The Network Evidence Landscape
What this course is
This is a practical network detection and forensics course — packet-level investigation, protocol analysis, signature detection, and network security monitoring across the full investigation lifecycle. Fifteen modules take you from the network evidence landscape through production NSM architecture, covering the protocols and techniques that matter most for modern network investigation.
The network saw everything. The packets that carried the C2 commands, the DNS queries that resolved the attacker's infrastructure, the exfiltration that moved the data out, the lateral movement that spread the compromise — every action an attacker takes on a network produces evidence that an investigator can recover. Disk forensics requires a disk. Memory forensics requires a capture. Log analysis requires logs. But the wire was always there, and if you had sensors in place and retention that covered the incident window, the evidence was recorded.
This course teaches the investigation methodology that turns raw network evidence into findings. Not Wireshark display filters — systematic investigation using Zeek logs, Suricata signatures, full-packet capture analysis, NetFlow analytics, and DNS trail reconstruction. The existing Wireshark skill on this platform teaches tool mechanics. This course starts where that skill ends — the methodology, the detection engineering, and the architectural decisions that determine whether evidence exists when you need it.
Every investigation scenario uses Northgate Engineering PCAPs — realistic network traffic with attack indicators buried in legitimate enterprise noise. Five NE incidents thread through the course, two cross-reference the Practical IR course scenarios, two cross-reference Linux IR, and the capstone (INC-NE-2026-0830) is an NF-exclusive investigation. If you've completed IR or Linux IR, you'll investigate the same incidents from a fundamentally different evidence source — the network perspective that endpoint evidence alone can't provide.
What this course teaches
Fifteen modules across four phases. NF0 and NF1 are free — no account required.
Phase 1 — Foundations (NF0, NF1). You are here now. NF0 establishes why network evidence matters, introduces the five network evidence types (full-packet capture, session metadata, transaction logs, alert data, statistical records), the Capture-Detect-Investigate methodology, the NSM philosophy, the toolchain, and the NE scenarios. NF1 walks you through building your NSM sensor — an Ubuntu VM with Zeek and Suricata configured to process PCAP files and live traffic.
Phase 2 — Protocol Analysis (NF2–NF7). Six modules covering the protocols that matter for investigation. PCAP acquisition and management — capture methods, BPF filters, storage strategy, and evidence handling (NF2). DNS — the protocol that sees everything: query logs, passive DNS, tunneling detection, DGA identification, and DNS-based C2 (NF3). HTTP/HTTPS and web traffic analysis — URL analysis, TLS fingerprinting (JA3/JA4), certificate anomaly detection, and web-based C2 identification through encrypted traffic (NF4). SMB, RPC, and Windows network protocols — lateral movement detection, file transfer analysis, named pipe activity, and AD replication traffic (NF5). SSH, tunneling, and encrypted channels — SSH session analysis, port forwarding detection, tunnel identification, and encrypted channel anomaly detection (NF6). Email protocols and phishing investigation — SMTP analysis, header forensics, attachment extraction, and phishing delivery chain reconstruction (NF7).
Phase 3 — Detection and Hunting (NF8–NF11). Four modules building the detection and hunting capability. Suricata rule writing and signature detection — rule syntax, protocol-specific signatures, performance tuning, and a production rule library (NF8). C2 detection and beacon analysis — beacon interval analysis, JA3/JA4 fingerprinting for C2 identification, DNS-based C2, and encrypted C2 detection through traffic analysis (NF9). NetFlow, IPFIX, and traffic analytics — flow-based investigation, volume anomalies, long-connection detection, and statistical analysis for exfiltration identification (NF10). Network threat hunting — hypothesis-driven hunting with Zeek logs and NetFlow, hunting cadence, and the query library that makes hunting sustainable (NF11).
Phase 4 — Investigation and Capstone (NF12–NF14). Three modules applying everything to complete investigations. Network evidence in incident response — integrating network findings with endpoint and cloud evidence, timeline construction from network data, and the network evidence section of an IR report (NF12). NSM architecture for production — sensor placement strategy, capture points, retention planning, performance tuning, and scaling from lab to enterprise (NF13). Capstone: INC-NE-2026-0830 — a complete network investigation with no guidance, using every technique from the course (NF14).
You can study the course linearly (NF0 → NF14) or selectively once Phase 1 is complete. Phase 2 modules can be reordered based on your investigation focus — if DNS is your priority, start with NF3; if lateral movement matters most, start with NF5. Phase 3 requires Phase 2 concepts. Phase 4 requires Phases 2 and 3.
Who this course is for
Anyone who needs to investigate or detect threats using network evidence.
SOC analyst investigating beyond endpoint telemetry. You handle alerts from Defender XDR and Sentinel but need the network evidence that endpoint detection doesn't capture — the C2 TLS fingerprint, the DNS trail before the compromise, the exfiltration volume in NetFlow. This course gives you the methodology and toolchain to find what EDR can't see.
IR practitioner building network forensic capability. You respond to incidents and need network evidence to complement disk and memory analysis. When the endpoint evidence is gone — the attacker cleared the logs, the machine was reimaged, the process exited — the network saw everything. This course builds the investigation methodology that closes the gap.
Detection engineer writing network-based detections. You want to build Suricata rules and Zeek scripts for protocol-level detection — not just endpoint EDR rules. NF8 (Suricata rules) and NF9 (C2 detection) are the core modules for you, but the protocol analysis modules provide the understanding that makes your signatures effective.
Security engineer designing NSM architecture. You're responsible for sensor placement, capture strategy, and production-scale PCAP management. NF13 (NSM Architecture for Production) is the engineering module, but the preceding modules give you the investigation context that drives architectural decisions — you can't design a capture strategy without understanding what investigators need.
Anyone who completed Practical IR or Linux IR. You investigated NE incidents from the endpoint perspective. This course investigates the same incidents from the network — the DNS queries that resolved the attacker's infrastructure before the phishing email landed, the lateral movement packets that crossed site boundaries, the exfiltration volume that the endpoint never logged. A fundamentally different evidence view of attacks you already understand.
Prerequisites
Two required, one recommended.
Networking fundamentals. You should understand the TCP/IP model, what a packet is, how DNS resolution works, and what TCP flags mean. You do not need to be a network engineer — the course teaches protocol-level analysis. You do need to know the difference between TCP and UDP, what port 443 is, and how a three-way handshake works. If these are unfamiliar, spend a week on networking fundamentals (CompTIA Network+ material or equivalent) before Phase 2.
Linux command line basics. The NSM sensor runs on Ubuntu. You should be comfortable with cd, ls, grep, cat, less, and pipe operators. You don't need scripting ability — the course provides complete commands. You do need to navigate a terminal without anxiety. The Wireshark for Security Analysts skill on this platform covers basic packet capture if you want a gentler on-ramp.
Recommended: incident response experience. Understanding what an investigation looks like — evidence collection, timeline construction, containment decisions — makes the network evidence modules richer. The Practical IR or Incident Triage courses provide this context. Not required — the course teaches network investigation as a standalone discipline — but recommended for learners who want to integrate network evidence into broader investigations.
Nothing else is required. No Wireshark expertise (though it helps), no Zeek scripting, no Suricata experience. The course teaches all three from the investigator's perspective.
Lab setup
A single Ubuntu VM with Zeek and Suricata. No cloud subscription, no M365 tenant, no commercial tools.
NSM Sensor VM (built in NF1). Ubuntu 24.04 LTS with Zeek and Suricata installed. 4 GB RAM, 40 GB disk, 2 CPU cores. Runs on VMware Workstation Pro (free), VirtualBox, or Hyper-V. NF1 walks the complete build — OS install, Zeek configuration, Suricata setup, and validation. The sensor processes PCAP files from the lab packs and optionally captures live traffic from your lab network.
PCAP lab packs (downloaded per module). Each module includes a PCAP lab pack with Northgate Engineering scenario traffic — realistic enterprise traffic with attack indicators. The packs are downloaded as you reach each module, not all at once. Total size across the course: approximately 2–4 GB.
Wireshark (optional). Useful for visual packet inspection alongside Zeek and Suricata analysis. Free, cross-platform. Not required — the course uses Zeek and Suricata as the primary analysis tools — but helpful for learners who want to inspect individual packets.
What you can skip: you don't need to install anything before starting NF0. The first module is the evidence landscape — concepts and methodology. Build the sensor VM when you reach NF1. Download PCAP lab packs as you reach each module.
How the course is structured
Every module from NF2 onward follows the Capture-Detect-Investigate methodology.
Objective header. The network investigation problem the subsection solves, the finding it produces, and the time estimate.
Diagram. Every subsection has an SVG diagram — the protocol flow, the attack sequence on the wire, the Zeek log schema, or the detection logic.
Worked investigations. Complete network investigations with real PCAP data — the raw evidence, the Zeek log entries, the Suricata alerts, the analysis, and the finding. The learner sees exactly what the investigator sees.
Decision Point. Investigation judgment calls — is this traffic malicious or legitimate, does this DNS pattern indicate tunneling or a CDN, is this beacon interval C2 or a health check.
Try-it. Investigate the PCAP yourself. Four components: Setup (load the PCAP on your sensor), Task (find the specific evidence), Expected Result (the correct finding), and Debugging Branch (what to check if your analysis differs).
Compliance Myth. Network investigation misconceptions — "encryption makes network forensics useless," "we don't need PCAP if we have EDR," "NetFlow is sufficient for investigation."
Artifact footer. The operational artifact — a Zeek query, a Suricata signature, a BPF filter, an investigation checklist.
Module completion pattern. Each module has content subsections (eight to fourteen), a module summary, and a Check My Knowledge subsection with scenario-based questions. Protocol analysis modules (Phase 2) are the densest.
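The Decision Point above asks whether a regular connection interval is C2 or a health check. The script below is an added example, not course material or part of the lab packs: it groups a Zeek conn.log excerpt by source host, destination host and destination port, measures how regular the gaps between connections are (coefficient of variation of the inter-connection intervals), and reports every flow that looks periodic together with the context needed to decide. The conn.log lines, hosts and uids are constructed for the example; the periodicity threshold of 0.1 and the RFC 1918 ranges used to mark a destination as internal are assumptions.

```python
"""Beacon-interval analysis over a Zeek conn.log excerpt (added example).

Groups connections by (orig_h, resp_h, resp_p), measures the regularity of
the gaps between consecutive connection starts, and reports flows whose
timing is regular enough to be a beacon. A monitoring health check is just
as regular, so each result also carries whether the destination is internal
and how much the client sends per connection.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV format (hypothetical hosts/uids).
# Three flows: a ~60 s low-jitter client to an external address, an exactly
# periodic 300 s client to an internal address, and an irregular browsing flow.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000000.000000\tCa1\t10.0.0.5\t50001\t203.0.113.10\t443\ttcp\tssl\t0.41\t512\t640
1700000060.000000\tCa2\t10.0.0.5\t50002\t203.0.113.10\t443\ttcp\tssl\t0.38\t512\t640
1700000118.000000\tCa3\t10.0.0.5\t50003\t203.0.113.10\t443\ttcp\tssl\t0.40\t512\t640
1700000181.000000\tCa4\t10.0.0.5\t50004\t203.0.113.10\t443\ttcp\tssl\t0.42\t512\t640
1700000242.000000\tCa5\t10.0.0.5\t50005\t203.0.113.10\t443\ttcp\tssl\t0.39\t512\t640
1700000301.000000\tCa6\t10.0.0.5\t50006\t203.0.113.10\t443\ttcp\tssl\t0.41\t512\t640
1700000361.000000\tCa7\t10.0.0.5\t50007\t203.0.113.10\t443\ttcp\tssl\t0.40\t512\t640
1700000423.000000\tCa8\t10.0.0.5\t50008\t203.0.113.10\t443\ttcp\tssl\t0.43\t512\t640
1700000000.000000\tCb1\t10.0.0.7\t41000\t10.0.0.20\t443\ttcp\tssl\t0.05\t128\t220
1700000300.000000\tCb2\t10.0.0.7\t41001\t10.0.0.20\t443\ttcp\tssl\t0.05\t128\t220
1700000600.000000\tCb3\t10.0.0.7\t41002\t10.0.0.20\t443\ttcp\tssl\t0.06\t128\t220
1700000900.000000\tCb4\t10.0.0.7\t41003\t10.0.0.20\t443\ttcp\tssl\t0.05\t128\t220
1700001200.000000\tCb5\t10.0.0.7\t41004\t10.0.0.20\t443\ttcp\tssl\t0.05\t128\t220
1700001500.000000\tCb6\t10.0.0.7\t41005\t10.0.0.20\t443\ttcp\tssl\t0.05\t128\t220
1700000005.000000\tCc1\t10.0.0.9\t52000\t198.51.100.4\t80\ttcp\thttp\t1.20\t812\t15300
1700000012.000000\tCc2\t10.0.0.9\t52001\t198.51.100.4\t80\ttcp\thttp\t0.80\t640\t8200
1700000130.000000\tCc3\t10.0.0.9\t52002\t198.51.100.4\t80\ttcp\thttp\t0.30\t301\t1200
1700000131.000000\tCc4\t10.0.0.9\t52003\t198.51.100.4\t80\ttcp\thttp\t2.10\t455\t30100
1700000900.000000\tCc5\t10.0.0.9\t52004\t198.51.100.4\t80\ttcp\thttp\t3.40\t2044\t60000
1700001700.000000\tCc6\t10.0.0.9\t52005\t198.51.100.4\t80\ttcp\thttp\t0.50\t390\t4100
#close\t2023-11-14-22-28-20
"""

# Assumed enterprise address space (RFC 1918); adjust for a real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log: the #fields line names the columns, other
    #-prefixed lines are metadata, and '-' marks an unset value."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        rec["ts"] = float(rec["ts"])
        rec["orig_bytes"] = 0 if rec["orig_bytes"] == "-" else int(rec["orig_bytes"])
        records.append(rec)
    return records


def beacon_candidates(records, min_connections=5, max_cv=0.1):
    """Score each (orig_h, resp_h, resp_p) flow by interval regularity.

    cv = stdev / mean of the gaps between consecutive connection starts;
    near 0 means clockwork timing. Flows with fewer than min_connections
    are skipped because a handful of gaps cannot establish a period.
    """
    flows = defaultdict(list)
    for rec in records:
        flows[(rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])].append(rec)

    results = []
    for (src, dst, dport), recs in flows.items():
        if len(recs) < min_connections:
            continue
        starts = sorted(r["ts"] for r in recs)
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        if len(intervals) < 2:
            continue
        mean = statistics.mean(intervals)
        cv = statistics.stdev(intervals) / mean if mean > 0 else float("inf")
        results.append({
            "src": src, "dst": dst, "dport": int(dport),
            "connections": len(recs),
            "mean_interval": round(mean, 2),
            "cv": round(cv, 4),
            "periodic": cv <= max_cv,
            "internal_dest": is_internal(dst),
            "median_orig_bytes": statistics.median([r["orig_bytes"] for r in recs]),
        })
    results.sort(key=lambda r: r["cv"])
    return results


if __name__ == "__main__":
    for r in beacon_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(r)
```

Both regular flows are flagged: the 60 s client to an external address and the 300 s client to an internal host. The timing statistic alone cannot separate them; the internal destination and tiny, constant request size of the second flow are what point to a health check, and the external destination of the first is what sends the investigator to the TLS fingerprint, the DNS trail and the destination's reputation before calling it C2. Run it against a real conn.log by reading the file into `parse_conn_log`.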
Time per phase
The course is self-paced. No cohorts, no deadlines, no streaks.
Phase 1 (NF0, NF1): roughly eleven to twelve hours, spread over several evenings. NF0 is the evidence landscape and methodology (8 hours — the longest foundation module because it covers the full evidence taxonomy). NF1 is the sensor build (3–4 hours).
Phase 2 (NF2–NF7): Five to seven weeks at five to eight hours per week. Six modules covering the protocols that matter most for investigation. NF3 (DNS) and NF5 (SMB/Windows) are the longest modules.
Phase 3 (NF8–NF11): Three to four weeks. Four modules covering detection and hunting. NF9 (C2 detection) is the most intensive.
Phase 4 (NF12–NF14): Two to three weeks. Three modules including production architecture and the capstone. NF14 (capstone) requires a full weekend — a complete investigation with no guidance.
Full course at five to eight hours per week: twelve to eighteen weeks. This course pairs well with IR or Linux IR — investigating the same incidents from a different evidence source reinforces both disciplines.
Start here
Go to NF0.1 next. It establishes why network evidence matters by walking a scenario where endpoint evidence is incomplete — the attacker cleared the event logs, the memory was never captured, and the only evidence of the C2 channel and exfiltration volume is on the wire. The network saw everything the endpoint didn't.
After NF0.1, the remaining NF0 subsections cover the five network evidence types, the Capture-Detect-Investigate methodology, the NSM philosophy, the toolchain (Zeek, Suricata, tcpdump, Wireshark, NetworkMiner), the Northgate Engineering scenarios that thread through the course, and a scenario-based knowledge check.
Work through NF0 in order. The five evidence types and the Capture-Detect-Investigate methodology are the framework every subsequent module applies.
You've built the sensor and mapped the evidence landscape.
NF0 established why network evidence matters when every other source is compromised. NF1 built your Zeek + Suricata sensor with the 10 investigation query patterns. From here, every module teaches protocol-specific investigation against real attack scenarios.
- DNS deep dive (NF3) — tunneling detection, DGA analysis, passive DNS infrastructure mapping, and the INC-NE-2026-0227 AiTM phishing DNS trail
- Protocol analysis (NF4–NF7) — HTTP/HTTPS, SMB lateral movement, SSH tunneling, and email protocol investigation with Zeek metadata and PCAP
- Detection and hunting (NF8–NF11) — Suricata rule writing, C2 beacon detection with JA3/JA4, NetFlow analytics, and proactive network threat hunting
- NSM architecture (NF13) — production sensor deployment at 1–10 Gbps with Arkime, Security Onion, and enterprise storage planning
- INC-NE-2026-0830 capstone (NF14) — multi-stage investigation using only network evidence: phishing → domain-fronted C2 → lateral movement → DNS tunnel exfiltration