Government of Canada

Network Intrusion and Incident Investigation (NETINT)

Purpose

To achieve prowess in the area of network intrusion and incident investigation, a tech crime investigator must master concepts and skill sets encompassing various aspects of network security, incident handling, intrusion detection and computer crime investigation. To this end, this course is designed to arm high-tech crime investigators with the basic knowledge and skills necessary to evaluate a network intrusion complaint, determine the need to investigate the incident, and complete a successful investigation of the incident when warranted.

On this course, participants will review core Internet networking concepts and examine them more thoroughly from an incident investigator’s perspective. They will learn what types of logging information sources can be employed to assess an intrusion or incident, and discover how to apply techniques for properly gathering such evidence. Drawing on existing networking knowledge, participants will learn how to process and correlate their digital evidence using high-level analysis tools and incident assessment metrics. Participants will then learn how to use their analysis to establish the type and scope of a reported incident, assess the need for investigation and further any necessary investigative efforts towards a successful case conclusion. Finally, participants will become versed in common incident handling terminology, procedures and security concepts as well as the use of investigative aids such as attacker profiling and tracking for situations where they are required to coordinate with network administrators and security professionals in the public and private sectors.

Objectives

At the end of this course, successful participants will be able to:

  • Confer with complainants of varied technical ability;
  • Evaluate a complaint of network intrusion or other network security-related incident;
  • Capture network traffic with an industry-accepted packet sniffer;
  • Determine the network addressing schemes employed in a network, the routes into and out of a network, and the access controls on network traffic;
  • Distinguish normal traffic from abnormal protocol subversion or exploitation in order to focus the investigative effort;
  • Determine the scope and impact of a network security incident;
  • Use industry-standard examination tools to manage network traffic data sets and filter out events of interest;
  • Recognise the multi-jurisdictional aspects of an incident and modify their investigative strategies accordingly;
  • Recognise major categories of an exploit or attack;
  • Assess which intrusion detection techniques are most suited to a particular situation;
  • Employ intrusion detection tools as part of an incident examination tool kit;
  • Formulate and apply effective analysis strategies;
  • Gather logging evidence provided by routers and network security devices in a network and decipher how the operation of these devices may have influenced the perception of network events;
  • Engage in formal and informal avenues of coordination and information sharing with other law enforcement agencies and investigative bodies at local, national or international levels; and
  • Recognise common types of intrusion detection systems and the reporting capabilities they possess.

Course Content

  • TCP/IP fundamentals
  • application protocols
  • packet sniffing and principles of network traffic examination
  • foundations of network security
  • exploits and attacks
  • routers and network security devices
  • network intrusion detection and related tools
  • introductory log analysis
  • incident assessment and investigation
  • multi-jurisdictional investigations

Participant Selection Criteria

Participants are required to fulfill the following criteria in order to be admitted on this course. They must:

  • be established as a technological crime investigator with a requirement to investigate network intrusion or network security-related cases;
  • have successfully completed the following CPC courses:
    • Computer Forensic Examiner Course
    • Network Principles and Investigative Techniques Course
    • Linux Forensic Techniques Course
    or provide sufficient justification if they feel they have the requisite knowledge;
  • have completed the pre-course reading assignment (provided upon course registration); and
  • be comfortable with using both Windows- and Linux-based operating systems.

Participant Assessment

The course consists of interactive lecture sessions and hands-on training exercises provided in the computer classrooms of the Technological Crime Learning Institute. Participants must be present for and participate in all course modules included in the syllabus in order to gain credit for this course.

To obtain certification, participants must successfully pass a written exam and a practical exam with an overall mark of 75% or more.

Duration of Course: Two weeks (10 working days)

Location: Canadian Police College campus in Ottawa

Number of Participants: A minimum of 12 participants is required to deliver this course, up to a maximum of 20 participants

Language: This course is offered in English