like the last week has been a massive eye-opener into what extra information I can now use in my forensic investigations.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources