NIT480, Live Network Investigations (LNI)


Who Should Attend:
DoD, federal law enforcement and technical support staff who require the ability to investigate live network traffic and environments.

Prerequisites:
TT110 (INCH), RT120 (CIRC), NIT301 (NMC), NIT470 (ALA), FT210 (WFE-E) or FT215 (WFE-FTK), and one of the following: IT250 (FISE), IT260 (FIWE) or IT270 (FILE)

Duration:
10 Days

Course Description:
Trains students to conduct an intrusion investigation on large-scale, heterogeneous networks that are actively being compromised by unknown attackers. Students learn to assess the scope of a live, dynamic incident and apply a variety of investigative techniques while on-scene to identify the source, target, and methods of a network compromise through the use of free and commercially available tools.

Objectives:

  • Prepare for and assess the scope of a live, dynamic network incident response
  • Apply a variety of investigative techniques while on-scene
  • Identify the source, methods used, and target of an intrusion
  • Explain how to collect evidence in a live enterprise environment
  • Perform an initial scope assessment with minimal data and constantly reassess scope based upon new findings
  • Collect and analyze volatile data from multiple network devices and compromised computers
  • Set up a system of network monitoring sensors and readjust the sensors during the course of the investigation
  • Conduct a timely and efficient intrusion investigation on live servers with a variety of operating systems
  • Use system entrenchment and monitoring techniques to further identify malicious activity on a known-compromised network segment

Topics Covered:

Enterprise Networks and Intrusions

  • Enterprise Architecture and Intrusion Methodology

Investigative Methodology

  • Incident Response Lifecycle
  • Incident Preparation, Case Management and Investigating Using the Scientific Method

LNI Detection and Analysis

  • Witness Device Processing
  • System Processing: Tools, Volatile Data Analysis and Direct Command Execution, Memory Dump, Live Imaging and Analysis
  • Network Monitoring
  • Malicious Code Analysis

Continuation of the Incident Response Lifecycle

  • Containment, Eradication, Recovery and Post-Incident Activities
  • Interim and Final Reports