This course is an expert-level, four-day training course designed for participants who are familiar with the principles of digital forensics and who want to expand their knowledge of advanced forensics and incident response techniques, and to leverage Magnet AXIOM, Magnet RAM Capture, Magnet Process Capture and third-party tools to improve their computer investigations in incident response cases.
Magnet AXIOM Incident Response Examinations (AX310) will give participants the knowledge and skills they need to track incidents in which unauthorized computer access and file usage have taken place on a computer system. The course uses third-party tools and Magnet AXIOM to explore the evidence in greater depth. Students learn about volatile data collection by building, in class, an incident response toolkit that captures volatile data, and they can take that toolkit with them for use beyond the classroom.
This course provides a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers. Students will conduct a static analysis of malware by building a virtual environment and using Kali Linux in that environment to sandbox the malware.
After the static analysis of the malware, students will activate the malware in the virtual environment and conduct a dynamic analysis, capturing packets during the activation in an attempt to gather information about the malware's command and control server. The captured network communication is then analyzed to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII, or send collected data back to the command and control server.
By searching through artifacts such as Windows Prefetch, SRUM, Amcache, Jump Lists, LNK files, Shimcache, MUICache, UserAssist, Windows Event Logs, and the NTFS $LogFile, participants will determine the initial attack vector of the malware and the chain of events that took place thereafter.
This course follows an actual intrusion into a computer network. During the course, Packet Capture (PCAP) files from the sniffer that was running on the network during the incident will be examined. The course also walks each student through creating their own Incident Response Toolkit that collects volatile data from a running computer, as well as RAM and process memory. Good forensic practices around the collection of volatile data and RAM and process captures will be discussed.

Starting in AXIOM 2.0, integration with the Volatility framework was added to increase the ability to parse RAM. Volatility works by first establishing the profile (the specific version of the operating system, such as Windows 10, 64-bit, version 1709) and then using plugins to recover information such as the process list.

During the course, instructors and students will conduct the static analysis of malware recovered from the suspect system in a virtual machine, using VirtualBox and Kali Linux. Students will also perform a dynamic analysis of the malware by executing it in the Windows environment it was designed to infect and recording the changes made to the infected system. Students will build a second virtual computer on the same closed network as the infected machine to act as a packet sniffer, watching for traffic from the malware when it tries to communicate with its command and control server or sends DNS requests to resolve the domain name embedded in the malware to an IP address.

Towards the end of the course, students will start putting together all the pieces they have learned: the Incident Response Toolkit, virtual machines, RAM, volatile data, file system data, and Registry information. In the final chapter, students will examine a second machine infected with malware using the techniques, tactics, and procedures learned during the first three and a half days of the course.
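The chain-of-events work described above comes down to normalising timestamps from several artifact sources (Prefetch, Amcache and UserAssist store Windows FILETIME values; exported event log records are usually ISO-8601) into one timeline, then pivoting from the earliest execution evidence for a suspect binary to what happened around it. The script below is an added illustration of that correlation step; it is not part of the AX310 course material or of Magnet AXIOM, and every record in it is a constructed sample value for a hypothetical host, not data from any real case.

```python
"""Added example, not part of the AX310 course material: correlate execution
artifacts from several Windows sources into one timeline, then pivot from the
earliest execution of a suspect binary to the events just before and after it.

All artifact records below are constructed sample values for a hypothetical
host; they do not come from any real investigation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Prefetch, Amcache and UserAssist store Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01T00:00:00Z.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass(frozen=True, order=True)
class Event:
    when: datetime
    source: str
    summary: str


# --- constructed sample artifacts (hypothetical host, hypothetical times) ---
EVENT_LOG = [  # exported Security/System records, already ISO-8601 UTC
    {"time": "2018-03-14T10:12:41Z", "eid": 4624,
     "msg": "Logon type 10 (RemoteInteractive), user jsmith from 10.0.0.25"},
    {"time": "2018-03-14T10:16:05Z", "eid": 4720,
     "msg": "User account created: svc_backup"},
    {"time": "2018-03-14T10:17:30Z", "eid": 7045,
     "msg": "Service installed: WinUpdateSvc, C:\\Windows\\Temp\\upd.exe"},
]
PREFETCH = [  # executable name and last-run FILETIME
    {"exe": "NOTEPAD.EXE", "last_run": 131654934000000000},      # 09:30:00Z
    {"exe": "INVOICE.PDF.EXE", "last_run": 131654961000000000},  # 10:15:00Z
]
AMCACHE = [  # full path and first-seen FILETIME
    {"path": "C:\\Users\\jsmith\\Downloads\\invoice.pdf.exe",
     "first_seen": 131654960980000000},                          # 10:14:58Z
]
USERASSIST = [  # ROT13-decoded value name and last-executed FILETIME
    {"name": "C:\\Users\\jsmith\\Downloads\\invoice.pdf.exe",
     "last_run": 131654961000000000},                            # 10:15:00Z
]

EXECUTION_SOURCES = {"Prefetch", "Amcache", "UserAssist"}


def build_timeline() -> List[Event]:
    """Normalise every artifact record to an Event and return them in time order."""
    events = []
    for r in EVENT_LOG:
        when = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        events.append(Event(when, "EventLog", f"EID {r['eid']}: {r['msg']}"))
    for r in PREFETCH:
        events.append(Event(filetime_to_datetime(r["last_run"]), "Prefetch",
                            f"last run: {r['exe']}"))
    for r in AMCACHE:
        events.append(Event(filetime_to_datetime(r["first_seen"]), "Amcache",
                            f"first seen: {r['path']}"))
    for r in USERASSIST:
        events.append(Event(filetime_to_datetime(r["last_run"]), "UserAssist",
                            f"last run: {r['name']}"))
    return sorted(events)  # Event ordering is (when, source, summary)


def first_execution(timeline: List[Event], exe_name: str) -> Optional[Event]:
    """Earliest execution-evidence artifact mentioning exe_name (case-insensitive)."""
    needle = exe_name.lower()
    for ev in timeline:
        if ev.source in EXECUTION_SOURCES and needle in ev.summary.lower():
            return ev
    return None


def events_around(timeline: List[Event], pivot: datetime,
                  before_min: int, after_min: int) -> List[Event]:
    """Events within [pivot - before_min, pivot + after_min] minutes."""
    lo = pivot - timedelta(minutes=before_min)
    hi = pivot + timedelta(minutes=after_min)
    return [ev for ev in timeline if lo <= ev.when <= hi]


if __name__ == "__main__":
    tl = build_timeline()
    hit = first_execution(tl, "invoice.pdf.exe")
    print("earliest execution evidence:", hit)
    for ev in events_around(tl, hit.when, 5, 5):
        print(ev.when.isoformat(), ev.source, ev.summary)
```

Run as is, the pivot lands on the Amcache first-seen entry, and the five-minute window before it surfaces the remote-interactive logon, which is the kind of initial-access candidate the artifact review is meant to expose; the window after it shows the account creation and service install that follow the execution.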
Training Course Registration Terms and Conditions
By registering, you agree that you have read and agree to the terms and conditions outlined in the following URL: https://www.magnetforensics.com/training-course-registration-terms-conditions/
Select from the sessions below to register.