Certified Network Forensic Analysis Manager (C-NFAM)

The Certified Network Forensic Analysis Manager certification course was originally developed for the U.S. government, and has now been made available to city, county, and state law enforcement agencies. Civilian personnel outside of the law enforcement community are also authorized to attend and will receive practical training for their business environments.

This comprehensive course brings incident response and network forensic core competencies to advanced levels by presenting students with 16 detailed learning objectives. Students will be provided with both experiential knowledge and practical skills that simulate real-world scenarios, investigations, and recovery of evidentiary data in systems and networks. Students will cover topics such as Incident Response Management, Live Data Collection, Analysis Methodology, and Malware Triage. Practical lab exercises utilize the Project Ares® Cyber Range and Wireshark network protocol analyzer software.

The Certified Cyber Incident Response Manager course is a component of the career progression track that supports the required Categories, Specialty Areas, and Work Roles defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. The framework provides a common language for describing cyber roles and jobs and can be referenced to define professional requirements in cybersecurity. The course maps to the following NICE Work Roles:

  • Counterintelligence Forensics Analyst (IN-FOR-001)
  • Cyber Defense Incident Responder (PR-CIR-001)
  • Cyber Defense Forensics Analyst (IN-FOR-002)
  • All Source-Collection Manager (CO-CLO-001)
  • Cyber Crime Investigator (IN-INV-001)
  • Exploitation Analyst (AN-EXP-001)

Course Outline and Knowledge Points

  • Network Forensics vs. Digital Forensics
  • What Constitutes an Incident?
  • What is Incident Response?
  • The Incident Response Life Cycle
  • Concept of the Attack Life Cycle
  • 7 Stages of the Attack Life Cycle
  • Firewall Functionality and Logging
  • Stateful vs. Stateless Inspection
  • Host-, Network-, and Application-Based Firewalls
  • Network Switches and Routers
  • Intrusion Detection and Prevention Systems
  • Unified Threat Management
  • Enterprise Services
  • Dynamic Host Configuration Protocol (DHCP)
  • Domain Name System (DNS)
  • Enterprise Management Applications
  • Antivirus Software
  • Web and Database Servers
  • Security Architecture Frameworks
  • Reference Security Architecture
  • The Secure Development Life Cycle
  • Architectural Design Documentation (ADD)
  • Architectural Domains: The Four Pillars
  • Zero Trust Networks
  • Common Security Incidents
  • Goals of Incident Response
  • Incident Response Team Considerations
  • Indicators of Compromise (IOCs)
  • Analyzing Data Evidence
  • Tracking Investigative Information
  • Understanding Elements of Proof
  • Incident Scene Management
  • Chain of Custody
  • The Purpose of Investigations
  • Investigative Interview Strategies
  • Documenting Interviews
  • Defining the Network Forensic Mission
  • Internal Communication Procedures
  • External Communication Procedures
  • Forensic Team Deliverables
  • Building a Field Forensic System
  • Preparing the Infrastructure
  • General Process for Performing Analysis
  • Available Sources of Data
  • Outlining the Analysis Approach
  • Selection of Analysis Methods
  • Special Considerations for Artifacts
  • Evaluating Analysis Results
  • The Case for Network Monitoring
  • Types of Network Monitoring
  • Setting Up a Network Monitoring System
  • Network Surveillance
  • Network Sensor Deployment
  • Network Logging Challenges
  • Time Zones and Investigative Timelines
  • Collecting Initial Facts
  • Network and Incident Checklists
  • Malware Details Checklists
  • Maintaining Case Notes
  • Building an Attack Timeline
  • Defining Leads of Value
  • Turning Leads into Indicators
  • The Life Cycle of Indicator Generation
  • Indicator Verification
  • Resolving Internal Leads
  • Reporting Findings to Law Enforcement
  • When to Perform a Live Response
  • Live Response Challenges
  • Selecting a Live Response Tool
  • Data Collection Considerations
  • Common Live Response Data
  • Collection Best Practices
  • Windows System Overview
  • System and Event Logs
  • Windows Registry Evidence
  • Windows Services and Processes
  • Memory Forensics
  • Alternative Persistence Mechanisms
  • Investigating Applications Overview
  • Windows: Application Data Storage
  • General Investigative Methods
  • Investigating Web Browsers
  • Investigating E-Mail Clients
  • Investigating Instant Message Clients
  • Malware Triage Concepts
  • Malware Handling Procedures
  • Malware Distribution and Documentation
  • Physical and Virtual Triage Environments
  • Automated, Manual, Static, and Dynamic Analysis
  • Malware Runtime Monitoring
  • Effective Incident Remediation
  • Assigning a Remediation Owner
  • Remediation Posturing Actions
  • Eradication Plan Development
  • Plan Timing and Execution
  • Strategic Recommendations and Lessons Learned

Course Learning Objectives

Upon successful completion of the C)CIRM training program, participants will be able to:

  • CLO #01: Identify the purpose of enterprise network devices such as firewalls (stateless, stateful, host, network, and application), switches, routers, access control lists, intrusion detection and prevention systems, unified threat management devices, and sources of critical logs.
  • CLO #02: Describe the purpose of enterprise network services such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), network-level DNS logging, management applications, antivirus software, quarantine files, and network log files.
  • CLO #03: Demonstrate network forensic and investigation techniques using labs and industry tools such as the Wireshark network protocol analyzer, Autopsy forensic software, and the Windows Registry Editor, including file and record carving, document and photo reconstruction, and recovery of deleted files.
  • CLO #04: Determine a malware policy based on industry best practices which addresses the identification of malicious files, initial triage, handling procedures, documentation and distribution guidelines, static and dynamic analysis methods, and the use of sandboxes for automated analysis.
  • CLO #05: Summarize investigative practices that include elements of proof, field investigation toolkits, incident scene management, evidence dynamics, chain of custody, investigative interview strategies, non-verbal communication, and Locard’s Principle of Exchange.
  • CLO #06: Evaluate critical sources of forensic evidence including Windows file systems, volatile and persistent memory, event logs, process tracking, web-based applications (browsers, email, and instant messages), malware files, and malicious websites.

Project Ares® Cyber Range Labs

Students enrolled in classroom or instructor-led online formats of this course will use the Project Ares® Cyber Range for practical labs. Project Ares® Cyber Range labs are available to self-study students for an additional fee.

Instructor-Led & Self-Guided Wireshark Lab Exercises

  • Creating the Virtual Machine for Labs
  • The Wireshark User Interface
  • Customizing Wireshark Settings
  • Applying Capture Filters
  • Applying Display Filters
  • Color Rules and Packet Export
  • Creating Tables and Graphs
  • File and Object Reassembly
  • Adding Comments to Trace Files
  • Command-Line Capture Tools

Course Training Materials

  • Exam Prep Guide
  • Course Workbook & Labs
  • Lab Images (if applicable)
  • Practice Assessment Quizzes
  • 40-Hour CPE Credit Certificate

Knowledge Assessment Examination

Upon completion of online courses, students will be prepared to sit for the knowledge assessment exam. The online examination consists of True/False, Multiple Choice, and Fill in the Blank questions. The exam may be taken at any time within 6 months of completing the certification course.

Students will have two hours to complete a computer-based examination consisting of 100 questions. A score of 70% or higher is required to earn the certification. Upon successful completion of the exam, students will be sent a hardcopy of their certification and their CPE credit documentation via email (PDF format) within 72 hours of the exam date.

The examination is “closed book.” However, students will be allowed to use their notes on material presented during the course as well as their Course Workbooks.