GNFA
Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

The GIAC Network Forensic Analyst (GNFA) certification trains professionals to acquire, dissect, and interpret network evidence, covering protocol analysis, NetFlow, proxy/firewall logs, and wireless forensics for precise threat detection.

  • 180 minutes
  • 66 questions
  • Passing score: 70/100
  • Exam cost: $979

Who Should Take This

It is intended for incident responders, network security engineers, and forensic analysts with at least two years of hands-on experience in TCP/IP environments who want to deepen their packet-level investigation skills, master advanced traffic-pattern and log-analysis techniques, and improve how they present findings to stakeholders.

What's Covered

1 Network Evidence Acquisition and Architecture
2 Network Protocol Analysis
3 NetFlow and Traffic Pattern Analysis
4 Proxy, Firewall, and Log Forensics
5 Wireless Network Forensics
6 Encrypted Traffic Analysis
7 Network-Based Malware Detection and Investigation

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

62 learning goals
1 Network Evidence Acquisition and Architecture
2 topics

Network traffic capture fundamentals

  • Describe network evidence types including full packet capture (PCAP), NetFlow/IPFIX records, DNS query logs, proxy logs, firewall logs, and IDS/IPS alerts, and explain the forensic value and storage tradeoffs of each evidence tier.
  • Identify network capture deployment architectures including network TAPs, SPAN/mirror ports, inline capture appliances, and cloud VPC traffic mirroring, and explain the visibility and reliability characteristics of each approach.
  • Implement full packet capture infrastructure using tcpdump, dumpcap, or dedicated capture appliances with BPF (Berkeley Packet Filter) expressions, file rotation, and storage management for sustained high-throughput network recording.
  • Assess capture infrastructure completeness by evaluating network visibility gaps, identifying encrypted tunnel blind spots, and recommending capture point placement to maximize forensic coverage across segmented enterprise networks.

Zeek (Bro) network security monitoring

  • Describe Zeek's architecture including its event engine, scripting framework, log output format, and the standard log files generated (conn.log, dns.log, http.log, ssl.log, files.log, notice.log) with their forensic applications.
  • Implement Zeek deployment for network traffic analysis with cluster configuration, custom scripts for organization-specific detection logic, and integration with log aggregation platforms (Elasticsearch/Splunk) for searchable network metadata.
  • Implement Zeek log analysis for forensic investigation by querying conn.log for long-duration connections, dns.log for suspicious resolution patterns, http.log for malware download indicators, and ssl.log for certificate anomalies.
  • Evaluate Zeek detection coverage against known attack patterns, identify gaps in protocol parsing or custom script logic, and recommend tuning improvements to reduce false positives while maintaining detection fidelity for network-based threats.
2 Network Protocol Analysis
6 topics

TCP/IP and transport layer analysis

  • Describe TCP connection lifecycle including three-way handshake, sequence/acknowledgment number tracking, window sizing, retransmission behavior, and connection teardown (FIN/RST) as they relate to forensic session reconstruction.
  • Implement TCP stream reassembly in Wireshark to reconstruct application-layer conversations, extract transferred files, and identify session hijacking or injection attempts through sequence number analysis and TCP flag anomalies.
  • Analyze IP packet headers to identify fragmentation-based evasion, TTL-based traceroute mapping, IP spoofing indicators, and encapsulation tunnels (GRE, VXLAN, IP-in-IP) used to obscure malicious traffic paths.

DNS forensics

  • Describe DNS protocol mechanics including query types (A, AAAA, CNAME, MX, TXT, NS, PTR), recursive versus iterative resolution, TTL caching behavior, and DNSSEC validation relevant to forensic DNS analysis.
  • Implement DNS log analysis using passive DNS databases, Zeek dns.log, and DNS query logging to identify suspicious resolution patterns including fast-flux domains, excessive NXDOMAIN responses, and DNS tunneling indicators.
  • Implement DNS tunneling detection by analyzing query/response size ratios, entropy of subdomain labels, query frequency patterns, and TXT record payload sizes to identify covert data exfiltration channels over DNS.
  • Analyze domain generation algorithm (DGA) activity by examining DNS query patterns for high-entropy domain names, mathematically generated strings, and registration timing to identify malware C2 infrastructure and sinkholing opportunities.

HTTP and web protocol analysis

  • Describe HTTP/1.1 and HTTP/2 protocol structure including request methods, status codes, headers (Host, User-Agent, Cookie, Referer), content encoding, and chunked transfer encoding relevant to forensic web traffic reconstruction.
  • Implement HTTP session reconstruction from PCAP using Wireshark HTTP object export, tshark field extraction, and NetworkMiner to recover transferred files, form submissions, and API call sequences from captured web traffic.
  • Analyze HTTP traffic to identify web application attacks (SQL injection, XSS, path traversal), malware download cradles, webshell communications, and C2 over HTTP by examining URI patterns, headers, and payload content.

SMB and file sharing protocol analysis

  • Describe SMB/CIFS protocol versions (SMBv1, SMBv2, SMBv3), authentication mechanisms (NTLM, Kerberos), named pipe operations, and file access patterns relevant to detecting lateral movement and data exfiltration over Windows file sharing.
  • Implement SMB traffic analysis using Wireshark SMB/SMB2 dissectors to reconstruct file transfers, identify PsExec-style remote execution, detect named pipe abuse for C2, and extract transferred file contents from packet captures.
  • Analyze SMB traffic patterns to detect ransomware propagation (mass file encryption over network shares), unauthorized admin share access (C$, ADMIN$), and credential relay attacks including NTLM relay and SMB signing downgrade attempts.

Email protocol forensics

  • Describe email protocol mechanics including SMTP transaction flow, MIME encoding, email header analysis (Received, X-Originating-IP, SPF/DKIM/DMARC), and attachment handling relevant to phishing investigation and email forensics.
  • Implement email header analysis to trace message routing paths, identify spoofed sender addresses, extract originating IP addresses, and evaluate SPF/DKIM/DMARC authentication results for phishing email investigation.
  • Analyze email-based attack campaigns by correlating header artifacts, attachment hashes, embedded URLs, and sender infrastructure to identify phishing kit reuse, business email compromise patterns, and targeted spearphishing attribution indicators.

FTP and SSH protocol forensics

  • Describe FTP protocol mechanics including active versus passive mode data connections, command/response sequences (USER, PASS, RETR, STOR, LIST), clear-text credential exposure, and FTPS/SFTP differences relevant to forensic traffic reconstruction.
  • Implement FTP session reconstruction from PCAP captures by extracting command sequences, correlating control and data channel connections, recovering transferred file contents, and identifying credentials from clear-text authentication exchanges.
  • Describe SSH protocol handshake sequence including key exchange negotiation, host key verification, authentication methods (password, publickey), and session channel multiplexing, and identify forensic metadata available without decryption.
  • Implement SSH traffic analysis using Zeek ssh.log to identify brute-force authentication attempts, detect SSH tunneling through packet size analysis, and flag unauthorized SSH server deployments on non-standard ports across the enterprise network.
  • Analyze FTP and SSH usage patterns to identify unauthorized data transfers, detect exfiltration through encrypted channels, and correlate file transfer timing with known compromise indicators from other network evidence sources.
3 NetFlow and Traffic Pattern Analysis
2 topics

NetFlow/IPFIX collection and analysis

  • Describe NetFlow v5/v9 and IPFIX record formats including flow keys (source/destination IP, ports, protocol), counters (bytes, packets), timing fields, and the differences between unidirectional and bidirectional flow records.
  • Implement NetFlow collection and analysis using nfdump, SiLK, or Elasticsearch with flow data to query traffic patterns, generate top-talker reports, and identify anomalous communication patterns across enterprise network segments.
  • Implement flow-based lateral movement detection by analyzing internal east-west traffic patterns, identifying unusual port usage, detecting port scanning activity, and flagging connections to previously unseen internal services.
  • Analyze flow data to estimate data exfiltration volumes by correlating outbound transfer sizes with known sensitive data locations, identifying unusual upload ratios, and detecting staged data movement through intermediate systems.

Beaconing and C2 traffic analysis

  • Describe command-and-control communication patterns including periodic beaconing, jittered intervals, long polling, domain fronting, and protocol-agnostic C2 frameworks (Cobalt Strike, Sliver, Mythic) and their network signatures.
  • Implement beaconing detection using statistical analysis of connection intervals, payload size distributions, and session duration patterns to identify periodic C2 callbacks hidden within normal web browsing traffic.
  • Analyze C2 traffic to determine adversary capabilities, extract configuration data from beacons, identify C2 infrastructure relationships, and assess the operational security measures used by the threat actor to evade network detection.
4 Proxy, Firewall, and Log Forensics
2 topics

Proxy log analysis

  • Describe web proxy log formats (Squid, Blue Coat/Symantec, Zscaler) including fields for timestamp, client IP, HTTP method, URL, response code, bytes transferred, user-agent, and content type useful for forensic web activity reconstruction.
  • Implement proxy log analysis to reconstruct user browsing sessions, identify drive-by download events, detect unauthorized cloud storage uploads, and trace the delivery chain of malware from initial URL through redirect sequences to payload download.
  • Analyze proxy logs to identify C2 traffic patterns including unusual user-agent strings, periodic connections to uncategorized domains, CONNECT method tunneling, and high-frequency polling indicative of automated malware communication.

Firewall and IDS/IPS log analysis

  • Describe firewall log formats and fields including source/destination addressing, port information, action (allow/deny/drop), rule identifiers, byte counts, and session tracking useful for network perimeter forensic analysis.
  • Implement firewall log analysis to identify reconnaissance activity (port scans, service enumeration), unauthorized outbound connections, policy violation patterns, and perimeter bypass attempts through allowed service exploitation.
  • Implement IDS/IPS alert correlation with Snort/Suricata rules to validate true positive detections, reconstruct attack sequences from alert chains, and extract relevant PCAP segments for deep packet analysis of flagged events.
  • Evaluate firewall and IDS effectiveness by analyzing detection gaps, rule coverage blind spots, and evasion techniques that allowed malicious traffic to pass undetected, and recommend rule and policy improvements.
5 Wireless Network Forensics
2 topics

802.11 wireless capture and analysis

  • Describe 802.11 frame types (management, control, data), SSID broadcasting, association/authentication sequences, and WPA2/WPA3 handshake mechanisms relevant to wireless network forensic capture and analysis.
  • Implement wireless packet capture in monitor mode using aircrack-ng suite or Kismet, configure channel hopping strategies, and capture WPA handshakes for offline analysis while maintaining forensic capture integrity.
  • Analyze wireless traffic captures to identify rogue access points, evil twin attacks, deauthentication attacks, client probing behavior, and unauthorized wireless device connections using Wireshark 802.11 dissectors and Kismet logs.

Bluetooth and proximity protocol forensics

  • Describe Bluetooth Classic and BLE (Bluetooth Low Energy) protocol stacks, pairing mechanisms, device discovery procedures, and GATT service enumeration relevant to forensic analysis of short-range wireless communications.
  • Implement Bluetooth device scanning and traffic capture using Ubertooth, nRF Sniffer, or hcitool to identify nearby devices, capture pairing exchanges, and analyze BLE advertisement data for forensic device identification and tracking.
  • Analyze Bluetooth forensic artifacts to correlate device proximity events, reconstruct pairing histories, identify rogue Bluetooth devices, and assess wireless exfiltration risk through Bluetooth file transfer evidence in packet captures.
6 Encrypted Traffic Analysis
2 topics

TLS/SSL forensic analysis

  • Describe TLS handshake sequence including ClientHello/ServerHello messages, cipher suite negotiation, certificate exchange, key derivation, and the differences between TLS 1.2 and TLS 1.3 that affect forensic metadata availability.
  • Implement JA3/JA3S TLS fingerprinting to identify client applications and server configurations from encrypted traffic metadata, build fingerprint databases, and detect known malware TLS signatures without requiring decryption.
  • Implement TLS certificate analysis to identify suspicious certificates including self-signed certificates, short-lived certificates, certificates with unusual subject names, and certificate authority anomalies indicative of MITM or C2 infrastructure.
  • Analyze encrypted traffic patterns using flow metadata, packet timing, certificate chains, and TLS fingerprints to classify traffic types, identify malicious encrypted sessions, and assess the feasibility of detection without full content inspection.

Encrypted protocol and tunnel detection

  • Identify network tunneling and encapsulation protocols including SSH tunnels, VPN protocols (OpenVPN, WireGuard, IPSec), DNS over HTTPS (DoH), DNS over TLS (DoT), and ICMP tunneling, and describe their detection indicators in network traffic.
  • Implement tunnel detection using traffic analysis techniques including packet size distribution analysis, protocol identification heuristics, and behavioral patterns to identify SSH data tunnels, DNS-over-HTTPS covert channels, and ICMP data exfiltration.
  • Evaluate the effectiveness of encrypted channel detection strategies, assess the tradeoffs between inspection capability and privacy/performance impact, and recommend monitoring approaches that balance forensic visibility with operational constraints.
7 Network-Based Malware Detection and Investigation
2 topics

Network malware indicators and file carving

  • Describe network-based malware delivery mechanisms including exploit kit traffic patterns, malicious document download chains, drive-by download redirect sequences, and watering hole attack indicators visible in network traffic.
  • Implement file carving from PCAP captures using Wireshark export objects, foremost, tcpxtract, and NetworkMiner to extract executables, documents, scripts, and archives transferred over HTTP, FTP, and SMB for malware analysis triage.
  • Implement DNS sinkholing to redirect malware C2 domain resolutions to controlled infrastructure, capture callback traffic from infected hosts, and enumerate the scope of infection across the enterprise through sinkhole connection analysis.
  • Analyze carved files using hash lookups (VirusTotal, NSRL), YARA rule scanning, and sandboxing submissions to determine malware family classification, capabilities, and C2 infrastructure without performing full reverse engineering.

Network investigation synthesis and reporting

  • Implement comprehensive network investigation documentation that correlates PCAP evidence, flow records, log analysis, and protocol findings into a structured forensic report with timeline, IOC appendix, and evidence chain references.
  • Evaluate network security posture based on forensic findings to identify monitoring gaps, recommend detection rule improvements, and assess whether existing network visibility supports timely identification of the observed attack techniques.

Scope

Included Topics

  • All domains covered by the GIAC Network Forensic Analyst (GNFA) certification aligned with SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response.
  • Network evidence acquisition techniques including full packet capture (PCAP), NetFlow/IPFIX collection, network tap and SPAN port deployment, and cloud-based traffic mirroring.
  • Deep protocol analysis using Wireshark, tshark, and Zeek (Bro) for HTTP/HTTPS, DNS, SMB/CIFS, FTP, SMTP, SSH, TLS, and custom protocol dissection.
  • NetFlow and IPFIX analysis for traffic pattern characterization, anomaly detection, lateral movement identification, data exfiltration volume estimation, and long-duration connection analysis.
  • Proxy log, firewall log, and web server log forensic analysis for reconstructing user activity, identifying C2 communications, and detecting policy violations.
  • Wireless network forensics including 802.11 frame capture, SSID analysis, rogue access point detection, WPA handshake capture, and Bluetooth/BLE artifact analysis.
  • Encrypted traffic analysis techniques including TLS metadata analysis (JA3/JA3S fingerprinting, certificate analysis), DNS over HTTPS detection, and statistical traffic classification without decryption.
  • Network-based malware detection using DNS sinkholing, domain generation algorithm (DGA) identification, beaconing analysis, and C2 protocol pattern recognition.

Not Covered

  • Host-based digital forensics including disk imaging, file system analysis, and registry forensics covered by GCFA certification.
  • Malware reverse engineering at the binary/assembly level covered by GREM certification.
  • Network infrastructure administration, router/switch configuration, and network design that do not directly support forensic analysis.
  • Cryptographic algorithm internals and key exchange mathematics beyond practical recognition of cipher suites and their security implications.
  • Mobile device forensics and cloud-native forensics covered by separate GIAC certifications (GASF, GCLD).

Official Exam Page

Learn more at GIAC Certifications


Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.