
Network Forensics

Packet capture analysis, flow record examination, protocol dissection, intrusion evidence identification, and network-based threat hunting using Wireshark, Zeek, Suricata, and NetworkMiner.

What You Learn

A structured, foundation-to-professional pathway in network forensic analysis, following forensic methodology accepted in Australian courts.

Network Forensics teaches systematic, defence-ready forensic examination of network traffic: packet capture analysis, protocol dissection, intrusion identification, flow record examination, and preparing court-admissible network evidence — aligned to ASD Essential Eight, ISM, and Australian federal court standards.
Core Module

Packet Capture & Protocol Analysis

Full-stack PCAP dissection with Wireshark and tshark, TCP/UDP/ICMP analysis, application-layer protocol decoding (HTTP, DNS, SMB, TLS), and encrypted traffic fingerprinting.

  • Level: Intermediate
  • Labs: 10 hands-on
Core Module

Flow Records & Network Metadata

NetFlow/IPFIX analysis, connection pattern detection, volumetric anomaly identification, and extracting investigative leads from flow-level metadata.

  • Level: Intermediate
  • Labs: 6 hands-on
Professional

Intrusion Detection & Threat Hunting

Zeek connection logs, Suricata alert triage, IDS signature writing, C2 beaconing detection, DNS tunnelling identification, and lateral movement spotting in network telemetry.

  • Level: Advanced
  • Labs: 12 hands-on

Module Content

Practical, operator-grade exercises using real-world PCAP datasets, intrusion scenarios, and network forensic tool suites.

This Network Forensics module covers: packet capture and analysis with Wireshark and tshark, flow record examination with NetFlow/IPFIX, intrusion detection with Zeek and Suricata, C2 beacon detection, DNS tunnelling analysis, file carving from network captures, and network evidence handling for legal proceedings.

Wireshark Mastery

Display filters, colouring rules, protocol dissection, stream following, export objects, and building custom PCAP analysis profiles for forensic workflows.

Command-Line PCAP with tshark

Scripting packet analysis at scale, field extraction, statistical summaries, and integrating tshark output with SIEM and reporting tools.

Zeek Network Security Monitor

Connection logging (conn.log), DNS analysis (dns.log), HTTP tracking (http.log), file extraction, and writing custom Zeek scripts for forensic detection.

Suricata IDS for Forensics

Rule writing, alert classification, PCAP replay for retrospective detection, and integrating Suricata with network forensic workflows.

C2 Beacon & Exfiltration Detection

Detecting periodic beaconing patterns, DNS tunnelling entropy analysis, HTTPS exfiltration identification, and covert channel hunting with statistical methods.

NetworkMiner File Carving

File extraction from PCAPs, certificate extraction, credential recovery from clear-text protocols, and building an evidence package from network captures.

Tools & Standards Used

A professional network forensics environment, held to the same standards as Australian federal and state cybersecurity operations centres.

Hacking101 Network Forensics is taught using: Wireshark, tshark, Zeek (formerly Bro), Suricata, NetworkMiner, Arkime (formerly Moloch), and custom PCAP datasets simulating real Australian intrusion scenarios. Compliance benchmarks include ASD Essential Eight (network monitoring), ASD ISM 1534, and relevant state Evidence Act provisions for network-derived evidence.
  • ASD Essential Eight
  • ASD ISM
  • AFP Forensic Guidelines
  • $10M Cyber Liability
  • AU-East Hosted

Advisors

This module is built under the express tutelage of two specialist practitioners who bring together the cutting edge of machine learning and the hard-won credibility of the courtroom. You study directly under their guidance.

Christopher Tran — Resident Machine Learning Expert

Christopher Tran provides the express tutelage for the AI and machine learning components of this module. He will show you, step by step, how machine-learning-driven anomaly detection, behavioural baselining with neural networks, and predictive C2 detection algorithms converge to enhance and strengthen network forensic analysis. Under his instruction you will build and apply real machine learning pipelines: automated anomaly scoring from network telemetry, behavioural baselining using recurrent neural networks (RNNs) and autoencoder architectures on flow-level features, predictive classification of command-and-control traffic patterns using gradient-boosted trees and deep-learning ensembles, and adversarial robustness validation against evasive malware that deliberately shapes its traffic to avoid detection — tooling designed to support and strengthen the forensic examiner's conclusions, never to replace them. Christopher ensures every student leaves with a working understanding of how AI augments the network forensics analyst's eye, from preprocessing packet captures through to generating court-ready visual evidence of intrusion indicators.
Ms. Linda Morrell — ASFDE (Australasian Society of Forensic Document Examiners)

Ms. Linda Morrell is a bona fide, dues-paying member of the Australasian Society of Forensic Document Examiners — the peak professional body governing forensic document examination across Australia and New Zealand. She has been directly involved in hundreds of Australian cases spanning civil fraud, probate disputes, identity theft, and criminal forgery prosecutions. Her expert opinions on signature fraud and questioned document examination have been tendered and accepted in Australian courts, where she is recognised as a respected authority whose testimony withstands adversarial cross-examination. In this module, Ms. Morrell provides the express tutelage for the evidence-handling methodology, courtroom preparation, and professional practice components that ensure network-derived evidence meets Australian courtroom admissibility standards. She teaches chain-of-custody for digital network captures, structured opinion formation on network-derived findings, expert report writing for intrusion evidence, and witness-box conduct — the same standards she herself applies when stepping into an Australian courtroom. Her involvement ensures that every technique taught in this course meets the admissibility benchmarks expected by Australian federal and state courts.
Christopher Tran

Machine Learning Specialist

Resident expert providing express tutelage in AI-enhanced network forensic analysis. Christopher teaches ML-driven anomaly detection in network traffic, behavioural baselining with neural networks, predictive C2 detection algorithms, and how to generate court-admissible visual evidence from machine learning outputs — all tooling built and demonstrated within this module.

Ms. Linda Morrell

ASFDE — Australasian Society of Forensic Document Examiners

Bona fide ASFDE member with direct involvement in hundreds of Australian cases. A courtroom-recognised authority on signature fraud whose expert opinions have been accepted in Australian federal and state jurisdictions. Ms. Morrell provides the express tutelage for evidence-handling methodology, courtroom preparation, and ensuring network-derived evidence meets the admissibility benchmarks expected by Australian courts — ensuring every student learns to the standard she herself upholds under cross-examination.

Study Options

Self-Paced Essential

$1,790
  • Full module video library
  • 28+ hands-on lab exercises
  • Certificate of completion
  • Access to custom PCAP datasets

Frequently Asked Questions

What PCAP datasets do you use?
Hacking101 provides custom PCAP datasets built from real Australian intrusion scenarios, plus curated captures from public repositories (Maldoc, Stratosphere IPS, etc.). You also learn to generate your own in the lab.
