---
url: "https://xcademia.com/courses/xcademia-network-forensics-analyst"
title: Xcademia Network Forensics Analyst
description: "Earn XNFA through a 5-day network forensics programme. Wireshark, Zeek, JA3 fingerprinting, MITRE ATT&CK. GNFA alternative UK. Practitioner-assessed. No MCQs."
publishedAt: "2026-04-20T08:46:51.228374+00:00"
updatedAt: "2026-04-20T10:17:30.096332+00:00"
type: course
code: "CYB-0352"
level: Expert
duration_days: "5"
track: "Digital Forensics & Incident Response"
category: "Cybersecurity & Ethical Hacking"
credential_tier: tier3
price_gbp: "3595"
---

# Xcademia Network Forensics Analyst

> The XNFA Certification Programme is the practitioner standard for network forensics analysts who investigate cyber incidents through network traffic analysis, protocol dissection, C2 communication identification, and adversary campaign reconstruction from PCAP, Zeek logs, NetFlow, and proxy data. Assessed on Day 5 through a supervised network forensic investigation producing a professional findings report. No MCQs. No exam.

## Overview

Network traffic is the most honest witness in a cyber investigation. Attackers can clear logs, delete files, and wipe systems, but network flows, PCAP captures, and DNS queries often remain as evidence of what occurred, when, and through which systems. The analyst who can read this evidence fluently has a significant investigative advantage. XNFA is built for DFIR professionals, SOC analysts, and threat hunters who want to develop network forensics as a core specialism.

Across five instructor-led days, participants build capability from network protocol fundamentals through advanced traffic analysis with Wireshark, Zeek, and NetworkMiner, encrypted traffic analysis using JA3 and JA3S fingerprinting, DNS forensics, web proxy log analysis, NetFlow analysis, lateral movement and data exfiltration detection in network evidence, and network evidence timeline reconstruction for investigation. Every session uses real PCAP files from real incidents in a structured forensics workflow.

On Day 5, participants investigate a simulated breach through network evidence only: PCAPs, DNS logs, proxy logs, and NetFlow records. They reconstruct the attack, identify attacker infrastructure, map it to MITRE ATT&CK, and produce a professional network forensics report. A senior practitioner assesses methodology and report quality. The XNFA certificate and Practitioner Assessment Report are issued together.

## Prerequisites

- Minimum 12 months in a SOC, DFIR, network security, or IT infrastructure role
- Working knowledge of TCP/IP networking and basic familiarity with Wireshark or equivalent packet analysis
- Basic understanding of common network protocols: HTTP, DNS, SMTP, and SMB

## What you will learn

- Conduct structured network traffic analysis using Wireshark, Zeek, and NetworkMiner to identify adversary activity in enterprise PCAP captures
- Analyse DNS, web proxy, and NetFlow data to reconstruct adversary campaigns and identify attacker infrastructure from multi-source network evidence
- Detect and analyse C2 communication patterns including beaconing, DNS tunnelling, and TLS-obscured traffic using JA3/JA3S fingerprinting
- Reconstruct multi-stage attack timelines from network evidence across PCAP, Zeek logs, NetFlow records, and proxy log sources
- Map network-layer adversary techniques to MITRE ATT&CK v14 for attribution and detection engineering
- Produce professional network forensics investigation reports aligned to ACPO digital evidence guidelines and regulatory evidence requirements

## Skills you will gain

- Wireshark advanced analysis
- Zeek log analysis and scripting
- C2 beaconing detection
- DNS forensics
- JA3/JA3S encrypted traffic fingerprinting
- NetFlow analysis (SiLK)
- Lateral movement detection in network evidence
- Data exfiltration detection
- NetworkMiner session reconstruction
- MITRE ATT&CK network technique mapping
- Network timeline construction (Plaso)
- Network forensics report writing

## Career progression

- Network Forensics Analyst
- DFIR Specialist
- SOC L2/L3 Analyst
- Threat Hunter
- Network Security Engineer
- Incident Responder

## Framework alignment

- MITRE ATT&CK v14
- NIST SP 800-61
- ISO 27035
- ACPO Digital Evidence Guidelines
- Zeek Project
- JA3/JA3S Project
- SiLK (System for Internet-Level Knowledge)
- RFC Standards

## Curriculum

1. **Module 1**
2. **Module 2**
3. **Module 3**

## Exam & certification

You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.

## Delivery options

- **Live Online** — Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
- **Onsite Training** — We come to you. Training delivered at your workplace for teams of 6 or more.
- **Venue-Based** — Classroom training at a professional venue. Ideal for focused, immersive learning.
- **Blended** — Combine online and in-person learning for maximum flexibility and impact.

## Frequently asked questions

**How does XNFA compare to SANS FOR572 (GNFA)?**

SANS FOR572 costs approximately $9,779 total. XNFA is 5 instructor-led days ending in a supervised network forensics investigation on Day 5. Participants analyse real PCAP captures and multi-source log data to reconstruct a simulated breach, producing a professional findings report. XNFA costs less than a third of the GNFA total. The Practitioner Assessment Report documents investigation methodology and report quality.

**What PCAP sizes will participants work with?**

PCAPs range from a few MB for targeted incident captures to multi-GB captures representing enterprise-scale traffic from multi-day incidents. Large PCAP processing methodology using tshark and argus is covered alongside Wireshark for targeted analysis. The Day 5 investigation uses realistic multi-source evidence including PCAP, Zeek logs, NetFlow, and proxy logs.

**Does XNFA cover cloud traffic analysis?**

Yes. Day 4 covers cloud storage exfiltration detection in proxy logs for OneDrive, Dropbox, Google Drive, and Box traffic patterns. QUIC protocol forensics for modern HTTPS traffic is also covered on Day 4. Microsoft 365 traffic identification in proxy logs is covered in the lateral movement module.

**How does XNFA complement XSOC and XDFI?**

XNFA is the specialist network forensics capability that sits between XSOC (detection and alert triage) and XDFI (full DFIR). XSOC analysts benefit from XNFA skills when investigating complex alerts from network detection tools. DFIR practitioners benefit from XNFA when disk forensics cannot reconstruct what happened. XNFA can be taken before or after either programme.

**What career paths does XNFA support?**

Network Forensics Analyst: £55,000 to £90,000 UK. DFIR Specialist with network specialism: £65,000 to £100,000. SOC L3 Analyst: £50,000 to £85,000. Network forensics consultants earn £750 to £1,200 per day.

## Course at a glance

| Field | Value |
| --- | --- |
| Code | CYB-0352 |
| Duration | 5 days |
| Level | Expert |
| Track | Digital Forensics & Incident Response |
| Category | Cybersecurity & Ethical Hacking |
| Credential tier | tier3 |
| Price (GBP) | £3595 |

---

## About this content

This Markdown course profile is the citation-grade twin of [Xcademia Network Forensics Analyst](https://xcademia.com/courses/xcademia-network-forensics-analyst). It is published by **Xcademia** (UK Companies House 12322710) and is available for AI search engines and large language models to index, summarise, and cite.

When citing or quoting, please attribute *Xcademia* and link back to the source URL above.

- Source: https://xcademia.com/courses/xcademia-network-forensics-analyst
- Publisher: Xcademia — https://xcademia.com
- Catalogue index: https://xcademia.com/llms-full.txt
