Effective Threat Hunting & Incident Response

Andrew Case | December 4 - 5



Overview

Modern threats necessitate that defenders are able to quickly and effectively find threats and anomalous artifacts on a suspect system. As evidenced by numerous breaches over the last several years, automated security tools are not able to detect threats by skilled actors who utilize tools and processes meant specifically to avoid such detection. Instead, manual examination by a trained analyst must be performed in order to find signs of attacker activities, such as malware installation, lateral movement, credential theft, and data gathering and exfiltration.

This hands-on course teaches the skills necessary to detect and combat such threats, and the course's materials are developed based on real-world investigations. The class is structured so that a specific analysis technique is discussed and then students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives the investigator a number of new skills as the course proceeds. Students who take this course are then able to immediately apply their newly learned skills to combat a wide variety of threats.

The following is a non-exhaustive list of the file system-based artifacts and analysis types covered in the class:

  • NTFS analysis
  • Registry analysis
  • LNK files & Jump Lists
  • Prefetch files
  • Scheduled tasks
  • Event Logs
  • Services


The following is a non-exhaustive list of the volatile, in-memory artifacts and analysis types covered in the class:

  • Detection of injected code (userland and kernel)
  • Fileless malware
  • Memory-only malware
  • PowerShell- and WMI-based toolkits
  • Deception of live security tools


For each of these artifacts and analysis types, students will learn how to quickly acquire and analyze the evidence and determine whether there are anomalous items requiring deeper examination. As part of the class materials, students will be given a checklist that walks them through a repeatable process that ensures every artifact of interest is examined. After the class is completed, this checklist can be applied to real investigations.

The skills taught in this class can be used for both proactive searching of threats, such as when performing threat hunting, as well as during incident response handling once a breach or compromise has been discovered.

Who Should Take this Course

Digital forensics staff, incident response handlers, SOC team members, network and systems administrators, and managers in the IT and IT security realm

Student Requirements

The course assumes previous forensics knowledge equivalent to that of a junior investigator. Systems administrators and other IT staff often have these skills even if they have never applied them to forensics. The hands-on exercises are designed to provide a learning experience for investigators of all skill levels (there will be different objectives based on previous skill set). Scripting experience (Python, Perl, Ruby, etc.) will be helpful, but not required, for automating the analysis and reporting of results from the exercises.

What Students Should Bring

Hardware:

Laptop with the following minimum specifications:
  • 2.0 GHz, multi-core CPU
  • 8 GB of RAM
  • 20 GB of disk space
  • USB 2.0/3.0 ports
  • Wireless Network Interface Card if internet access is desired

Software:

Laptops must have access to a Windows installation, either as a virtual machine or installed directly on the laptop. VMware Workstation, Player, or Fusion must be installed. A PDF reader is also required. If students wish to examine evidence from their own Windows installation, they must have a decompression tool installed that can handle a wide variety of formats (tar, gzip, bzip2, RAR, etc.). 7-Zip and WinRAR meet these criteria and are free.

What Students Will Be Provided With

A USB drive with:
  • A Linux VM set up with the needed Linux tools installed
  • All of the Windows tools used throughout the class
  • All of the lab material
  • The investigation process checklist
  • Select relevant reading material such as whitepapers and presentations

Trainers

Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis framework. He is a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory". He has delivered trainings in the fields of digital forensics and incident response to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.