NetWitness Community

DanielSpier

This video covers many topics related to HTTP and TLS investigation, particularly in regards to NetWitness metadata and Wireshark fields. During the course of an investigation it’s important to have as much context as possible around typical behavior and false positive or false negative scenarios. This is especially true in use case development to ensure that coverage is maximized and that blind spots are minimized and understood.

Timestamps

HTTP Basics: 01:06
Investigation Mindset: 05:59
RFC Violations: 08:14
Unusual Behavior: 19:27
HTTPS: 25:16
HTTPS Meta: 29:12
Future Developments: 33:16
HTTP Versions: 41:15
Summary: 47:14

Time	Link	Description
1:14	https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP	Mozilla- Basics of HTTP
1:14	https://unit42.paloaltonetworks.com/tag/wireshark/	Unit 42- Wireshark Tutorials
1:14	https://portswigger.net/web-security	PortSwigger- Web Security Academy
5:20	https://developer.mozilla.org/en-US/docs/Web/HTTP/Resources_and_specifications	HTTP RFC Information
26:46	https://github.com/corelight/community-id-spec	Corelight- Community ID
33:52	https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/	Cloudflare- What Happens in a TLS Handshake
36:42	https://blog.cloudflare.com/encrypted-client-hello/	Cloudflare- Encrypted Client Hello
49:09	https://community.netwitness.com/t5/netwitness-community-blog/bg-p/netwitness-blog	NetWitness- Community Blogs
49:09	https://unit42.paloaltonetworks.com/	Palo Alto Unit 42
49:09	https://blog.securityonion.net/	Security Onion Blog
49:09	https://portswigger.net/daily-swig	Port Swigger News (inactive but a good reference)
49:09	https://blog.talosintelligence.com/	Cisco Talos Blog

NetWitness Community

Advanced HTTP and TLS Concepts (Video)