Jonathan Ham on the web
This is the canonical site for all courseware for “Network Forensics: Hunting with Packets”. Links to course materials will be posted here as they become available.
If there’s something we’ve said we’d post and you don’t see it here, check back, or please email or tweet @jhamcorp!
Things like recommended reading lists, etc., are coming soon here!

Network Forensics: Hunting with Packets
Antisyphon InfoSec Training
January 25 @ 11:00 am - January 28 @ 4:00 pm EDT, $495. Register HERE.

Threat hunting is all the rage! The idea is to take the fight to Evil, rather than waiting for Evil to inform us that our assets are pwnd (and kindly cough up some Bitcoin, please). But how do we accomplish this? Unfortunately, what’s finally in vogue is still pretty vague in practice.
Generally, hunting is fundamentally about identifying and understanding our quarry, the field within which it dwells, the ways in which it can be found and positively identified, and successfully taking it out of the field. In Montana, we then typically fieldstrip it and put it in our freezers, but that’s a very specific case generally involving only elk and deer.
That’s what this course is for: understanding the mechanics behind the field, the quarry, the scopes, and the firing pins. Because let’s face it: if your quarry knows the hunt better than you, and they typically do, you’ll never succeed.
We’ll cover the TCP/IP protocol structures mechanically: what they are for, how they work, how they can be subverted, and most importantly, how to tell the difference. What is it about the way name resolution protocols work that makes them such fantastic protocols to abuse? And in so many ways? What secrets can hide in a simple TCP 3-Way Handshake? Why would I care about an ICMP type 3 code 12 message?
We’ll also cover the basics of the tools of our tradecraft, and how they work as well: libpcap, Berkeley Packet Filtering (BPF), tshark, Zeek, Snort, etc., with actual nuts and bolts. Also, we’ll review why sometimes the bolts get stripped and the nuts don’t screw on quite right.
If you’re looking at packets in hex, and you notice that a TCP acknowledgement number of 0xC0A80A64 seems sort of suspicious, then get back to work. If you’re supposed to be hunting threats today, and you’re unsure why a TCP acknowledgement number of 0xC0A80A64 might seem suspicious, then register for this course.
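As an added illustration of the kind of check the paragraph above hints at (this is example code written for this page, not course material or a tool from the course), the snippet below parses the fixed 20-byte TCP header from raw bytes and flags sequence or acknowledgement numbers that happen to decode as private, loopback or link-local IPv4 addresses. The sample header is constructed inline; its acknowledgement number is the 0xC0A80A64 mentioned above, which as a dotted quad reads 192.168.10.100. The heuristic is deliberately cheap: a legitimate random initial sequence number lands in those ranges by chance a small fraction of the time, so a hit is a prompt to look closer at the flow, not proof of anything by itself.

```python
import ipaddress
import struct

# Layout of the fixed TCP header (RFC 793): ports, seq, ack, offset/flags,
# window, checksum, urgent pointer. Options, if any, follow these 20 bytes.
TCP_FIXED_HEADER = struct.Struct("!HHIIHHHH")

# Constructed sample header for this example (not a real capture):
# source port 4444, destination port 80, ACK flag set, no options.
SAMPLE_TCP_HEADER = TCP_FIXED_HEADER.pack(
    4444,        # source port
    80,          # destination port
    0x11223344,  # sequence number (decodes to 17.34.51.68, a public address)
    0xC0A80A64,  # acknowledgement number (decodes to 192.168.10.100)
    0x5010,      # data offset 5 (20 bytes) in the high nibble, ACK flag in the low bits
    65535,       # window
    0,           # checksum (left zero; this sample is never sent on the wire)
    0,           # urgent pointer
)


def parse_tcp_header(raw: bytes) -> dict:
    """Unpack the fixed part of a TCP header into named fields.

    Raises ValueError if fewer than 20 bytes are supplied, so a truncated
    capture is reported rather than silently misparsed.
    """
    if len(raw) < TCP_FIXED_HEADER.size:
        raise ValueError("TCP header truncated: %d bytes" % len(raw))
    sport, dport, seq, ack, off_flags, window, csum, urg = TCP_FIXED_HEADER.unpack_from(raw)
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x01FF,           # NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
        "window": window,
        "checksum": csum,
        "urgent": urg,
    }


def address_like_fields(hdr: dict) -> list:
    """Return (field, dotted_quad) pairs for seq/ack values that look like
    private, loopback or link-local IPv4 addresses.

    Any 32-bit value is *some* IPv4 address; only the reserved ranges are
    rare enough in genuinely random sequence numbers to be worth a second look.
    """
    findings = []
    for name in ("seq", "ack"):
        addr = ipaddress.IPv4Address(hdr[name])
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    header = parse_tcp_header(SAMPLE_TCP_HEADER)
    print("ack=0x%08X" % header["ack"])
    for field, dotted in address_like_fields(header):
        print("%s field decodes to %s" % (field, dotted))
```

Run against a real capture, the same two functions would be applied to each TCP segment after the IP header has been stripped, and a hit would be correlated with the rest of the conversation (handshake, payload, timing) before anything is concluded.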

Course Materials/Requirements:
The virtual machine is a slightly modified version of Security Onion, v16.04.6.4, built on VMware Workstation 16 Pro. It should run just fine in either VMware Workstation or Player (other hypervisor platforms may work but have not been tested). The VM has been configured to expect:
64GB HDD space (split files)
2 CPU cores
Bridged networking, with DHCP available on the local LAN/WLAN.
The files to download are jhc_SO- and jhc_SO-
I advise you to download it and test it out in advance. It is ~3.7GB. The username is “student” and the password (including for “sudo”) is “jhc_packets”.
Whatever you do, please do not update or upgrade anything prior to class, as this may break the labs in unknown ways.

The optional course textbook is Network Forensics: Tracking Hackers Through Cyberspace.

The lecture/lab slides will be posted here shortly before class begins.