Certified Network Forensic Analysis Manager

Certified Network Forensic Analysis Manager

The Certified Network Forensic Analysis Manager certification course was originally developed for the U.S. government, and has now been made available to city, county, and state law enforcement agencies.  Civilian personnel outside the law enforcement community are also authorized to attend on a case-by-case basis.

This comprehensive course brings incident response and network forensic core competencies to advanced levels by presenting students with 12 detailed learning objectives. Students will be provided with both experiential knowledge and practical skills that simulate real-world scenarios, investigations, and recovery of evidentiary data in systems and networks.  With a specific focus on the centralizing and investigating of logging systems and network devices, students will cover topics such as: Incident Response Management; Live Data Collection; Analysis Methodology; Malware Triage; and, practical lab exercises utilizing the Wireshark packet capturing tool for network investigations.

Course Outline and Learning Objectives

01) Preparing for Incidents / Forensic Investigations
02) Incident Response Management
03) Pre-Incident Preparation
04) Initiating Incident / Forensic Investigations
05) Initial Development of Leads
06) Principles of Live Data Collection

07) Principles of Network Evidence
08) Enterprise Services and Topology
09) Forensic Analysis Methodology
10) Static / Dynamic Malware Triage
11) Incident Remediation Methodologies
12) Wireshark Labs: Packet Capture Analysis

Wireshark Lab Exercises

01) Virtual Machine Setup in Kali Linux
02) The Wireshark User Interface
03) Customizing Wireshark Settings
04) Applying Capture Filters
05) Applying Display Filters

06) Color Rules and Packet Export
07) Creating Tables and Graphs
08) File and Object Reassembly
09) Adding Comments to Trace Files
10) Command-Line Capture Tools

Course Prerequisites

Students should possess a certification and/or work experience in digital forensics, and 24 months of professional experience in Information Security or Information Technology (with a focus in security).

Laptop with Lab Software Included

Phase2 Advantage: Certified Network Forensic Analysis Manager

All students attending the Certified Network Forensic Analysis Manager course will be provided with a Dell laptop loaded with all software required for the practical labs.  The software includes:

1) Oracle Virtual Box
2) Kali Linux O/S
3) Wireshark Packet Capturing Tool
4) Kali Tools Suite
5) Original ISO’s for VM Set-Up / Restoration

Students are encouraged to continue their course studies after the course completion.  A laptop carrying case will be provided for convenient transport to the students’ home location.

Course Materials

Course Textbook
Lab Textbook
Lecture / Lab Workbook
Dell Computer with Lab Software

Exam Prep Guide
Course Certification Certificate
CPE Completion Certificate
Certification Exam

Certification Exam and Daily Lunches Included in Course Fee.

Additional Information







5 Days


40 CPE Credits


Ask About Our Training Discounts

Phase2 Advantage offers discounts to non-profit organizations, federal agencies, law enforcement personnel, and the military affiliate community. We also offer group discounts. Email training@phase2advantage.com to see if your organization qualifies for one or more of our discount programs.

The Certified Network Forensic Analysis Manager course is a component of the career progression track that supports the following Categories, Specialty Areas and Work Roles as defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework:

Exploitation Analyst

Cyber Crime Investigator

Law Enforcement / Counterintelligence Forensics Analyst

All Source – Collection Manager

Cyber Intel Planner

Cyber Defense Forensics Analyst

Average Yearly Salary:

Certification Examination

Phase2 Advantage Certification Exam

Upon completion of this course, students will be prepared to sit for the Network Forensic Analysis Manager certification examination. A proctored examination will be offered at the conclusion of the final training day consisting of True/False, Multiple Choice, and Fill in the Blank questions.

Students will have two hours to complete a computer-based examination consisting of 100 questions. A score of 70% or higher is required to earn the certification. Upon successful completion of the exam, students will receive a hardcopy of their certification and a proctor validation document from the course instructor. Students will also receive a 40-hour CPE Certificate regardless of their exam score.

The examination is “open book.” However, students will only be allowed to use reference materials and notes presented during the course. Proctored examinations and proctor validation documents are only available for courses taken in a physical classroom environment.

View the Phase2 listing on