Masterclass: Forensics and Incident Handling [FOR]
Forensics and Incident Handling are constantly evolving and important issues in cybersecurity. The course provides the skills needed to find, collect and store data correctly, analyze it and learn as much about the incident as possible. Today, it is important to be constantly improved and updated so that you are not overtaken by the hackers.
This is an intense hands-on course covering the general approach to forensics and incident handling, network forensics, important aspects of Windows internals, memory and storage analysis, detecting indicators of compromise and a proper way of reporting.
Participant profile
IT professionals, Forensics and Incident Handling Specialists, Security Consultants, Enterprise Administrators, Infrastructure Architects, Security Professionals, Systems Engineers, Network Administrators and other people responsible for implementing network and perimeter security.
Content
- Types and Examples of Cybersecurity Incidents
- Signs of an Incident
- Incident Prioritization
- Incident Response and Handling Steps
- Procedures and Preparation
- Industry Best Practices
- Detecting Malware via DNS logs
- Configuration Change Management
- Leveraging Proxy and Firewall Data
- Monitoring Critical Windows Events
- Detecting Malware via Windows Event Logs
- Types and approaches to network monitoring
- Network evidence acquisition
- Network protocols and Logs
- LAB: Detecting Data Thievery
- LAB: Detecting WebShells
- Gathering data from network security appliances
- Detecting intrusion patterns and attack indicators
- Data correlation
- Hunting malware in network traffic
- Encoding and Encryption
- Introduction to Windows Internals
- Fooling Windows Task Manager
- Processes and threads
- PID and TID
- Information gathering from the running operating system
- Obtaining Volatile Data
- A deep dive to Autoruns
- Effective permissions auditing
- PowerShell get NTFS permissions
- Obtaining permissions information with AccessChck
- Unnecessary and malicious services
- Detecting unnecessary services with PowerShell
- Introduction to memory dumping and analysis
- Creating memory dump - Belkasoft RAM Capturer and DumpIt
- Utilizing Volatility to analyze Windows memory image
- Analyzing Stuxnet memory dump with Volatility
- Automatic memory analysis with Volatile
- Yara rules language
- Malware detonation
- Introduction to reverse engineering
- Introduction to storage acquisition and analysis
- Drive Acquisition
- Mounting Forensic Disk Images
- Introduction to NTFS File System
- Windows File System Analysis
- Autopsy with other filesystems
- Building timelines
- This module covers the restrictions and important details about digital evidence gathering. Moreover, a proper structure of digital evidence report will be introduced.
Examples of tools, software and examples used during the course
- Belkasoft RAM Capturer
- Wireshark
- Volatility
- The Sleuth Kit® (TSK)
- Autopsy
- DumpIt
- DC3DD
- Arsenal Image Mounter
- Reclaim Me
- ReFS Images
- SysInternals Toolkit -
- ShadowCopyView
- RegRipper
- Rifiuti2
- Registry Explorer/RECmd
- FullEventLogView
- EVTXtract
- Loki IOC Scanner
- Yara
- LECmd
- LinkParser
- PECmd
- SkypeLogViewer
- SQLiteBrowser
- NetWork Miner
- StuxNet Memory Dump
Materiale
Author’s unique tools, virtual lab environment, hands-on exercises, presentation slides with notes.
CPE Points (Continuing Professional Education)
It will be possible to earn CPE points after completion this course.
Form
Virtual with live trainer.
Before you participate on a virtual course, we always try to arrange a 15 - 20 minute test session with the participants a week before to make sure that everyone is capable to attend the Masterclass. Below you will find the technical requirements for connecting to the virtual training:
- A computer with a stable internet connection (preferably Windows or Mac OS)
- Permissions for outgoing RDP connections to external servers (to our lab environment) – port 3389
- A headset (headphones + microphone)
- Webcam (built-in or plug-in)
- Additional monitor will be helpful but it’s not required
Instructor
Paula Januszkiewicz is a word-renowned Security Expert. Paula loves to perform Penetration Tests, IT Security Audits, and after all she says: ‘harden’em all’! Enterprise Security MVP and trainer (MCT) and Microsoft Security Trusted Advisor
Do you have any course related questions, please contact
- Malene Kjærsgaard
- Konsulent
- +45 72202523