Known Network Intrusion Forensic Examinations

This 4-day intermediate class is designed to give students the skills and techniques to respond to a cyber intrusion incident. Students will learn the anatomy of an intrusion, the collection of memory and volatile artifacts, and techniques to unravel how the network was compromised.

Prerequisites

This hands-on course is geared towards forensic investigators with 6+ months experience in forensic case work with a basic understanding of Microsoft data structures.

To gain the maximum benefit from this course, you should meet or exceed the following requirements:

  • Read and understand the English language

  • Have attended basic digital forensic training

  • Have previous investigative experience in forensic case work

  • Be familiar with the Microsoft Windows environment and data recovery concepts

Course Outline

The course follows adult learning principles, using training aids such as presentations, diagrams and practical instructor-led examples. Each artifact covered is presented in one or two 50-minute sessions followed by review questions. Students are given the opportunity throughout the course to ask questions and discuss the objectives covered in more detail. Each day includes practical exercises to reinforce the topics, with a final practical at the culmination of the training.

The course is structured as follows:

Introduction and Tools Used on the Course

  • Introductions by the course instructor and students

  • An overview of the tools that will be used in the course for demonstrations and student practical exercises. References may be made to commercial products in addition to free and public-domain tools used during the course.

Planning Incident Response

  • Incident Response Plan
    Roles
    Indicators (IOC)
    Notification

  • Phases of Response
    Identification
    Monitoring / Containment
    Recovery
    Hardening

  • Anatomy of an Attack
    Common Progression
    Compromise
    Stabilization
    Expansion
    Collection
    Exfiltration

  • Response Methods
    Memory Collection
    Persistence Examination
    Execution Indicators
    Log Analysis

Live Response

  • Response Toolkit and Commands
    Create toolkit
    Sysinternals tools
    Command line tools

  • Basic Memory Structure
    Pages
    KDBG Kernel Debugger Data Block
    EPROCESS Block
    PEB Process Environment Block
    VAD Virtual Address Descriptor tree

  • Memory Acquisition
    Live Collection
    Pagefile
    Hiberfil
    Crash Dumps
    Virtual Machine Memory

  • Introduction to Volatility
    Profiles
    Plugins

  • Volatility Malicious Processes
    Pslist
    Psscan
    Pstree
    Pstotal
    Malprocfind
    Procdump
    Dlllist
    Dlldump

  • Volatility Memory Objects
    Handles
    Modules
    Moddump

Execution Identification / Log Analysis

  • Windows Artifacts
    Prefetch
    UserAssist
    Shimcache
    Amcache
    Link Files
    Recents Folder
    SRUM
    Volume Shadow Copies

  • Log File Analysis
    Lateral Movement
    Login Events
    RDP logs
    Account creation

  • Other Execution Identifiers
    Task Scheduler
    Services
    PSEXEC

Advanced Memory / Persistence

  • Volatility Network Artifacts
    Netscan
    Malfind

  • Volatility Command line invocation
    Cmdscan
    Consoles

  • Volatility Files
    Filescan
    Dumpfiles

  • Persistence Examinations

  • Introduction to Wireshark
    PCAP
    TCP/IP
    Beaconing activity

© Fulcrum Management 2012