Network Forensics

Course Number: 14-823

Department: Information Networking Institute

Location: Pittsburgh

Units: 12

Semester Offered: Fall

This course introduces concepts and techniques essential for studying network-based evidence applicable to legal investigations. Students will become familiar with a wide range of networking devices, with techniques for capturing and analyzing network data, and with the practice of solid forensic methodologies to prepare and protect network-based digital evidence. Students will be required to bring their laptops to each class, as they will need to access exercise materials online, use virtual machines in a hypervisor, and answer online quizzes.

Class format

Lecture and project-based

Target audience

INI students

Background required

Students must have taken 14-761. We expect familiarity with TCP/IP networking. 

Learning objectives

  • Understand forensic methodologies
  • Identify network-based forensic evidence sources
  • Understand basic administration of network devices
  • Utilize common packet and protocol analysis tools
  • Capture and analyze wired and wireless network traffic
  • Capture and analyze network flow data
  • Create a timeline of user activity from network-based evidence
  • Understand techniques used by attackers to evade detection
  • Build a network to demonstrate the detection of an attack by using network forensic tools 

Faculty and instructors who have taught this course in the past

Gabriel Somlo, Adam Welles