Network forensics Playbook for Teams
RCCE students will learn network forensic capture and analysis, including full packet capture, network flow analysis, protocol reconstruction, network-based artifact extraction, and network timeline construction. They will learn to deploy network capture infrastructure for forensic purposes, collect full packet captures and network flow data during incident investigations, reconstruct network sessions and extract transferred files, analyze DNS queries, HTTP transactions, and encrypted traffic metadata, detect data exfiltration patterns through network forensics, build network-based attack timelines, and produce network forensic reports that complement host-based investigation findings.
This team-oriented course builds collaborative workflows and organizational playbooks for security operations. At an expert level, RCCE students will learn to create and implement standardized procedures that enable consistent performance across team members and shifts. Students develop the documentation, communication, and coordination skills needed for effective team-based security operations.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Network forensics Playbook for Teams
- Execute hands-on tasks for network forensics
- Execute hands-on tasks for playbook for teams
- Explain Course Overview & Learning Objectives fundamentals
- Execute hands-on tasks for network forensics scope — covering Full packet capture and flow analysis, Protocol reconstruction techniques.
- Execute hands-on tasks for team playbook focus — covering Standardized forensic procedures, Collaborative investigation workflows.
- Execute hands-on tasks for target competency — covering Deploy capture infrastructure, Reconstruct sessions from PCAP.
- Explain DFIR foundations (Module 7) fundamentals — covering TCP/IP protocol fundamentals.
- Execute hands-on tasks for network forensics fundamentals
- Execute hands-on tasks for network evidence types & sources
- Execute hands-on tasks for full packet capture — covering Complete payload data, PCAP/PCAPng format.
- Execute hands-on tasks for flow records — covering NetFlow/sFlow/IPFIX, Metadata without payload.
- Execute hands-on tasks for NetFlow/sFlow/IPFIX — covering Metadata without payload.
| Module 01 | Network Forensics |
| Module 02 | Playbook for Teams |
| Module 03 | Course Overview & Learning Objectives |
| Module 04 | Network Forensics Scope |
| Module 05 | Team Playbook Focus |
| Module 06 | Target Competency |
| Module 07 | DFIR foundations (Module 7) |
| Module 08 | Network Forensics Fundamentals |
| Module 09 | Network Evidence Types & Sources |
| Module 10 | Full Packet Capture |
| Module 11 | Flow Records |
| Module 12 | NetFlow/sFlow/IPFIX |
| Module 13 | Log Data |
| Module 14 | Network Metadata |
All hands-on labs run on Rocheston Rose X OS. Students practice the Network forensics Playbook for Teams material by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for network forensics
- Lab 2: Execute hands-on tasks for playbook for teams
- Lab 3: Explain Course Overview & Learning Objectives fundamentals
- Lab 4: Execute hands-on tasks for network forensics scope
- Lab 5: Execute hands-on tasks for team playbook focus
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Network forensics Playbook for Teams, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI