XNFA: Xcademia Network Forensics Analyst

Attackers can erase endpoint artefacts. They cannot erase the packets. XNFA develops the network forensic skills needed to reconstruct breaches from PCAPs, flow data, DNS records, and C2 traffic, turning network evidence into incident timelines that stand up to scrutiny.

Xcademia Research Team
Jun 4, 2026
6 min read
Network Forensics and Analysis: The Practitioner Certification for Incident Investigators

When an attacker compromises a system, they can delete log files, overwrite artefacts, and modify timestamps on the endpoint. What they cannot delete is the network record of their activity. The packets that carried their lateral movement commands, their data exfiltration, and their C2 callbacks all traversed network infrastructure that records traffic in ways the attacker cannot retroactively modify.

Network forensics is the discipline of reconstructing attacker activity from network evidence: packet captures, flow data, DNS logs, proxy logs, and firewall records. It is the most reliable forensic record of a breach. It is also one of the least developed skills in the incident response profession. Most DFIR practitioners are competent in endpoint forensics. Far fewer can conduct a full network forensic analysis from PCAP to incident timeline. 

XNFA is Xcademia's Network Forensics and Analysis practitioner certification. Five instructor-led days. Practitioner-assessed. Built for DFIR professionals who need to read what the network saw.

The attacker who covers their tracks on the endpoint is the one who assumes the defender will look there. The defender who knows how to read network evidence finds what the attacker assumed was invisible. XNFA builds the capability to look where the attacker did not expect anyone to be looking. 

Why Network Forensics Is an Underdeveloped Skill  

The DFIR profession has excellent endpoint forensics capability. CHFI, FOR500, and XDFI all develop strong Windows and Linux forensic analysis skills. The network forensics equivalent, the ability to reconstruct a full incident timeline from packet captures, flow data, and protocol analysis, is developed by far fewer practitioners.

The reasons are practical. Packet capture analysis requires familiarity with network protocols at a depth that many security professionals have not developed. Wireshark is the tool most practitioners know by name, but few can use it beyond basic filtering. NetFlow analysis, DNS forensics, TLS decryption for inspection, and the reconstruction of attacker TTPs from network evidence require specific training that most security programmes do not provide at depth.

The result: incident response teams that reconstruct attacker activity from endpoint artefacts alone, missing the lateral movement evidence in flow data, the exfiltration volume in traffic logs, and the C2 communication patterns in DNS records that the network recorded faithfully throughout the incident. 

The incident investigation that relies only on endpoint evidence is an incomplete investigation. Attackers know how to clean up after themselves on endpoints. The network does not give them the same opportunity. XNFA builds the skill to read what the network preserved. 

What XNFA Covers Across Five Days 

Day 1: Network Protocols and Traffic Fundamentals 

  • TCP/IP deep dive for forensics: Understanding the protocol-level information in packet captures that reveals attacker behaviour rather than just connectivity 

  • DNS forensics: DNS as an exfiltration channel, DNS tunnelling detection, domain generation algorithm (DGA) identification, passive DNS analysis 

  • HTTP/HTTPS forensics: Reconstructing web sessions from packet captures, identifying C2 over HTTP/S, certificate analysis for TLS inspection 

  • Wireshark professional use: Display filters, capture filters, protocol dissectors, stream following, and export functions for forensic analysis 

  • Lab: Analyse a PCAP file containing a web-based exploitation scenario. Identify the initial compromise, the payload delivery, and the attacker's initial commands. 
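As an added illustration of the DNS forensics topics listed for Day 1 (this is example code written for this page, not XNFA course material), the script below triages a constructed DNS query log for two of the patterns named above: tunnelling, where one client sends many long, high-entropy subdomain labels under a single registered domain, and DGA-style behaviour, where one client resolves many consonant-heavy second-level domains. The log format, the thresholds, and the naive "last two labels" registered-domain split are assumptions of the example; a production version would use a public suffix list and thresholds tuned against the environment's own baseline.

```python
"""Heuristic triage of DNS query logs for tunnelling and DGA candidates.

Added example, not XNFA course material. Log format is constructed:
"<epoch> <client_ip> <qname> <qtype>", one query per line.
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 is a normal workstation, 10.0.0.7 pushes long
# hex labels under one domain over TXT (tunnelling-like), 10.0.0.9 resolves
# several random-looking second-level domains (DGA-like).
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000002 10.0.0.5 cdn.example.com A
1700000003 10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.tun.example.net TXT
1700000004 10.0.0.7 f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4.tun.example.net TXT
1700000005 10.0.0.7 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.tun.example.net TXT
1700000006 10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.tun.example.net TXT
1700000007 10.0.0.9 xkqzpvjrtwmn.com A
1700000008 10.0.0.9 qwzlfhtpbvrk.net A
1700000009 10.0.0.9 mvtqzxrkwplj.org A
1700000010 10.0.0.9 zrpkxvwqtmlj.info A
"""


def shannon_entropy(s):
    """Bits per character of s; random hex/base32 data scores well above 3.5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (registered domain, subdomain prefix).
    Assumption: registered domain = last two labels (no public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname, qtype))
    return records


def find_tunnelling(records, min_queries=3, min_prefix_len=30, min_entropy=3.5):
    """Flag (client, domain) pairs whose subdomain prefixes are long and
    high-entropy: data encoded into labels rather than real hostnames."""
    groups = defaultdict(list)
    for _, client, qname, qtype in records:
        reg, prefix = split_name(qname)
        groups[(client, reg)].append((prefix, qtype))
    findings = []
    for (client, reg), items in groups.items():
        if len(items) < min_queries:
            continue
        mean_len = sum(len(p) for p, _ in items) / len(items)
        mean_ent = sum(shannon_entropy(p) for p, _ in items) / len(items)
        txt_share = sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            findings.append({"client": client, "domain": reg, "queries": len(items),
                             "mean_prefix_len": mean_len, "mean_entropy": mean_ent,
                             "txt_null_share": txt_share})
    return findings


def looks_generated(sld, min_len=10, max_vowel_ratio=0.2):
    """Crude DGA heuristic: long second-level label with almost no vowels."""
    if len(sld) < min_len:
        return False
    vowels = sum(1 for ch in sld if ch in "aeiou")
    return vowels / len(sld) <= max_vowel_ratio


def find_dga_clients(records, min_domains=3):
    """Clients resolving several distinct generated-looking registered domains."""
    per_client = defaultdict(set)
    for _, client, qname, _ in records:
        reg, _ = split_name(qname)
        if looks_generated(reg.split(".")[0]):
            per_client[client].add(reg)
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_domains}


def analyse(text):
    records = parse_log(text)
    return {"tunnelling": find_tunnelling(records), "dga": find_dga_clients(records)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

Both heuristics are deliberately simple so the thresholds are visible; in a real investigation the same per-client, per-domain aggregation is what you would run over passive DNS or resolver logs, then tune the length, entropy and vowel-ratio cut-offs against the organisation's known-good traffic before trusting the output.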


Day 2: Network Flow Analysis and SIEM Integration 

  • NetFlow and IPFIX: Reading flow data, identifying lateral movement patterns, detecting data exfiltration by volume and destination profile 

  • Firewall and proxy log forensics: Reconstructing attacker activity from log data when full PCAP is not available 

  • SIEM log correlation for network evidence: Writing detection queries across network log sources in Splunk and Microsoft Sentinel 

  • Baseline and anomaly identification: How to establish a normal traffic baseline and identify deviations that indicate attacker activity 

  • Lab: Using flow data and firewall logs, reconstruct the lateral movement path of an attacker across a simulated corporate network from initial access to data exfiltration 


Day 3: Malware Communication Analysis 

  • C2 communication patterns: Identifying beaconing behaviour, jitter analysis, common C2 frameworks (Cobalt Strike, Metasploit, Sliver) in network traffic 

  • Encrypted traffic analysis: Identifying malicious patterns in TLS-encrypted traffic without decryption — certificate anomalies, JA3 fingerprinting, JARM scoring 

  • DNS over HTTPS and other evasion techniques: How attackers use encrypted DNS and other evasion methods, and how to detect them 

  • Threat intelligence correlation: Matching observed network indicators against threat intelligence sources to attribute activity 

  • Lab: Analyse a PCAP containing Cobalt Strike C2 traffic. Identify the beaconing pattern, extract IOCs, and produce a threat intelligence report on the observed activity. 
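The following is an added example for this page, not XNFA course material, covering two of the flow-analysis tasks listed above: the Day 2 point about detecting exfiltration by outbound volume per destination, and the Day 3 point about identifying beaconing by interval regularity (jitter analysis). It works on constructed flow records in a format assumed for the example (one completed connection per line: start epoch, source, destination, destination port, protocol, bytes out, bytes in), which is roughly what a normalised NetFlow/IPFIX export or a cloud VPC flow log yields. The coefficient of variation of inter-arrival times is used as the jitter measure; the threshold values are assumptions to be tuned per environment.

```python
"""Flow-record triage: beaconing regularity and outbound-volume exfiltration.

Added example, not XNFA course material. Flow format is constructed:
"<start_epoch> <src> <dst> <dport> <proto> <bytes_out> <bytes_in>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 reaches one external host every ~60s with a few
# seconds of jitter (beacon-like); 10.0.0.5 browses at irregular intervals;
# 10.0.0.12 makes three large uploads to a single external host.
SAMPLE_FLOWS = """\
1700000000 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000058 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000119 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000182 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000239 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000299 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000361 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000420 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000481 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000541 10.0.0.7 203.0.113.10 443 tcp 1200 3400
1700000005 10.0.0.5 198.51.100.20 443 tcp 15000 240000
1700000017 10.0.0.5 198.51.100.20 443 tcp 9000 120000
1700000317 10.0.0.5 198.51.100.20 443 tcp 22000 510000
1700000362 10.0.0.5 198.51.100.20 443 tcp 4000 60000
1700001262 10.0.0.5 198.51.100.20 443 tcp 18000 330000
1700000100 10.0.0.12 203.0.113.55 443 tcp 52428800 2048
1700000700 10.0.0.12 203.0.113.55 443 tcp 52428800 2048
1700001300 10.0.0.12 203.0.113.55 443 tcp 52428800 2048
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, b_out, b_in = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes_out": int(b_out), "bytes_in": int(b_in)})
    return flows


def find_beacons(flows, min_flows=5, max_cv=0.2):
    """Flag src->dst:port tuples whose start times are near-periodic.
    cv = stdev / mean of the gaps between connections; low cv = low jitter."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                            "mean_interval": avg, "cv": cv})
    return sorted(beacons, key=lambda b: b["cv"])


def find_exfil_candidates(flows, min_bytes=10 * 1024 * 1024):
    """Sum bytes sent per src->dst pair; large outbound totals to one external
    host are the starting point for quantifying what left the network."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    hits = [{"src": s, "dst": d, "bytes_out": b}
            for (s, d), b in totals.items() if b >= min_bytes]
    return sorted(hits, key=lambda h: -h["bytes_out"])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for b in find_beacons(flows):
        print("beacon candidate", b)
    for e in find_exfil_candidates(flows):
        print("exfil candidate", e)
```

The beacon test is intentionally blind to payload: it only needs connection start times, so it works on flow data and firewall logs even when no PCAP was retained. The exfiltration totals are the raw figure an investigator later reconciles against PCAP or proxy logs to describe what was taken.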


Day 4: Incident Reconstruction and Evidence Preservation 

  • Building an incident timeline from network evidence: Combining endpoint and network forensic data into a coherent, chronological incident narrative 

  • Evidence preservation for network data: Legal and forensic requirements for network evidence preservation, chain of custody for PCAP files 

  • Cloud network forensics: Reconstructing activity from VPC flow logs, cloud WAF logs, and cloud-native network monitoring across AWS, Azure, and GCP 

  • Exfiltration quantification: Calculating the volume and nature of data exfiltrated from network evidence for breach notification and regulatory reporting purposes 


Day 5: Reporting and Capstone 

  • Network forensic reporting: Translating technical network evidence into executive and legal-quality incident reports 

  • Expert witness considerations: The standards for network forensic evidence in legal and regulatory proceedings 

  • Capstone: A full network forensic investigation of a realistic enterprise incident. Candidates receive PCAP files, flow data, and log extracts covering a multi-stage attack from initial access through lateral movement to exfiltration. They must reconstruct the full incident timeline, identify all affected systems, quantify the exfiltration, and produce an investigation report. Assessed by a senior Xcademia DFIR practitioner. Verifiable at xcademia.com/verify. 

The XNFA capstone is the investigation that matters: a real attacker's trail in real network evidence. Not a multiple choice test about what the attacker might have done. The actual packets. The actual flow data. The actual DNS records. The practitioner who can reconstruct that trail is the one organisations call when the endpoint evidence has been cleaned up. 

Who Needs XNFA 

  • DFIR analysts who are strong in endpoint forensics and want to add network forensic capability 

  • SOC analysts moving into incident response who need the network investigation skills that SOC training typically does not develop at depth 

  • Threat hunters who use network data as a primary hunting surface 

  • Security architects who need to understand what network forensic evidence their architecture preserves and what it misses 

  • Managed security service providers building incident response capability for their client base

XNFA, built for network forensic investigators:

XNFA: five instructor-led days covering TCP/IP forensics, DNS analysis, flow data reconstruction, malware communication patterns, cloud network forensics, and a full incident reconstruction capstone. Practitioner-assessed. No MCQ. No renewal. The network forensics credential for DFIR professionals. Verifiable at xcademia.com/verify. 

Build Applied Network Forensics Capability With XNFA 

XNFA: five instructor-led days with live PCAP labs. Wireshark, NetFlow analysis, C2 communication patterns, cloud network forensics, and a full incident reconstruction capstone from initial access to exfiltration. No MCQ. No renewal. Verifiable at xcademia.com/verify. 
