
Practical Incident Response With Digital Forensics & Malware Analysis

Internet Initiative Japan Inc. | August 4-7



Overview

Digital forensics and incident response are indispensable techniques for protecting organizations from attacks. Furthermore, in recent years many malware-related attacks have occurred in enterprise environments, so deep knowledge of malware, and of the attack tools delivered through it, is needed as well. For example, a RAT may have a function that uploads files to an infected host. While a file is being uploaded, the malware creates a temporary file whose name is the original file name with a ".tmp" extension appended. Once malware analysis has established this behavior, the files the attackers sent can be discovered by analyzing the NTFS journal file. This is why we believe malware analysis is needed.
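As an added illustration of the ".tmp" example above (this is not code from the course or from IIJ), the script below parses USN_RECORD_V2 entries as found in $UsnJrnl:$J and flags files that were first created under a ".tmp" name, reporting the original name that the upload routine would have used. The journal bytes are constructed inline for the example; the record layout and USN_REASON_* flag values are taken from winioctl.h, while the assumption that the RAT renames the temporary file back to the original name once the transfer completes is mine (a ".tmp" that is never renamed is still reported).

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags as defined in winioctl.h
USN_REASON_DATA_OVERWRITE  = 0x00000001
USN_REASON_DATA_EXTEND     = 0x00000002
USN_REASON_FILE_CREATE     = 0x00000100
USN_REASON_FILE_DELETE     = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE           = 0x80000000

# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
_USN_V2 = struct.Struct("<IHHQQQQIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Convert a 100 ns FILETIME value to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 found in buf (bytes of $UsnJrnl:$J)."""
    off = 0
    while off + _USN_V2.size <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _USN_V2.unpack_from(buf, off)
        if rec_len == 0:
            # $J is sparse: runs of zero bytes sit between record pages.
            off += 8
            continue
        if major == 2 and name_off + name_len <= rec_len:
            name = buf[off + name_off: off + name_off + name_len].decode("utf-16-le")
            yield {"usn": usn, "frn": frn, "parent_frn": parent_frn,
                   "time": filetime_to_dt(ts), "reason": reason,
                   "attrs": attrs, "name": name}
        off += rec_len          # RecordLength already includes 8-byte alignment padding


def find_tmp_uploads(records, suffix=".tmp"):
    """Report files first created as '<original><suffix>' plus the name they were renamed to.
    The rename correlation uses the file reference number, so it survives the name change."""
    pending = {}               # file reference number -> first creation record
    found = []
    for r in sorted(records, key=lambda r: r["usn"]):
        if r["reason"] & USN_REASON_FILE_CREATE and r["name"].lower().endswith(suffix):
            pending.setdefault(r["frn"], r)   # later CREATE|DATA_EXTEND|CLOSE records are cumulative
        elif r["reason"] & USN_REASON_RENAME_NEW_NAME and r["frn"] in pending:
            c = pending.pop(r["frn"])
            found.append({"tmp_name": c["name"], "original_name": c["name"][:-len(suffix)],
                          "renamed_to": r["name"], "created": c["time"], "renamed": r["time"]})
    for c in pending.values():  # .tmp files that never got renamed are still worth a look
        found.append({"tmp_name": c["name"], "original_name": c["name"][:-len(suffix)],
                      "renamed_to": None, "created": c["time"], "renamed": None})
    return found


def _build_record(usn, frn, parent_frn, when, reason, name):
    """Pack one USN_RECORD_V2. Used only to construct the sample journal below."""
    name_b = name.encode("utf-16-le")
    rec_len = (_USN_V2.size + len(name_b) + 7) & ~7
    ft = (when - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    hdr = _USN_V2.pack(rec_len, 2, 0, frn, parent_frn, usn, ft, reason,
                       0, 0, 0x20, len(name_b), _USN_V2.size)
    return hdr + name_b + b"\0" * (rec_len - _USN_V2.size - len(name_b))


# Constructed sample journal (hypothetical file reference numbers and USNs, not real data).
_T0 = datetime(2018, 8, 6, 10, 0, 0, tzinfo=timezone.utc)
_DOCS, _F1, _F2, _F3 = 0x0005000000000123, 0x0001000000000456, 0x0001000000000789, 0x0001000000000ABC
SAMPLE_J = b"".join([
    _build_record(100, _F1, _DOCS, _T0, USN_REASON_FILE_CREATE, "plan.xlsx.tmp"),
    _build_record(101, _F1, _DOCS, _T0 + timedelta(seconds=1),
                  USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND, "plan.xlsx.tmp"),
    _build_record(102, _F1, _DOCS, _T0 + timedelta(seconds=2),
                  USN_REASON_FILE_CREATE | USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "plan.xlsx.tmp"),
    _build_record(103, _F1, _DOCS, _T0 + timedelta(seconds=3), USN_REASON_RENAME_OLD_NAME, "plan.xlsx.tmp"),
    _build_record(104, _F1, _DOCS, _T0 + timedelta(seconds=3), USN_REASON_RENAME_NEW_NAME, "plan.xlsx"),
    _build_record(105, _F1, _DOCS, _T0 + timedelta(seconds=3),
                  USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "plan.xlsx"),
    b"\0" * 16,                                   # zero padding between journal pages
    _build_record(106, _F2, _DOCS, _T0 + timedelta(minutes=5),
                  USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "report.docx"),
    _build_record(107, _F3, _DOCS, _T0 + timedelta(minutes=7),
                  USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "dump.7z.tmp"),
])


def report(journal=SAMPLE_J):
    return find_tmp_uploads(parse_usn_v2(journal))


if __name__ == "__main__":
    for hit in report():
        print(hit)
```

On a real image, read $J with a tool that handles the sparse $Extend\$UsnJrnl stream (or carve it) and pass the bytes to parse_usn_v2; the file reference numbers in the output can then be matched against $MFT entries to recover the full path of the uploaded file.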

In this course, we provide a virtual enterprise environment for investigation and targeted attack scenarios against that environment, so that attendees can learn all these techniques. The attack scenario is based on actual incidents. For example, attackers exploit a client PC and download RAT malware. They then gain administrator rights, execute Mimikatz to obtain higher-privileged credentials, generate a "Golden Ticket", and move laterally. Finally, they steal the victim's confidential documents. Hence, attendees can achieve the same result through our scenario as by solving actual cases. We also provide additional artifacts from attacks that are not included in our scenario. This will give attendees the experience and knowledge necessary for solving many cases.

Our training course offers the latest supported Windows versions (Windows 7/8.1/10, Server 2012 R2/2016) as HDD/memory images for investigation. We also provide a pre-built analysis VM, outputs of analysis tools, and IDC/IDAPython script templates for IDA Pro, so that participants can learn efficiently without setting up analysis tools or waiting for tools to finish running. This allows participants to experience more than 100 artifacts and exercises. By the end of this course you will have almost the same knowledge as the instructors.

If you would like to know the highlights of our course and get the sample training slides, see the blog post below.

https://sect.iij.ad.jp/en/d/2018/04/044132.html


Course Outline

Day 1:
  • 1. Overview
  • 2. Acquisition
    • Acquisition Procedures
    • HDD Imaging Tools
    • Memory Imaging Tools
  • 3. Disk Image Mounting and Parsing
    • Disk Image Mounting Tools
    • Disk Image Parsing Tools
  • 4. Persistence Analysis
    • Autoruns (Run keys, Startups, Services ...)
    • Autoruns Offline Analysis Tips
    • WMI
    • Scheduled Tasks
  • 5. Malware Analysis
    • Surface Analysis (Calculating Hashes, Parsing Headers, Examining Imported Modules and APIs)
    • Dynamic Analysis 1: Execution and Observation (Capturing Registry, File, and Network I/O Activities, Identifying C2 Servers, Acquiring Malware's Characteristics)
    • Dynamic Analysis 2: Preparation for Reverse Engineering (Unpacking Malware, Tracing Process Hollowing)

Day 2:
  • 5. Malware Analysis (Cont.)
    • Reverse Engineering Malware with Automated Scripts (Finding String Decode Routines and Obtaining Decoded Strings, Finding Dispatch Routines, Identifying Capabilities)
  • 6. Live Forensics/Response
    • Autoruns Online Analysis
    • Anti-Autoruns and Anti-Anti-Autoruns Techniques
    • Examining Process Tree With Process Explorer/Hacker
    • Finding Malicious Modules and Injected Code With Process Explorer/Hacker
    • Analyzing Strings in Process Memory
  • 7. Root Cause Analysis
    • Proxy Log Analysis
    • Investigating Web Browser Activities (Parsing History and Cache, Recovering History Records)
    • Email Forensics (Parsing Mailboxes, Investigating Headers and Attachments)
    • Investigating File/Folder Open/Save Activities (Internet Explorer History, Shellbags, Recent Docs ...)
    • Analyzing Task Scheduler/AT

Day 3:
  • 7. Root Cause Analysis (Cont.)
    • Exploits Analysis (Identifying Vulnerabilities)
  • 8. Investigating Lateral Movements
    • Program Execution Artifacts (Prefetch, Shimcache, Amcache.hve ...)
    • Event Log Analysis (PowerShell Events, Task Scheduler Events, Remote Logon Events ...)
    • Analyzing PowerShell Attacks
    • Analyzing Attack Tools
  • 9. Timeline Analysis
    • Parsing Metadata Information ($MFT, $Logfile, $UsnJrnl:$J)
    • Building Timeline With Registry Keys

Day 4:
  • 9. Timeline Analysis (Cont.)
  • 10. Finding Leaked Information and Recovering Lost Data
    • File Access Related Artifacts (File Sharing Events, MountPoints2, USB Related Artifacts)
    • Recovering and Analyzing Lost Data (RecycleBin, MFT, VSS, File/Per-Record Carving)
    • Keyword Search (Finding Out Evidence for Attack Tools' Execution, Passphrases for Encrypted Archives Such As RAR and 7zip)
  • 11. Discussion for Various Important Registry Keys
  • 12. Memory Forensics
    • Examining Processes and TCP/IP Communications
    • Finding Malicious Code Injection
    • Acquiring Malware Configurations
    • Examining OS Artifacts in Memory
  • 13. Wrap Up

Who Should Take this Course

Incident responders, Forensic Investigators, Malware Analysts, SOC team members, CSIRT members and IT admins.

Student Requirements

Students must have:
  • a working understanding of Windows OS (file system, registry and command-line)
  • basic knowledge of Active Directory and Windows security architectures
  • TCP/IP fundamentals
  • programming experience (lightweight languages such as Python and Perl are acceptable)
  • x86/x64 architecture fundamentals (CPU, register, memory, and how program and OS work)
  • a working understanding of VMware/VirtualBox (importing VMs, handling snapshots, modifying configurations)

What Students Should Bring

A laptop with the following minimum specifications:
  • Hardware:
    • 2.0+ GHz, multi-core CPU
    • 8+ GB of RAM
    • 50+ GB of disk space (We recommend SSD)
    • At least one USB 3.0 port (Type-A, not USB Type-C), and you must be permitted to attach external devices to that port
    • IMPORTANT: We will provide all materials on a portable USB HDD.
    • A wireless network interface card
  • Software:
    • Windows OS (7+) / macOS (10.12+) as a host OS with administrator rights
    • VMware Workstation (12+) / Fusion (8+) or VirtualBox (5.1+)
    • Full access rights for USB devices

What Students Will Be Provided With

We provide course slides, a pre-built analysis VM, disk/memory images for investigation, and additional artifacts. These are delivered on a portable 2.5-inch USB 3.0 HDD.

HDD/memory images for investigation are:
  • Windows Servers
    • Windows Server 2016 (Active Directory Server)
    • Windows Server 2012 R2 (File Server)
  • Windows Clients
    • Windows 10 Pro x64
    • Windows 8.1 Pro x64
    • Windows 7 Professional x86

Trainers

Hiroshi Suzuki is a malware analyst, forensic investigator and incident responder working for a Japanese ISP, Internet Initiative Japan Inc. He is a member of IIJ-SECT, the company's private CSIRT. His main jobs include analyzing malware and vulnerabilities, observing malware activities, threat intelligence on cyber espionage groups, digital forensics, and incident response for his company and its customers. He is especially interested in targeted attacks and the RATs and attack tools used in them, such as PlugX and Mimikatz. He has over 12 years dedicated to those areas. He is a speaker and hands-on trainer at international conferences such as Black Hat and FIRST.

Hisao Nashiwa is a threat analyst working for Internet Initiative Japan as a member of the company's CSIRT. His main jobs include incident response, analyzing malware, and analyzing network traffic; he has been observing malicious activities for over nine years. He researches cyber crime such as exploit kits and malware, and has five years of experience in analyzing malware. He is a speaker and trainer at international conferences such as FIRST.

Keisuke Muda is an analyst in the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider in Japan. As a member of IIJ SOC, he analyzes logs sent from the various devices installed in IIJ SOC customers' networks. He also researches and investigates software vulnerabilities; when a critical vulnerability is discovered, he analyzes and summarizes it to share with IIJ customers to help ensure their security. Before becoming an analyst, he worked in system integration. With that background, he also takes a role in enhancing IIJ SOC services and their infrastructure.