Network Archaeology


Tracking malware activity, malicious user activity, and accidental insiders through the network can be a challenge. Start with network analysis fundamentals and build up more complex analysis. Dig into basic cryptanalysis and obfuscation. Finally apply all your skills to reverse engineer custom binary protocols with obfuscation to stay on the trail.

Inspect network traffic and log files to find evidence, malware, or behavior. Reverse engineer unknown binary protocols and dig for covert channels hidden in standard network protocols. Analyze encrypted data to extract keys.

What to Expect

Network Archaeology is a self-paced lab class with intermittent instructor lectures. Some participants may find the first dozen or so labs easy; they are encouraged to proceed through them as quickly as they like. The instructor will lead occasional “how-to” lectures, starting with the first lab, eventually bringing the class to the same point. Between lectures, instructors will wander the room helping people with labs.

This class is taught using Linux. The instructor will use command-line tools exclusively, composing them into increasingly powerful tools, but participants can make decent progress using Wireshark (local install) and CyberChef (web-based tool).

Classes generally start at 8:00 AM and wrap up at 5:00 PM. Please consult the schedule for this event for exact times. Mid-morning, lunch, and mid-afternoon breaks give you a chance to clear your mind or continue working on exercises at your discretion.

Each lab exercise either introduces new concepts or builds on previously presented concepts. Very few people make it through every exercise, so come ready to be constantly engaged and learning.

Day 1 (typically):

  • Hexadecimal
  • Network Protocols (HTTP, SMTP, FTP, SSL, DNS)
  • Byte structure of TCP/IP
  • Encoding schemes (Hex, Base64)
  • Examining packet captures
  • Extracting transferred data from packet captures
  • Attack techniques against weak encryption
  • Helpful tools for Network Archaeology

Day 2 (typically):

  • Entropy as it relates to cryptography
  • Application-layer protocol tunnelling
  • Using sequencing meta-information to reconstruct transferred information
  • Analysis and decoding of novel binary protocols with no prior knowledge
  • Attacking novel compression with no prior knowledge
  • Attacking novel weak cryptography with no prior knowledge

Who should attend?

  • Networking engineers
  • Software engineers
  • Applied Mathematicians
  • System Administrators
  • Site Reliability Engineers

Is this the right class for me?

This class is broadly interesting to anyone who wants a better understanding of network packet forensic techniques. Even if you don’t intend to engage in this activity in your job, going through the instructor-led exercises will provide insight into challenges facing your organization.

What should I bring?

  • Linux (inside a VM is fine, use Ubuntu 16.04 or later if you don’t have a preference)
  • 100 MB of free hard drive space
  • Wireless Networking
  • Development tools: gcc, make (build-essential package in Ubuntu)
  • Wireshark
  • Chrome, Chromium, or Firefox

Laptop Configuration

Laptop and software setup sessions usually happen the afternoon or evening before the first day of class. Please check the schedule for details and come early if you would like help making sure everything is ready to go for class.

Ubuntu / Debian Machines

sudo apt install build-essential wireshark vim file tcpdump tcpflow curl
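After installing, it is worth confirming that every tool the class depends on is actually on your PATH before the first lab. The script below is an added readiness check, not part of the course materials; it covers the tools named in the install line above and in the list for other Linux distributions. It assumes that build-essential supplies gcc and make, that the wireshark package supplies either the wireshark GUI or the tshark command-line tool, and the browser executable names it searches for (google-chrome, chromium, chromium-browser, firefox) are assumptions about how those browsers are packaged.

```shell
#!/bin/sh
# Readiness check for the Network Archaeology lab laptop (added example,
# not part of the course materials). Looks for each required executable
# on PATH and reports what is still missing.

# Tools the class asks for, expressed as the executables they provide.
# Assumption: build-essential gives us gcc and make; python3 is listed
# separately because Ubuntu ships it by default.
REQUIRED_TOOLS="gcc make vim file tcpdump tcpflow curl python3"
# Assumption: common executable names for the accepted browsers.
BROWSERS="google-chrome chromium chromium-browser firefox"

# check_tool NAME -> returns 0 if NAME is on PATH, 1 otherwise
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# any_tool NAME... -> returns 0 if at least one of the names is on PATH
any_tool() {
    for t in "$@"; do
        if check_tool "$t"; then
            return 0
        fi
    done
    return 1
}

# missing_tools NAME... -> prints the names that are not on PATH, one per line
missing_tools() {
    for t in "$@"; do
        check_tool "$t" || printf '%s\n' "$t"
    done
}

# readiness_report -> prints one line per item; returns 0 only if all are present
readiness_report() {
    status=0
    # Unquoted on purpose: split the space-separated list into words.
    for t in $REQUIRED_TOOLS; do
        if check_tool "$t"; then
            printf 'ok       %s\n' "$t"
        else
            printf 'MISSING  %s\n' "$t"
            status=1
        fi
    done
    # Assumption: the wireshark package provides the GUI and/or tshark.
    if any_tool wireshark tshark; then
        printf 'ok       wireshark\n'
    else
        printf 'MISSING  wireshark (neither wireshark nor tshark found)\n'
        status=1
    fi
    if any_tool $BROWSERS; then
        printf 'ok       browser\n'
    else
        printf 'MISSING  browser (Chrome, Chromium or Firefox)\n'
        status=1
    fi
    return $status
}

# Run the report. Using the function as an if-condition keeps a missing
# tool from aborting the script if the shell is running with set -e.
if readiness_report; then
    echo "All set for class."
    READY=yes
else
    echo "Install the missing items before class."
    READY=no
fi
```

Run it with `sh readiness.sh` (any file name will do); every line marked MISSING names something to install, and the final line tells you whether you are ready. On distributions other than Ubuntu or Debian the package names differ, but the executables the script looks for are the same.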

Other Linux

Here is what you should bring, either in a virtual machine, or natively on your laptop:

  • Your favorite Linux flavor: we suggest Ubuntu 16.04
  • Wireshark
  • Chrome, Chromium, or Firefox
  • Python 3
  • Vim
  • File (the Unix utility)
  • Tcpdump
  • Tcpflow
  • Curl
  • One of the following: