This 4 day intermediate class is designed to provide the student with the skills and techniques to response to a cyber intrusion incident. The students will learn the anatomy of an intrusion, collection of memory and volatile artifacts, and techniques to unravel the mystery of how the network was compromised.

Prerequisites

This hands-on course is geared towards forensic investigators with 6+ months experience in forensic case work with a basic understanding of Microsoft data structures.

To gain the maximum benefit from this course, you should meet or exceed the following requirements:

• Read and understand the English language

• Have attended basic digital forensic training

• Have previous investigative experience in forensic case work

• Be familiar with the Microsoft Windows environment and data recovery concepts

  Course Outline

  The course will follow adult learning principles through training aids such as presentations, diagrams and practical instructor lead examples. Each artifact covered will be presented in either one or two 50 minute sessions followed by review questions. Students will be given the opportunity throughout the course to ask questions and discuss objectives covered in more detail. Throughout each day students will have practical exercises to work on in order to reinforce the topics with a final practical at the culmination of the training.

  The course will be structured as follows:

  Introduction and Tools Used on the Course

• Introductions by the course instructor and students

• An overview of the tools that will be utilized in the course for demonstrations and student practical exercises. References may be made to commercial products in addition to tools that are free and in the public domain to be utilized during the course.

Planning Incident Response

• Incident Response Plano Roles

  o Indicators (IOC)o Notification

• Phases of Responseo Identification

  o Monitoring / Containmento Recovery
  o Hardening

• Anatomy of an Attack
  o Common Progression

  § Compromise§ Stabilization§ Expansion
  § Collection
  § Exfiltration

• Response Methods
  o Memory Collection

  o Persistence Examinationo Execution Indicators
  o Log Analysis

  Live Response

• Response T oolkit and Commandso Create toolkit

  o Sysinternal tools
  o Command line tools

• Basic Memory Structureo Pages

  o KDBG – Kernel Debugger Data Blocko EPROCESS Block
  o PEB – Process Environment Block
  o VAD – Virtual Address Descriptor tree

• Memory Acquisitiono Live Collection

  o Pagefile
  o Hiberfil
  o Crash Dumps
  o Virtual Machine Memory

• Introduction to Volatilityo Profiles

  o Plugins

• Volatility – Malicious Processeso Pslist

  o Psscan
  o Pstree
  o Pstotal
  o Malprocfindo Procdumpo Dlllist

  o Dlldump

• Volatility – Memory Objectso Handles

  o Moduleso Moddump

  Execution Identification / Log Analysis

• Windows Artifactso Prefetch

  o UserAssist
  o Shimcache
  o Amcache
  o Link Files
  o Recents Foldero SRUM

  o Volume Shadow Copies

• Log File Analysis
  o Lateral Movement

  o Login Events
  o RDP logs
  o Account creation

• Other Execution Identifierso Task Scheduler

o Serviceso PSEXEC

Advanced Memory / Persistence

• Volatility – Network Artifactso Netscan

  o Malfind

• Volatility – Command line invocationo Cmdscan

  o Consoles

• Volatility – Fileso Filescan

  o Dumpfiles

• Persistence Examinations

• Introduction to Wiresharko PCAP

  o TCP/IP
  o Beaconing activity