Masterclass: Forensics and Incident Handling – EY Academy of Business

Masterclass: Forensics and Incident Handling

Forensics and Incident Handling are constantly evolving and crucial topics in the area of cybersecurity. In order to stay on top of the attackers, the knowledge of Individuals and Teams responsible for collecting digital evidence and handling the incidents has to be constantly enhanced and updated.

This advanced training provides skills necessary to find, collect and preserve data in a correct manner, analyze it and get to know as much about the incident as possible.

This is an intense hands-on course covering the general approach to forensics and incident handling, network forensics, important aspects of Windows internals, memory and storage analysis, detecting indicators of compromise and a proper way of reporting.

IT professionals, Forensics and Incident Handling Specialists, Security Consultants, Enterprise Administrators, Infrastructure Architects, Security Professionals, Systems Engineers, Network Administrators and other people responsible for implementing network and perimeter security.

This advanced training provides skills necessary to find, collect and preserve data in a correct manner, analyze it and get to know as much about the incident as possible.

Participants have access to the author’s unique tools, virtual lab environment, hands-on exercises and presentation slides with notes.

Examples of tools, software and examples used during the course:

  • Belkasoft RAM Capturer
  • Wireshark
  • Volatility
  • The Sleuth Kit® (TSK)
  • Autopsy
  • DumpIt
  • DC3DD
  • Arsenal Image Mounter
  • Reclaim Me
  • ReFS Images
  • SysInternals Toolkit
  • ShadowCopyView
  • RegRipper
  • Rifiuti2
  • Registry Explorer/RECmd
  • FullEventLogView
  • EVTXtract
  • Loki IOC Scanner
  • Yara
  • LECmd
  • LinkParser
  • PECmd
  • SkypeLogViewer
  • SQLiteBrowser
  • NetWork Miner
  • StuxNet Memory Dump

Module 1: Introduction to Incident Handling

1. Types and Examples of Cybersecurity Incidents
2. Signs of an Incident
3. Incident Prioritization
4. Incident Response and Handling Steps
5. Procedures and Preparation

Module 2: Incident Response and Handling Steps

1. How to Identify an Incident
2. Handling Incidents Techniques
3. Incident Response Team Services
4. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
5. Incident Response Best Practices
6. Incident Response Policy
7. Incident Response Plan Checklist
8. Incident Handling Preparation
9. Incident Prevention
10. Following the Containment Strategy to Stop Unauthorized Access
11. Eradication and Recovery
12. Detecting the Inappropriate Usage Incidents
13. Multiple Component Incidents
14. Containment Strategy to Stop Multiple Component Incidents

Module 3: Windows Internals

1. Introduction to Windows Internals
2. Fooling Windows Task Manager
3. Processes and threads
4. PID and TID
5. Information gathering from the running operating system
6. Obtaining Volatile Data
7. A deep dive into Autoruns
8. Effective permissions auditing
9. PowerShell gets NTFS permissions
10. Obtaining permissions information with AccessChck
11. Unnecessary and malicious services
12. Detecting unnecessary services with PowerShell

Module 4: Handling Malicious Code Incidents

1. Count of Malware Samples
2. Virus, Worms, Trojans and Spywares
3. Incident Handling Preparation
4. Incident Prevention
5. Detection of Malicious Code
6. Containment Strategy
7. Evidence Gathering and Handling
8. Eradication and Recovery

Module 5: Network Forensics and Monitoring

1. Types and approaches to network monitoring
2. Network evidence acquisition
3. Network protocols and Logs
4. LAB: Detecting Data Thievery
5. LAB: Detecting WebShells
6. Gathering data from network security appliances
7. Detecting intrusion patterns and attack indicators
8. Data correlation
9. Hunting malware in network traffic
10. Encoding and Encryption
11. Denial-of-Service Incidents
12. Distributed Denial-of-Service Attack
13. Detecting DoS Attack
14. Incident Handling Preparation for DoS
15. DoS Response and Preventing Strategies

Module 6: Securing Monitoring Operations and Evidence Gathering

1. Industry Best Practices
2. Objectives of Forensics Analysis
3. Role of Forensics Analysis in Incident Response
4. Forensic Readiness And Business Continuity
5. Types of Computer Forensics
6. Computer Forensic Investigator
7. Computer Forensics Process
8. Collecting Electronic Evidence
9. Challenging Aspects of Digital Evidence
10. Forensics in the Information System Life Cycle
11. Forensic Analysis Guidelines
12. Forensics Analysis Tools
13. Memory acquisition techniques

Module 7: Memory: Dumping and Analysis

1. Introduction to memory dumping and analysis
2. Creating memory dump – Belkasoft RAM Capturer and DumpIt
3. Utilizing Volatility to analyze Windows memory image
4. Analyzing Stuxnet memory dump with Volatility
5. Automatic memory analysis with Volatile

Module 8: Memory: Indicators of compromise

1. Yara rules language
2. Malware detonation
3. Introduction to reverse engineering

Module 9: Disk: Storage Acquisition and Analysis

1. Introduction to storage acquisition and analysis
2. Drive Acquisition
3. Mounting Forensic Disk Images
4. Virtual disk images
5. Signature vs. file carving
6. Introduction to NTFS File System
7. Windows File System Analysis
8. Autopsy with other filesystems
9. External device usage data extraction (USB usage etc.)
10. Reviving the account usage
11. Extracting data related to the recent use of application, file etc.
12. Recovering data after deleting partitions
13. Extracting deleted file and file-related information
14. Extracting data from file artifacts like $STANDARD_INFORMATION etc.
15. Password recovery
16. Extracting Windows Indexing Service data
17. Deep-dive into Automatic Destinations
18. Detailed analysis of Windows Prefetch
19. Extracting information about program execution (UserAssist, RecentApps, Shimcache, appcompatcache etc.)
20. Extracting information about browser usage (web browsing history, cache, cookies etc.)
21. Communicator apps data extraction
22. Extracting information about network activity
23. Building timelines

Module 10: Reporting – Digital Evidence

This module covers the restrictions and important details about digital evidence gathering. Moreover, a proper structure of the digital evidence report will be introduced.

Masterclass: Forensics and Incident Handling

Forensics and Incident Handling are constantly evolving and crucial topics in the area of cybersecurity. In order to stay on top of the attackers, the knowledge of Individuals and Teams responsible for collecting digital evidence and handling the incidents has to be constantly enhanced and updated.

This advanced training provides skills necessary to find, collect and preserve data in a correct manner, analyze it and get to know as much about the incident as possible.

This is an intense hands-on course covering the general approach to forensics and incident handling, network forensics, important aspects of Windows internals, memory and storage analysis, detecting indicators of compromise and a proper way of reporting.

For whom?

IT professionals, Forensics and Incident Handling Specialists, Security Consultants, Enterprise Administrators, Infrastructure Architects, Security Professionals, Systems Engineers, Network Administrators and other people responsible for implementing network and perimeter security.

Objectives and benefits

This advanced training provides skills necessary to find, collect and preserve data in a correct manner, analyze it and get to know as much about the incident as possible.

Participants have access to the author’s unique tools, virtual lab environment, hands-on exercises and presentation slides with notes.

Examples of tools, software and examples used during the course:

  • Belkasoft RAM Capturer
  • Wireshark
  • Volatility
  • The Sleuth Kit® (TSK)
  • Autopsy
  • DumpIt
  • DC3DD
  • Arsenal Image Mounter
  • Reclaim Me
  • ReFS Images
  • SysInternals Toolkit
  • ShadowCopyView
  • RegRipper
  • Rifiuti2
  • Registry Explorer/RECmd
  • FullEventLogView
  • EVTXtract
  • Loki IOC Scanner
  • Yara
  • LECmd
  • LinkParser
  • PECmd
  • SkypeLogViewer
  • SQLiteBrowser
  • NetWork Miner
  • StuxNet Memory Dump
Programme

Module 1: Introduction to Incident Handling

1. Types and Examples of Cybersecurity Incidents
2. Signs of an Incident
3. Incident Prioritization
4. Incident Response and Handling Steps
5. Procedures and Preparation

Module 2: Incident Response and Handling Steps

1. How to Identify an Incident
2. Handling Incidents Techniques
3. Incident Response Team Services
4. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
5. Incident Response Best Practices
6. Incident Response Policy
7. Incident Response Plan Checklist
8. Incident Handling Preparation
9. Incident Prevention
10. Following the Containment Strategy to Stop Unauthorized Access
11. Eradication and Recovery
12. Detecting the Inappropriate Usage Incidents
13. Multiple Component Incidents
14. Containment Strategy to Stop Multiple Component Incidents

Module 3: Windows Internals

1. Introduction to Windows Internals
2. Fooling Windows Task Manager
3. Processes and threads
4. PID and TID
5. Information gathering from the running operating system
6. Obtaining Volatile Data
7. A deep dive into Autoruns
8. Effective permissions auditing
9. PowerShell gets NTFS permissions
10. Obtaining permissions information with AccessChck
11. Unnecessary and malicious services
12. Detecting unnecessary services with PowerShell

Module 4: Handling Malicious Code Incidents

1. Count of Malware Samples
2. Virus, Worms, Trojans and Spywares
3. Incident Handling Preparation
4. Incident Prevention
5. Detection of Malicious Code
6. Containment Strategy
7. Evidence Gathering and Handling
8. Eradication and Recovery

Module 5: Network Forensics and Monitoring

1. Types and approaches to network monitoring
2. Network evidence acquisition
3. Network protocols and Logs
4. LAB: Detecting Data Thievery
5. LAB: Detecting WebShells
6. Gathering data from network security appliances
7. Detecting intrusion patterns and attack indicators
8. Data correlation
9. Hunting malware in network traffic
10. Encoding and Encryption
11. Denial-of-Service Incidents
12. Distributed Denial-of-Service Attack
13. Detecting DoS Attack
14. Incident Handling Preparation for DoS
15. DoS Response and Preventing Strategies

Module 6: Securing Monitoring Operations and Evidence Gathering

1. Industry Best Practices
2. Objectives of Forensics Analysis
3. Role of Forensics Analysis in Incident Response
4. Forensic Readiness And Business Continuity
5. Types of Computer Forensics
6. Computer Forensic Investigator
7. Computer Forensics Process
8. Collecting Electronic Evidence
9. Challenging Aspects of Digital Evidence
10. Forensics in the Information System Life Cycle
11. Forensic Analysis Guidelines
12. Forensics Analysis Tools
13. Memory acquisition techniques

Module 7: Memory: Dumping and Analysis

1. Introduction to memory dumping and analysis
2. Creating memory dump – Belkasoft RAM Capturer and DumpIt
3. Utilizing Volatility to analyze Windows memory image
4. Analyzing Stuxnet memory dump with Volatility
5. Automatic memory analysis with Volatile

Module 8: Memory: Indicators of compromise

1. Yara rules language
2. Malware detonation
3. Introduction to reverse engineering

Module 9: Disk: Storage Acquisition and Analysis

1. Introduction to storage acquisition and analysis
2. Drive Acquisition
3. Mounting Forensic Disk Images
4. Virtual disk images
5. Signature vs. file carving
6. Introduction to NTFS File System
7. Windows File System Analysis
8. Autopsy with other filesystems
9. External device usage data extraction (USB usage etc.)
10. Reviving the account usage
11. Extracting data related to the recent use of application, file etc.
12. Recovering data after deleting partitions
13. Extracting deleted file and file-related information
14. Extracting data from file artifacts like $STANDARD_INFORMATION etc.
15. Password recovery
16. Extracting Windows Indexing Service data
17. Deep-dive into Automatic Destinations
18. Detailed analysis of Windows Prefetch
19. Extracting information about program execution (UserAssist, RecentApps, Shimcache, appcompatcache etc.)
20. Extracting information about browser usage (web browsing history, cache, cookies etc.)
21. Communicator apps data extraction
22. Extracting information about network activity
23. Building timelines

Module 10: Reporting – Digital Evidence

This module covers the restrictions and important details about digital evidence gathering. Moreover, a proper structure of the digital evidence report will be introduced.

Price

EUR 3500

Location

Online

Date

Date will be announced soon

Contact

EY Academy of Business

  • +48 22 701 00 00
  • academyofbusiness@pl.ey.com