Magnet Forensics

AX310 CIL - AXIOM INCIDENT RESPONSE EXAMINATIONS (Classroom Instructor-Led)

This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to expand their knowledge of advanced forensics and incident response techniques, and to leverage Magnet AXIOM, Magnet RAM Capture, Magnet Process Capture, and third-party tools to improve their computer investigations in relation to incident response.

Magnet AXIOM Incident Response Examinations (AX310) will give participants the knowledge and skills they need to track incidents where unauthorized computer access and file usage has taken place on a computer system. This course uses third-party tools and Magnet AXIOM to explore the evidence in greater depth. Participants learn about volatile data collection by building, in class, an incident response toolkit that captures volatile data, and which they can take with them for use beyond the classroom.

In this course, a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers will be provided. Students will conduct a static analysis of malware by building a virtual environment and using Kali Linux in that environment to sandbox the malware.

After the static analysis of the malware, students will activate the malware in the virtual environment and conduct a dynamic analysis, capturing packets during the malware activation in an attempt to recover information about its command and control server. An analysis of the captured network communication will then be conducted to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII, or send collected data back to the command and control server.

By searching through artifacts like Windows Prefetch, SRUM, AMCACHE, Jumplists, LNK files, SHIMCACHE, MUICACHE, UserAssist, Windows Event logs, and the $LogFile, participants will determine the initial attack vector of the malware and the chain of events that took place thereafter.

This course follows an actual intrusion into a computer network. During this course, Packet Capture (PCAP) files from the sniffer running on the network during the incident will be examined. This course also walks each student through creating their own Incident Response Toolkit that will collect volatile data from a running computer as well as RAM and process memory. Good forensic practices will be discussed around the collection of volatile data as well as RAM and process captures.

Starting in AXIOM 2.0, integration with the Volatility framework was added to increase the ability to parse RAM. Volatility works by first establishing the profile (the specific version of the operating system, such as Windows 10, 64-bit, version 1709) and then using plugins to recover information such as the process list.

During this course, instructors and students will conduct the static analysis of malware recovered from the suspect system in a virtual machine using VirtualBox and Kali Linux. Students will also perform a dynamic analysis of the malware by executing it in the Windows environment it was designed to infect and recording the changes made to the infected system. Students will also build a virtual computer on the same closed network as the infected machine to act as a packet sniffer, looking for traffic from the malware when it tries to communicate with the command and control server or sends DNS requests to resolve the domain name embedded in the malware to an IP address.

Towards the end of this course, students will start putting together all the pieces they have learned: the Incident Response Toolkit, virtual machines, RAM, volatile data, file system data, and Registry information. In the final chapter of this course, students will examine a second machine infected with malware using the techniques, tactics, and procedures learned through the first three and a half days of this course.
Training Course Registration Terms and Conditions
By registering, you agree that you have read and agree to the terms and conditions outlined at the following URL: https://www.magnetforensics.com/training-course-registration-terms-conditions/

Select from the sessions below to register.

AX310 - AXIOM Incident Response Examinations (Classroom Instructor-Led)

06Aug AX310 Herndon, VA - August 6-9, 2019
  • Aug 06 9:00 AM to Aug 06 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 07 9:00 AM to Aug 07 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 08 9:00 AM to Aug 08 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 09 9:00 AM to Aug 09 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
14 of 20 seats available
10Sep AX310 Anaheim, CA - September 10-13, 2019
  • Sep 10 9:00 AM to Sep 10 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Chris Vance
  • Sep 11 9:00 AM to Sep 11 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Chris Vance
  • Sep 12 9:00 AM to Sep 12 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Chris Vance
  • Sep 13 9:00 AM to Sep 13 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Chris Vance
14 of 15 seats available
17Sep AX310 Phoenix, AZ - September 17-20, 2019
  • Sep 17 9:00 AM to Sep 17 5:00 PM ((UTC-07:00) Mountain Time (US & Canada))
    Location: 3033 N 3rd Ave Phoenix, AZ 85013
    Instructor: Hoyt Harness
  • Sep 18 9:00 AM to Sep 18 5:00 PM ((UTC-07:00) Mountain Time (US & Canada))
    Location: 3033 N 3rd Ave Phoenix, AZ 85013
    Instructor: Chris Vance
  • Sep 19 9:00 AM to Sep 19 5:00 PM ((UTC-07:00) Mountain Time (US & Canada))
    Location: 3033 N 3rd Ave Phoenix, AZ 85013
    Instructor: Chris Vance
  • Sep 20 9:00 AM to Sep 20 5:00 PM ((UTC-07:00) Mountain Time (US & Canada))
    Location: 3033 N 3rd Ave Phoenix, AZ 85013
    Instructor: Chris Vance
6 of 18 seats available
24Sep AX310 Herndon, VA - September 24-27, 2019
  • Sep 24 9:00 AM to Sep 24 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 25 9:00 AM to Sep 25 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 26 9:00 AM to Sep 26 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 27 9:00 AM to Sep 27 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
13 of 20 seats available
05Nov AX310 Herndon, VA - November 5-8, 2019
  • Nov 05 9:00 AM to Nov 05 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 06 9:00 AM to Nov 06 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 07 9:00 AM to Nov 07 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 08 9:00 AM to Nov 08 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
17 of 20 seats available
10Dec AX310 Princes Risborough, UK - December 10-13, 2019
  • Dec 10 8:30 AM to Dec 10 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Dec 11 8:30 AM to Dec 11 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Dec 12 8:30 AM to Dec 12 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Dec 13 8:30 AM to Dec 13 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
11 of 12 seats available