Certified Network Forensics Examiner – C)NFE

The Certified Network Forensics Examiner, C)NFE, certification was developed for a U.S. classified government agency. It’s purpose is to push students with a digital and network forensic skill set to the next level. In this course you will navigate through 20+ modules of network forensic topics.

CNFE course equips cybersecurity professionals with the skills to investigate cybercrimes, analyze network traffic, and detect security incidents. This advanced training covers forensic methodologies, intrusion detection, malware analysis, and legal considerations for handling digital evidence.

Participants will learn how to reconstruct network events, track attackers, and use forensic tools to uncover data breaches, insider threats, and cyber espionage activities. This certification is essential for professionals involved in incident response, SOC operations, and forensic investigations.

Learning Outcomes

By the end of this course, participants will be able to:
✅ Understand network forensics methodologies and digital evidence handling
✅ Capture and analyze network traffic for security investigations
✅ Detect and trace intrusion attempts, malware activity, and cyber threats
✅ Utilize Wireshark, Snort, and forensic analysis tools
✅ Investigate DDoS attacks, phishing scams, and insider threats
✅ Ensure legal compliance and maintain chain of custody
✅ Generate detailed forensic reports for legal proceedings

Detailed Outline:

Module 1 -Digital Evidence Concepts

• Overview
• Concepts in Digital Evidence
• Section Summary
• Module Summary

Module 2 -Network Evidence Challenges

• Overview
• Challenges Relating to Network Evidence
• Section Summary
• Module Summary

Module 3 – Network Forensics Investigative Methodology

• Overview
• OSCAR Methodology
• Section Summary
• Module Summary

Module 4 – Network-Based Evidence

• Overview
• Sources of Network-Based Evidence
• Section Summary
• Module Summary

Module 5 – Network Principles

• Background
• History
• Functionality
• FIGURE 5-1 The OSI Model
• Functionality
• Encapsulation/De-encapsulation
• FIGURE 5-2 OSI Model Encapsulation
• Encapsulation/De-encapsulation
• FIGURE 5-3 OSI Model peer layer logical channels
• Encapsulation/De-encapsulation
• FIGURE 5-4 OSI Model data names
• Section Summary
• Module Summary

Module 6 – Internet Protocol Suite

• Overview
• Internet Protocol Suite
• Section Summary
• Module Summary

Module 7 – Physical Interception

• Physical Interception
• Section Summary
• Module Summary

Module 8 – Traffic Acquisition Software

• Libpcap and WinPcap
• LIBPCAP
• WINPCAP
• Section Summary
• BPF Language
• Section Summary
• TCPDUMP
• Section Summary
• WIRESHARK
• Section Summary
• TSHARK
• Section Summary
• Module Summary

Module 9 – Live Acquisition

• Common Interfaces
• Section Summary
• Inspection Without Access
• Section Summary
• Strategy
• Section Summary
• Module Summary

Module 10 – Analysis

• Protocol Analysis
• Section Summary
• Section 02
• Packet Analysis
• Section Summary
• Section 03
• Flow Analysis
• Protocol Analysis
• Section Summary
• Section 04
• Higher-Layer Traffic Analysis
• Section Summary
• Module Summary

Module 11 – Layer 2 Protocol

• The IEEE Layer 2 Protocol Series
• Section Summary
• Module Summary

Module 12- Wireless Access Points

• Wireless Access Points (WAPs)
• Section Summary
• Module Summary

Module 13 – Wireless Capture Traffic and Analysis

• Wireless Traffic Capture and Analysis
• Section Summary
• Module Summary

Module 14 – Wireless Attacks

• Common Attacks
• Section Summary
• Module Summary

Module 15 – NIDS_Snort

• Investigating NIDS/NIPS
• and Functionality
• Section Summary
• NIDS/NIPS Evidence Acquisition
• Section Summary
• Comprehensive Packet Logging
• Section Summary
• Snort
• Section Summary
• Module Summary

 

Module 16 – Centralized Logging and Syslog

• Sources of Logs
• Section Summary
• Network Log Architecture
• Section Summary
• Collecting and Analyzing Evidence
• Section Summary
• Module Summary

Module 17 – Investigating Network Devices

• Storage Media
• Section Summary
• Switches
• Section Summary
• Routers
• Section Summary
• Firewalls
• Section Summary
• Module Summary

Module 18 – Web Proxies and Encryption

• Web Proxy Functionality
• Section Summary
• Web Proxy Evidence
• Section Summary
• Web Proxy Analysis
• Section Summary
• Encrypted Web Traffic
• Section Summary
• Module Summary

Module 19 – Network Tunneling

• Tunneling for Functionality
• Section Summary
• Tunneling for Confidentiality
• Section Summary
• Covert Tunneling
• Section Summary
• Module Summary

Module 20 – Malware Forensics

• Trends in Malware Evolution
• Section Summary
• Module Summary

Detailed Labs Outline:

Module 4, 5 and 6 – Working with captured files

• Lab 1: Sniffing with Wireshark
• Lab 2: HTTP Protocol Analysis
• Lab 3: SMB Protocol Analysis
• Lab 4: SIP/RTP Protocol Analysis
• Lab 5: Protocol Layers

Module 7, 8, 9, 10, 11 – Evidence Acquisition

• Lab 6: Analyzing the capture of MacOf
• Lab 7: Manipulating STP algorithm
• Lab 8: Active Evidence Acquisition

Module 12, 13, 14 – Wireless Traffic Evidence Acquisition

• Lab 9: IEEE 802.11

Module 15: IDS/IPS Forensics

• Lab 10: Use Snort as Packet Sniffer
• Lab 11: Use Snort as Packet Logger
• Lab 12: Check Snort’s IDS abilities with pre-captured attack pattern files

Module 16 and 21 – Network forensics and investigating logs

• Lab 13: Syslog lab
• Lab 14: Network Device Log
• Lab 15: Log Mysteries

Modules 17, 18 – SSL and Encryption

• Lab 16:
  • Step 1: Open a Trace
  • Step 2: Inspect the Trace
  • Step 3: The SSL Handshake
  • Hello Messages
  • Certificate Messages
  • Client Key Exchange and Change Cipher Messages
  • Alert Message
• Lab 17: SSL and Friendly Man-in-the-middle

Module 20 – Malware Forensics

• Lab 18: Analyzing Malicious Portable Destructive Files
• Lab 19: Mobile Malware