Advanced Digital Forensics
09:00 - 17:00
The price includes: the course material in electronic format and a certificate of participation.
Module 1 - Virtual machines with specific capabilities (SIFT Workstation).
Lab 1 - Configuration, templates, installed programs, basic utilities for the SIFT Workstation virtual machine.
Module 2 - Incident response methodology: preparation, identification, analysis, eradication, recovery, knowledge.
Intelligence in the field of cyber threats: understanding the Kill Chain concept, the life cycle of the incident response team, in-depth understanding of investigations and cyber incident response, specific activities at the enterprise level.
Lab 2 - Preparation, identification, analysis, eradication, recovery, knowledge of incidents.
Module 3 - Methodology for investigating digital intrusions: volatile evidence, level of volatility, order of processes in response to incidents, tracking the activity of hackers step by step, data recovery.
Lab 3 - Investigation of digital intrusions. Windows XP Restore Point analysis.
Module 4 - Analysis of incident response systems: physical and logical installation of systems, their access and analysis remotely, scalable analysis, remote memory analysis.
Lab 4 - Analysis of local and remote incident response systems.
Module 5 - Real-time incident response in Windows
Tools and utilities, volatile data collection, comparison of important data collected through various methods, secure Windows command consoles, enterprise-wide data collection automation, remote use of the command console, incident response via WMIC, real-time response using Triage-IR and FGET, identification of the ways in which malware ensures its persistence.
Lab 5 - Incidents in Windows
Module 6 - Memory Acquisitions: 32-bit and 64-bit system memory acquisitions, extracting and converting pagefile.sys and hiberfil.sys files, acquiring memory from virtual machines.
Lab 6 - Memory acquisitions in Windows. In-depth investigations: file system-based analysis, knowledge of the Sleuthkit utility set, data partition or volume analysis, data-level analysis, stream-based data carving, file-based data carving, NTFS and FAT file system analysis.
Module 7 - The process of memory analysis
Identification of malicious processes, analysis of DLLs and process handles, analysis of processes at the network level, detection of samples and injected code, detection of traces of a rootkit program, acquisition of suspicious processes and drivers.
Lab 7 - Memory Analysis.
Module 8 - Examinations and investigations of memory:
real-time investigations of memory, memory analysis techniques using the Redline utility, advanced memory analysis using the Volatility utility, examination of the registry, memory timelining, parsing of event log structures resident in memory.
Lab 8 - Memory Investigation. Analysis of Volume Shadow Copy backups made in Windows 7/8, Server 2008/2012.
Module 9 - Getting started with the timeline concept: benefits, important aspects regarding the timeline concept, finding the starting point of incidents, contextual clues in the timeline, the timeline analysis process.
Lab 9 - Creating and analyzing the file system timeline: differences between the ways of recording temporal metadata (MAC times) in NTFS and FAT file systems, rules for recording temporal metadata in Windows, creating the timeline at the file system level using the Sleuthkit and fls utilities. Advanced knowledge of the log2timeline utility.
Module 10 - Stages of detecting an unknown malware
Data reduction, data carving, search for indicators of compromise, automated memory analysis, persistence tests, supertimeline examination, packing / entropy / density checks, system logs, manual memory analysis, automated malware search methods, file table anomalies, timeline anomalies.
Lab 10 - Detecting an unknown malware.
Module 11 - Methods for detecting anti-forensics techniques: deleted files, deleted records from the Windows Registry database, overwriting files, cleaning web history, confidential data deletion utilities, modifying temporal metadata.
Lab 11 - Application of anti-forensics techniques
Module 12 - Methodologies for analyzing and solving real cases, such as: malicious programs, intrusions, spear phishing attacks, SQL injection, APT initiators, detection of data leakage.
Lab 12 - Using the SQL injection methodology.