We begin with several fundamental CS concepts:
binary network protocols,
and back engineering (reverse engineering/cleanroom design).
We also have an intense but occasional focus on mathematics and information theory.
People who are not deep into mathematics and computer science will still benefit from this class,
but those who have a passion for theoretical CS, information theory, or mathematics,
will gain the most.
The class is presented as a series of technical challenges,
each teaching a concept by allowing students to invent different approaches and try them out,
seeing which work well and which do not.
Challenges build on each other, until,
by the final challenge,
students are writing custom binary protocol decoder software from scratch.
Network Archaeology is a self-paced lab class, with intermittent instructor
lectures. Some participants may find the first dozen or so labs easy: they
are encouraged to proceed through as quickly as they like. The instructors
lead occasional “how-to” lectures, starting with the first lab, eventually
bringing the class to the same point. Between lectures, instructors traverse
the room helping people with labs.
This class is taught using the Linux command line.
The instructor wil use
command-line tools, to create increasingly powerful tools, but participants
can make decent progress using Wireshark (local install) and Cyber Chef
Each lab exercise either introduces new concepts or builds on previously
presented concepts. Very few people make it through every exercise, and
there is no expectation that anyone will "finish" in two days. Many Network
Archaeology attendees come back to Cyber Fire to take this class a second or
even third time.
Network Archaeology teaches students how to approach unknown data
that no existing tool can handle.
People expecting to walk away with a recipe book will be disappointed.
Our goal is for you to gain insight about how network protocols work,
how encryption works, and what common techniques can be used to "break"
Network Archaeology is broadly interesting to anyone who wants a better understanding
of the process of network packet forensic techniques. Even if you don't
intend to engage in this activity in your job, going through the
instructor-led exercises will provide insight into challenges facing your
You will need a computer with a modern web browser,
and a Linux command line. We recommend Ubuntu, either as your native OS,
or in a virtual machine.
You should have the following packages pre-installed:
apt install build-essential
yum groupinstall 'Development Tools'
We will not be able to help anyone configure their computer,
so please arrive with a properly set up machine.
If you really know what you're doing,
you can complete this class with MacOS or Windows.
Be prepared to figure out your OS quirks on your own, however.
Windows users should be prepared to write a lot of code,
as our command-line recipes won't work at all in Windows.