About the course
The Windows forensics course consists of recorded video lectures and practical sessions with a trainer. You will receive the lectures for self-study two weeks before the course begins and will consolidate that knowledge during the practical sessions.
There is a growing demand among companies worldwide to understand how security incidents occur so that they can prevent them from harming their businesses. Yet with malicious activity showing no signs of slowing down in either volume or frequency, many incidents go unnoticed or are not investigated properly. As a result, organizations often become repeat victims of compromise, suffering financial and reputational losses along the way.
The aftermath of a cyberattack can be devastating, but a thorough and adequate investigation can guarantee that a company never becomes a repeat victim. That’s what we cover in the course.
This five-day intensive course gives an in-depth grasp of the three core elements of Windows DFIR: acquisition methods, memory forensics, and host-based forensics for incident response.
Key topics covered:
- Digital forensics for incident response
- Use of CTI during incident response
- Acquisition of digital evidence
- Forensic image creation
- Host artifacts
- Memory dump creation
- Memory artifacts
- Alternative sources of volatile data
Skills acquired:
- Understanding data acquisition methods
- Using memory forensics and host-based forensics for incident response needs
- Creating and analyzing forensic images and memory dumps
- Reconstructing TTPs used by attackers
Target participants:
- Information security specialists
- Technical specialists with experience in information security
- Incident responders
Requirements:
- Skills and experience in Windows administration
- A basic understanding of file systems, cyberattack processes, and the principles of malware operation
Course program
Day 1
The practical part of the training begins with a discussion of the CTI-driven approach. We explore how threat intelligence can be applied in incident response and discuss the advantages of this approach. Next, we move on to data collection: participants practice creating forensic images and become familiar with the process of analyzing them. Most of the first day is devoted to analyzing host-based artifacts, in particular NTFS file system metafiles and core system files.
Day 2
Day two continues the topic of host-based analysis. Attendees learn how to examine files associated with the most popular applications and databases, and how to work with the Windows Registry and event logs. At the end of the day we cover the analysis of suspicious documents and scripts, and participants analyze malicious files themselves.
Day 3
Day three begins with practice creating and analyzing memory dumps. Participants learn the basic techniques for investigating user activity. To reinforce the knowledge gained, attendees analyze a RAM dump on their own and identify traces of malicious user activity.
Day 4
Day four begins with techniques for finding malicious activity in memory dumps, as well as a review of the basic tactics and techniques used by malware. Another practical case study follows, after which the session moves on to explore alternative sources of volatile data. We cover how to collect and analyze hibernation files, page files, and crash dumps.
Day 5
On the last day participants work independently. They are given a forensic image from which to extract and analyze artifacts, along with two sets of questions (basic and advanced) to test their understanding of the incident. As part of the test they also search for additional artifacts to capture the full incident landscape and map it to the MITRE ATT&CK® matrix. The test ends with a discussion of the results and findings, and a demonstration of the proper techniques and best practices.