On This Page

Practical Incident Response With Digital Forensics & Malware Analysis

Internet Initiative Japan Inc. | August 4-7



Overview

Digital forensics and incident response are indispensable techniques to protect organizations from attacks. Furthermore, in recent years, many malware related attacks have occurred in enterprise environments, so you need deep knowledge and analysis techniques for malware and attack tools used via the malware as well. For example, a RAT has a file uploading function to an infected host. When a file is uploaded, the malware creates a temporary file which the name ends with ".tmp" extension with the original name. If you determine this by malware analysis, you can discover the file which the attackers sent by analyzing the NTFS journal file. This is why we believe malware analysis is needed.

In this course, we provide a virtual enterprise environment for investigation and targeted attack scenarios against that environment, in order to learn all these techniques. The attack scenario is based on actual incidents. For example, attackers exploit a client PC and downloads RAT malware. Then the attackers gain administrator rights and execute Mimikatz to get higher credentials and to generate the "Golden Ticket" moving laterally. Finally, they steal victim's confidential documents. Hence, attendees can achieve the same result as solving actual cases through our scenario. We also provide additional artifacts applied in some attacks which are not included within our scenario. This learning will give attendees the experience and knowledge necessary for solving many cases.

Our training course offers the latest supported windows versions (Windows 7/8.1/10, Server 2012 R2/2016) as HDD/memory images for investigation. We also provide a pre-built analysis VM, outputs of analysis tools and IDC/IDAPython script templates for IDA Pro so that participants can learn a lot of things efficiently without setting up analysis tools or waiting until the completion of tools execution. This allows participants to experience more than 100 artifacts and exercises. You will have almost the same knowledge as the instructors' one by the end of this course.

COURSE OUTLINE

Day 1:
  • 1. Overview
  • 2. Acquisition
    • Acquisition Procedures
    • HDD Imaging Tools
    • Memory Imaging Tools
  • 3. Disk Image Mounting and Parsing
    • Disk Image Mounting Tools
    • Disk Image Parsing Tools
  • 4. Persistence Analysis
    • Autoruns (Run keys, Startups, Services ...)
    • Autoruns Offline Analysis Tips
    • WMI
    • Scheduled Tasks
  • 5. Malware Analysis
    • Surface Analysis (Calculating Hashes, Parsing Headers, Examining Imported Modules and APIs)
    • Dynamic Analysis 1: Execution and Observation (Capturing Registry, File, and Network I/O Activities, Identifying C2 Servers, Acquiring Malware's Characteristics)
    • Dynamic Analysis 2: Preparation for Reverse Engineering (Unpacking Malware, Tracing Process Hollowing)

Day 2:
  • 5. Malware Analysis (Cont.)
    • Reverse Engineering Malware with Automated Scripts (Finding String Decode Routines and Obtaining Decoded Strings, Finding Dispatch Routines, Identifying Capabilities)
  • 6. Live Forensics/Response
    • Autoruns Online Analysis
    • Anti-Autoruns and Anti-Anti-Autoruns Techniques
    • Examining Process Tree With Process Explorer/Hacker
    • Finding Malicious Modules and Injected Code With Process Explorer/Hacker
    • Analyzing Strings in Process Memory
  • 7. Root Cause Analysis
    • Proxy Log Analysis
    • Investigating Web Browser Activities (Parsing History and Cache, Recovering History Records)
    • Email Forensics (Parsing Mailboxes, Investigating Headers and Attachments)
    • Investigating File/Folder Open/Save Activities (Internet Explorer History, Shellbags, Recent Docs ...)
    • Analyzing Task Scheduler/AT

Day 3:
  • 7. Root Cause Analysis (Cont.)
    • Exploits Analysis (Identifying Vulnerabilities)
  • 8. Investigating Lateral Movements
    • Program Execution Artifacts (Prefetch, Shimcache, Amcache.hve ...)
    • Event Log Analysis (PowerShell Events, Task Scheduler Events, Remote Logon Events ...)
    • Analyzing PowerShell Attacks
    • Analyzing Attack Tools
  • 9. Timeline Analysis
    • Parsing Metadata Information ($MFT, $Logfile, $UsnJrnl:$J)
    • Building Timeline With Registry Keys

Day 4:
  • 9. Timeline Analysis (Cont.)
  • 10. Finding Leaked Information and Recovering Lost Data
    • File Access Related Artifacts (File sharing Events, MountPoints 2, USB Related Artifacts)
    • Recovering and Analyzing Lost Data (RecycleBin, MFT, VSS, File/Per-Record Carving)
    • Keyword Search (Finding Out Evidence for Attack Tools' Execution, Passphrases for Encrypted Archives Such As RAR and 7zip)
  • 11. Discussion for Various Important Registry Keys
  • 12. Memory Forensics
    • Examining Processes and TCP/IP Communications
    • Finding Malicious Code Injection
    • Acquiring Malware Configurations
    • Examining OS Artifacts in Memory
  • 13. Wrap Up

Who Should Take this Course

Incident responders, Forensic Investigators, Malware Analysts, SOC team members, CSIRT members and IT admins.

Student Requirements

Students must have:
  • a working understanding of Windows OS (file system, registry and command-line)
  • basic knowledge of Active Directory and Windows security architectures
  • TCP/IP fundamentals
  • programing experiences (LLs such as python and perl are acceptable)
  • x86/x64 architecture fundamentals (CPU, register, memory, and how program and OS work)
  • a working understanding of VMware/VirtualBox (importing VMs, handling snapshots, modifying configurations)

What Students Should Bring

A laptop with the following minimum specifications:
  • Hardware:
    • 2.0+ GHz, multi-core CPU
    • 8+ GB of RAM
    • 50+ GB of disk space (We recommend SSD)
    • At least one USB 3.0 port (not USB type-C) and you must have a physical access permission for the USB port
    • IMPORTANT: We will provide all materials on a portable USB HDD.
    • A wireless network interface card
  • Software:
    • Windows OS (7+) / macOS (10.12+) as a host OS with administrator rights
    • VMware Workstation (12+) / Fusion (8+) or VirtualBox (5.1+)
    • Full access rights for USB devices

What Students Will Be Provided With

We provide course slides, a pre-built analysis VM, disk/memory images for investigation and additional artifacts. Those are included in a portable 2.5 inch HDD with USB 3.0.

HDD/memory images for investigation are:
  • Windows Servers
  • Windows Server 2016 (Active Directory Server)
  • Windows Server 2012 R2 (File Server)
  • Windows Clients
  • Windows 10 Pro x64
  • Windows 8.1 Pro x64
  • Windows 7 Professional x86

Trainers

Hiroshi Suzuki is a malware analyst, a forensic investigator and an incident responder, working for a Japanese ISP company, Internet Initiative Japan Inc. He is a member of IIJ-SECT that is a private CSIRT on his company. His main jobs include analyzing malware and vulnerabilities, observing malware activities, threat intelligence for cyber espionage groups, digital forensics, and incident response for his company and his customers. Especially, he is interested in targeted attacks and those RATs or those attack tools, such as PlugX, Mimikatz and so on. He has over 12 years dedicated to those areas. He is a speaker and a hands-on trainer for international conferences such as Black Hat and FIRST.

Hisao Nashiwa is a threat analyst, working for Internet Initiative Japan as a CSIRT member of the company. His main jobs include incident response, analyzing malware and analyzing network traffic, observing malicious activities over nine years. He is researching cyber crimes such as exploit kits and malware. He has five years of experience and knowledge in analyzing malware. He is a speaker and a trainer for international conferences such as FIRST.

Minoru Kobayashi has over 15 years' experience in the information security field. He works for Internet Initiative Japan Inc. as a forensic investigator and a CSIRT member of the company. His primary research themes are related to digital forensics tools such as libvshadow, attacking tools such as Mimikatz, and Windows features such as VSS. He is also interested in incident response, network security, malware analysis, and so on. He has been a speaker and a trainer at Mauritius 2016 FIRST TC, Osaka 2018 FIRST TC, and several information security events/conferences. He also holds CISSP certification.