Lesson 1: Introduction to Network Forensics
1.1 Definition and scope of network forensics
1.2 Role of network forensics in cybersecurity
1.3 Difference between network and host forensics
1.4 Incident response integration
1.5 Legal and compliance considerations
1.6 Importance in threat hunting
1.7 Challenges in network evidence acquisition
1.8 Overview of GNFA certification domains
1.9 Case study: real-world forensic investigation
1.10 Lab setup requirements
Lesson 2: Fundamentals of TCP/IP Networking
2.1 OSI vs TCP/IP models
2.2 IP addressing concepts
2.3 TCP/UDP communication basics
2.4 Common ports and protocols
2.5 Network segmentation and routing
2.6 NAT and firewalls impact
2.7 ICMP and diagnostic tools
2.8 Understanding packet headers
2.9 Fragmentation and reassembly
2.10 Tools for packet dissection
Lesson 3: Packet Capture Fundamentals
3.1 Role of packet capture in forensics
3.2 Promiscuous mode vs normal mode
3.3 PCAP file formats
3.4 Libpcap vs WinPcap
3.5 Capture filters vs display filters
3.6 Time synchronization in captures
3.7 Storage best practices
3.8 Large-scale packet capture solutions
3.9 Chain of custody for PCAPs
3.10 Legal implications of packet capture
Lesson 4: Wireshark Essentials
4.1 Installing and configuring Wireshark
4.2 Navigating the Wireshark interface
4.3 Applying capture filters
4.4 Using display filters
4.5 Protocol hierarchy analysis
4.6 Following TCP/UDP streams
4.7 Exporting objects from captures
4.8 Packet colorization and marking
4.9 Troubleshooting with Wireshark
4.10 Advanced preferences and profiles
Lesson 5: TCP Deep Dive
5.1 TCP three-way handshake
5.2 TCP flags and their significance
5.3 Sequence and acknowledgment numbers
5.4 Window size and flow control
5.5 Retransmissions and duplicates
5.6 TCP resets and terminations
5.7 Common attack signatures in TCP traffic
5.8 Detecting anomalies in TCP flows
5.9 Reconstruction of TCP streams
5.10 Case analysis: TCP attack traffic
Lesson 6: UDP and Stateless Protocols
6.1 Characteristics of UDP communication
6.2 Differences between UDP and TCP forensic artifacts
6.3 Common UDP-based protocols
6.4 DNS over UDP
6.5 Streaming and VoIP traffic
6.6 Detecting UDP-based attacks
6.7 Limitations of UDP analysis
6.8 Identifying rogue services
6.9 Reconstruction of UDP payloads
6.10 Case study: DNS tunneling detection
Lesson 7: ICMP and Supporting Protocols
7.1 ICMP message types
7.2 Echo requests/replies in analysis
7.3 Destination unreachable analysis
7.4 ICMP tunneling attacks
7.5 Traceroute mechanics
7.6 Protocol misuse detection
7.7 ICMP floods and DoS analysis
7.8 Identifying hidden communication channels
7.9 Investigating ping sweeps
7.10 Practical lab on ICMP traffic
Lesson 8: Network Evidence Acquisition
8.1 Sources of forensic network data
8.2 SPAN ports and network taps
8.3 Full packet capture vs metadata
8.4 Legal implications of data collection
8.5 Deploying sensors strategically
8.6 Traffic sampling limitations
8.7 Volatile vs non-volatile data capture
8.8 Evidence preservation techniques
8.9 Integrating with SIEM/IDS systems
8.10 Case workflow for data acquisition
Lesson 9: NetFlow and Metadata Analysis
9.1 NetFlow vs full packet capture
9.2 Flow records and formats
9.3 Identifying anomalies in NetFlow
9.4 Detecting lateral movement
9.5 Correlation with IDS alerts
9.6 Using flow collectors (nfdump, SiLK)
9.7 Privacy considerations
9.8 Flow sampling accuracy
9.9 Case analysis using NetFlow data
9.10 Best practices for long-term flow storage
Lesson 10: Logs as Forensic Evidence
10.1 Importance of logs in network forensics
10.2 Syslog and log forwarding
10.3 Firewall and router logs
10.4 IDS/IPS logs interpretation
10.5 Web server logs
10.6 Email server logs
10.7 Authentication and VPN logs
10.8 Correlating logs with PCAPs
10.9 Detecting log tampering
10.10 Log retention policies
Lesson 11: Advanced Wireshark Analysis
11.1 Decrypting SSL/TLS traffic
11.2 Expert information analysis
11.3 Packet reassembly
11.4 Analyzing malformed packets
11.5 Exporting statistical data
11.6 Graphing flows
11.7 VoIP analysis in Wireshark
11.8 Using Wireshark plugins
11.9 Advanced filtering syntax
11.10 Case analysis with advanced Wireshark
Lesson 12: Intrusion Detection with Snort/Suricata
12.1 IDS fundamentals
12.2 Snort architecture
12.3 Suricata architecture
12.4 Writing and tuning signatures
12.5 PCAP replay into IDS
12.6 Detecting evasions
12.7 Log correlation with captures
12.8 IDS alert triage
12.9 Integration with SIEM
12.10 Case study using IDS
Lesson 13: Email and SMTP Forensics
13.1 Structure of email communication
13.2 SMTP headers analysis
13.3 Tracing email routing
13.4 Identifying spoofing attempts
13.5 Detecting phishing emails
13.6 Analyzing attachments in network traffic
13.7 Use of STARTTLS in SMTP
13.8 Case study of spear phishing campaign
13.9 Linking email traffic to exfiltration
13.10 Practical lab on SMTP PCAPs
Lesson 14: DNS Forensics
14.1 DNS basics and record types
14.2 DNS query and response analysis
14.3 Identifying domain hijacking
14.4 DNS amplification attacks
14.5 Detecting fast-flux domains
14.6 DNS tunneling indicators
14.7 Passive DNS collection
14.8 Domain reputation tools
14.9 Case study: malware C2 via DNS
14.10 Lab on DNS packet analysis
Lesson 15: HTTP and Web Traffic Forensics
15.1 Anatomy of HTTP requests/responses
15.2 Common HTTP headers
15.3 Analyzing cookies and sessions
15.4 Detecting SQL injection in traffic
15.5 Identifying malware downloads
15.6 Tracking user agents
15.7 HTTPS and TLS handshake analysis
15.8 Detecting beaconing via HTTP
15.9 Extracting files from HTTP streams
15.10 Case analysis: malicious HTTP traffic
Lesson 16: SSL/TLS Decryption and Analysis
16.1 TLS handshake breakdown
16.2 Identifying SSL versions and ciphers
16.3 Key exchange protocols
16.4 Certificate validation and inspection
16.5 Detecting SSL stripping attacks
16.6 Using private keys for decryption
16.7 JA3 fingerprinting for TLS clients
16.8 TLS session resumption artifacts
16.9 Case study: malware over HTTPS
16.10 Lab: decrypting TLS traffic
Lesson 17: Cloud Network Forensics
17.1 Challenges in cloud environments
17.2 AWS VPC Flow logs
17.3 Azure NSG flow logs
17.4 GCP network telemetry
17.5 Cloud-native packet capture
17.6 Hybrid-cloud visibility issues
17.7 Case analysis of cloud breaches
17.8 Chain of custody in cloud forensics
17.9 Legal/ownership challenges
17.10 Cloud forensic readiness planning
Lesson 18: Wireless Network Forensics
18.1 IEEE 802.11 basics
18.2 Capturing Wi-Fi traffic
18.3 WPA2/WPA3 handshakes
18.4 Decrypting wireless packets
18.5 Detecting rogue access points
18.6 Wi-Fi attack vectors (Evil Twin, Deauth)
18.7 Analyzing beacon frames
18.8 Geolocation via Wi-Fi metadata
18.9 Case analysis: wireless breach
18.10 Lab: Wi-Fi packet capture analysis
Lesson 19: VoIP and Multimedia Forensics
19.1 VoIP protocols overview (SIP, RTP)
19.2 SIP call setup analysis
19.3 RTP stream analysis
19.4 Extracting audio from captures
19.5 VoIP fraud detection
19.6 Video conferencing artifacts
19.7 VoIP DoS and eavesdropping
19.8 Case study: VoIP wiretap
19.9 Tools for VoIP analysis
19.10 Practical VoIP lab
Lesson 20: File Transfer and FTP Forensics
20.1 FTP protocol analysis
20.2 Anonymous vs authenticated sessions
20.3 File transfer patterns
20.4 Detecting FTP brute-force attempts
20.5 Extracting transferred files
20.6 SFTP/FTPS differences
20.7 File-sharing apps forensic artifacts
20.8 Peer-to-peer protocol detection
20.9 Case analysis of FTP exfiltration
20.10 Lab: reconstructing file transfers
Lesson 21: Malware and Network Indicators
21.1 Network behavior of malware
21.2 C2 communication patterns
21.3 Beaconing intervals
21.4 Encrypted vs cleartext payloads
21.5 Domain generation algorithms
21.6 IP blacklists and threat intel feeds
21.7 Identifying suspicious TLS fingerprints
21.8 Sandbox and detonation artifacts
21.9 Case study: ransomware traffic
21.10 Practical malware PCAP analysis
Lesson 22: Advanced Persistent Threat (APT) Traffic Analysis
22.1 Lifecycle of APT campaigns
22.2 Reconnaissance traffic indicators
22.3 Lateral movement in traffic
22.4 Persistence and backdoor connections
22.5 Exfiltration channels
22.6 Use of living-off-the-land techniques
22.7 Detection through anomaly baselines
22.8 Threat intelligence enrichment
22.9 Case study: APT attack reconstruction
22.10 Practical threat-hunting lab
Lesson 23: Exfiltration Detection
23.1 Common data exfiltration methods
23.2 Covert channels via DNS/HTTP
23.3 Cloud storage misuse
23.4 Steganography in network traffic
23.5 Identifying unusual traffic volumes
23.6 Detecting time-based exfiltration
23.7 SSL/TLS misuse for exfiltration
23.8 Analyzing endpoint-to-endpoint flows
23.9 Case study: insider exfiltration
23.10 Lab on detecting covert exfiltration
Lesson 24: Insider Threats in Network Forensics
24.1 Characteristics of insider threats
24.2 Network patterns of misuse
24.3 Access abuse indicators
24.4 File-sharing and uploads monitoring
24.5 VPN misuse detection
24.6 Endpoint correlation with traffic
24.7 Identifying anomalous logins
24.8 Data staging artifacts
24.9 Case study: disgruntled employee attack
24.10 Practical insider threat lab
Lesson 25: Attribution in Network Forensics
25.1 Challenges of attribution
25.2 IP address tracking limitations
25.3 Geolocation from traffic
25.4 Use of VPNs and proxies
25.5 Identifying attacker infrastructure
25.6 Linking malware families
25.7 Correlating campaigns
25.8 Use of OSINT in attribution
25.9 Case study: attribution pitfalls
25.10 Best practices for cautious attribution
Lesson 26: SCADA and Industrial Protocols
26.1 Introduction to SCADA/ICS networks
26.2 Modbus protocol analysis
26.3 DNP3 forensic artifacts
26.4 OPC traffic
26.5 Proprietary industrial protocols
26.6 Detecting ICS-specific attacks
26.7 Logging challenges in SCADA
26.8 Case analysis of ICS incident
26.9 Legal/operational considerations
26.10 Lab: Modbus traffic analysis
Lesson 27: Mobile Network Forensics
27.1 Mobile data traffic characteristics
27.2 GSM and LTE basics
27.3 Mobile application network flows
27.4 Mobile malware indicators
27.5 Carrier NAT implications
27.6 Encrypted messaging apps analysis
27.7 Geolocation via mobile traffic
27.8 Cloud backup misuse
27.9 Case study: mobile exfiltration
27.10 Practical mobile traffic lab
Lesson 28: Darknet and Anonymity Forensics
28.1 Tor network overview
28.2 Identifying Tor entry traffic
28.3 Hidden service analysis
28.4 Use of VPNs with Tor
28.5 I2P traffic indicators
28.6 Darknet markets forensic challenges
28.7 Case study: Tor-enabled attack
28.8 Timing correlation techniques
28.9 Tools for darknet monitoring
28.10 Lab: Tor traffic recognition
Lesson 29: Encrypted Traffic Analysis
29.1 Growth of encrypted traffic
29.2 SSL/TLS vs SSH vs VPN
29.3 Identifying encrypted protocols
29.4 Metadata analysis techniques
29.5 Fingerprinting encrypted flows
29.6 JA3 and JA3S signatures
29.7 Identifying anomalous session lengths
29.8 Encrypted malware C2
29.9 Case study: hidden exfiltration via TLS
29.10 Practical encrypted traffic analysis
Lesson 30: Incident Response Integration
30.1 Role of network forensics in IR
30.2 Incident lifecycle stages
30.3 Data triage from network captures
30.4 Prioritizing indicators
30.5 Forensic handoff to IR teams
30.6 Coordination with host forensics
30.7 Building incident timelines
30.8 Documentation and reporting
30.9 Case study: breach response workflow
30.10 Lab: network evidence in IR
Lesson 31: Threat Hunting with Network Data
31.1 Hunting vs detection
31.2 Hypothesis-driven hunting
31.3 Anomaly-based hunting
31.4 Hunting using NetFlow data
31.5 DNS hunting for C2
31.6 Beacon detection
31.7 Correlating multi-source data
31.8 Continuous improvement cycle
31.9 Case study: proactive hunting success
31.10 Practical hunting exercise
Lesson 32: Big Data and Network Forensics
32.1 Volume of modern network data
32.2 Distributed packet capture solutions
32.3 Hadoop/Spark in forensics
32.4 Use of Elasticsearch
32.5 Data reduction strategies
32.6 Metadata vs payload trade-offs
32.7 Visualization dashboards
32.8 Real-time vs retrospective analysis
32.9 Case study: scaling forensics
32.10 Practical big data tools lab
Lesson 33: Automation in Network Forensics
33.1 Role of scripting in forensics
33.2 Python for packet parsing
33.3 Automating Wireshark/TShark
33.4 Log parsing automation
33.5 Regular expressions in filtering
33.6 Automated correlation workflows
33.7 Use of APIs for automation
33.8 Integrating with SOAR platforms
33.9 Case study: automation efficiency
33.10 Lab: write a PCAP parser
Lesson 34: Legal and Ethical Issues
34.1 Privacy laws and monitoring
34.2 Wiretap implications
34.3 Data retention laws
34.4 Admissibility of network evidence
34.5 GDPR and compliance
34.6 Ethics in forensic practice
34.7 Handling PII responsibly
34.8 International jurisdiction issues
34.9 Case study: evidence suppression
34.10 Best practices for compliance
Lesson 35: Reporting and Documentation
35.1 Importance of clear reporting
35.2 Structuring forensic reports
35.3 Using visuals and graphs
35.4 Executive summaries
35.5 Technical appendices
35.6 Evidence cataloging
35.7 Peer review of reports
35.8 Avoiding bias in conclusions
35.9 Case study: report as legal evidence
35.10 Lab: draft a forensic report
Lesson 36: Forensic Readiness Planning
36.1 Defining forensic readiness
36.2 Pre-positioning sensors
36.3 Log management readiness
36.4 Packet capture strategy
36.5 Cloud readiness considerations
36.6 Incident playbooks
36.7 Legal readiness
36.8 Training requirements
36.9 Case study: readiness benefits
36.10 Lab: design a readiness plan
Lesson 37: Advanced Tools and Frameworks
37.1 Zeek/Bro introduction
37.2 Using Zeek logs in forensics
37.3 Moloch/Arkime for PCAP indexing
37.4 SiLK toolset
37.5 NetworkMiner features
37.6 Xplico for stream reconstruction
37.7 Open-source vs commercial tools
37.8 Integration across toolchains
37.9 Case study: Zeek-based detection
37.10 Lab: Zeek script development
Lesson 38: Malware Traffic Analysis Labs
38.1 Setting up a safe lab
38.2 Collecting malware samples
38.3 Running controlled infections
38.4 Capturing traffic safely
38.5 Identifying callbacks
38.6 Malware exfiltration artifacts
38.7 Comparing families of malware
38.8 Correlating sandbox and PCAP results
38.9 Case study: RAT traffic analysis
38.10 Lab: live malware PCAP analysis
Lesson 39: Forensic Case Studies
39.1 Targeted attack on financial sector
39.2 Insider data theft case
39.3 Nation-state breach investigation
39.4 Ransomware outbreak response
39.5 Cloud service compromise
39.6 Wireless eavesdropping case
39.7 Business email compromise
39.8 DDoS attribution
39.9 Cross-border evidence challenges
39.10 Lessons learned from case studies
Lesson 40: Career and Exam Preparation
40.1 Role of a GNFA professional
40.2 Career opportunities
40.3 Mapping skills to GNFA objectives
40.4 Study resources
40.5 Practice labs
40.6 Common exam pitfalls
40.7 Time management during exam
40.8 Test-taking strategies
40.9 Maintaining certification (CPEs)
40.10 Career roadmap after GNFA
Lesson 41: SSH Traffic Analysis
41.1 Structure of SSH sessions
41.2 Detecting brute-force attempts
41.3 Identifying anomalous SSH usage
41.4 Encrypted command channels
41.5 File transfer via SCP/SFTP
41.6 Detecting tunneling via SSH
41.7 Case study: SSH misuse
41.8 Traffic fingerprinting methods
41.9 Lab: analyze SSH traffic
41.10 Forensic challenges in SSH
Lesson 42: VPN and Tunneling Forensics
42.1 VPN technologies overview
42.2 IPsec analysis
42.3 SSL VPN traffic
42.4 VPN misuse for exfiltration
42.5 Identifying tunneled traffic
42.6 GRE and other tunnels
42.7 Traffic fingerprinting of VPN apps
42.8 Case study: VPN-enabled insider threat
42.9 Lab: VPN traffic analysis
42.10 Attribution challenges with VPN
Lesson 43: Advanced Attack Detection
43.1 Multi-stage attack analysis
43.2 Detecting port scans
43.3 Exploit kit traffic
43.4 C2 frameworks (Cobalt Strike, Metasploit)
43.5 Obfuscation and evasion techniques
43.6 Detecting supply chain attacks
43.7 Zero-day traffic indicators
43.8 Case study: multi-vector attack
43.9 Lab: detect port scan/exploit traffic
43.10 Best practices in advanced detection
Lesson 44: Data Carving from Network Traffic
44.1 Reassembling fragmented traffic
44.2 File carving from PCAPs
44.3 Extracting images and documents
44.4 Reconstructing executables
44.5 Identifying corrupted streams
44.6 Tools for carving (NetworkMiner, Xplico)
44.7 Case study: file recovery from traffic
44.8 Legal implications of carved files
44.9 Lab: carving exercises
44.10 Evidence cataloging post-carving
Lesson 45: Timeline Reconstruction
45.1 Building a timeline from PCAPs
45.2 Synchronizing with logs
45.3 Event correlation techniques
45.4 Highlighting attacker dwell time
45.5 Identifying initial compromise
45.6 Mapping lateral movement
45.7 Exfiltration event correlation
45.8 Timeline visualization tools
45.9 Case study: reconstructing full incident
45.10 Lab: timeline reconstruction exercise
Lesson 46: Network Forensics in SOC Operations
46.1 Role of network forensic analyst in SOC
46.2 Alert triage workflow
46.3 Escalation procedures
46.4 Forensic support to Tier 1/2 analysts
46.5 Real-time packet inspection
46.6 Using threat intelligence feeds
46.7 SOC-IR team collaboration
46.8 Case study: SOC-led forensic investigation
46.9 Lab: SOC workflow simulation
46.10 Performance metrics for forensic analysts
Lesson 47: Emerging Technologies and Challenges
47.1 5G network forensic implications
47.2 IoT device traffic analysis
47.3 Edge computing forensics
47.4 Quantum-safe encryption impact
47.5 AI-driven malware detection
47.6 Blockchain-based communication
47.7 Encrypted DNS (DoH/DoT) challenges
47.8 Case study: IoT botnet traffic
47.9 Emerging forensic tools
47.10 Future trends in network forensics
Lesson 48: Hands-on Capture the Flag (CTF) Exercises
48.1 Structure of forensic CTFs
48.2 Setting up a practice environment
48.3 Common CTF challenges
48.4 Packet dissection exercises
48.5 Protocol decoding challenges
48.6 Traffic anomaly hunts
48.7 Malware PCAP hunts
48.8 File reconstruction challenges
48.9 Final forensic CTF competition
48.10 Lessons learned from CTFs
Lesson 49: Review and Knowledge Consolidation
49.1 Review of TCP/IP fundamentals
49.2 Review of Wireshark/TShark techniques
49.3 Review of NetFlow and logs
49.4 Review of DNS/HTTP/SMTP analysis
49.5 Review of SSL/TLS techniques
49.6 Review of exfiltration methods
49.7 Review of malware/APT detection
49.8 Review of incident response integration
49.9 Practice questions and mock exam
49.10 Lab: integrated case review
Lesson 50: Capstone Project: End-to-End Investigation
50.1 Scenario introduction
50.2 Setting investigation objectives
50.3 Collecting relevant PCAPs and logs
50.4 Initial triage of traffic
50.5 Identifying malicious indicators
50.6 Reconstructing attacker timeline
50.7 Detecting exfiltration attempts
50.8 Drafting final forensic report
50.9 Presenting findings to stakeholders
50.10 Capstone defense and feedback

![GIAC Network Forensic Analyst (GNFA) Expert-Led Video Course - MASTERYTRAIL](https://masterytrail.com/wp-content/uploads/2025/09/9cf11434-9321-4ba4-a44a-b15d91df3d1f.jpg)
