Modern threats require that defenders be able to quickly and effectively find threats and anomalous artifacts on a suspect system. As evidenced by numerous breaches over the last several years, automated security tools are not able to detect threats from skilled actors who use tools and processes designed specifically to avoid such detection. Instead, a trained analyst must perform manual examination in order to find signs of attacker activity, such as malware installation, lateral movement, credential theft, and data gathering and exfiltration.
This hands-on course teaches the skills necessary to detect and combat such threats, and the course's materials are developed based on real-world investigations. The class is structured so that a specific analysis technique is discussed and then students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives the investigator a number of new skills as the course proceeds. Students who take this course are then able to immediately apply their newly learned skills to combat a wide variety of threats.
The following is a non-exhaustive list of the file system-based artifacts and analysis types covered in the class:
- NTFS analysis
- Registry analysis
- LNK files & Jump Lists
- Prefetch files
- Scheduled tasks
- Event Logs
- Services
The following is a non-exhaustive list of the volatile, in-memory artifacts and analysis types covered in the class:
- Detection of injected code (userland and kernel)
- Fileless malware
- Memory-only malware
- PowerShell- and WMI-based toolkits
- Deception of live security tools
For each of these artifacts and analysis types, students will learn how to quickly acquire and analyze the data and determine whether there are anomalous items requiring deeper examination. As part of the class materials, students will be given a checklist that walks them through a repeatable process ensuring that every artifact of interest is examined. After the class is completed, this checklist can be applied to real investigations.
The skills taught in this class can be used both for proactive searching for threats, such as when performing threat hunting, and during incident response once a breach or compromise has been discovered.
Digital forensics staff, incident response handlers, SOC team members, network and systems administrators, and managers in the IT and IT security realm
The course assumes previous forensics knowledge equivalent to that of a junior investigator. Systems administrators and other IT staff often have these skills even if they have never applied them to forensics. The hands-on exercises are designed to provide a learning experience for investigators of all skill levels (there will be different objectives based on previous skill set). Scripting experience (Python, Perl, Ruby, etc.) will be helpful, but not required, for automating the analysis and reporting of results from the exercises.
Hardware:
Laptop with the following minimum specifications:
- 2.0 GHz, multi-core CPU
- 8 GB of RAM
- 20 GB of disk space
- USB 2.0/3.0 ports
- Wireless Network Interface Card if internet access is desired
Software:
Laptops must have access to a Windows installation, either as a virtual machine or installed directly on the laptop. VMware Workstation, Player, or Fusion must be installed. A PDF reader is also required. If students wish to examine evidence from their own Windows installation, they must have a decompression tool installed that can handle a wide variety of formats (tar, gzip, bzip2, RAR, etc.). 7-Zip and WinRAR meet these criteria and are free.