Magnet Forensics

AX310 CIL - AXIOM INCIDENT RESPONSE EXAMINATIONS (Classroom Instructor-Led)

AX310 is an expert-level, four-day training course designed for participants who are familiar with the principles of digital forensics and who want to expand their knowledge of advanced forensics and incident response techniques, and to leverage Magnet AXIOM, Magnet RAM Capture, Magnet Process Capture and third-party tools to improve their computer investigations in an incident response context.

Magnet AXIOM Incident Response Examinations (AX310) gives participants the knowledge and skills they need to track incidents in which unauthorized computer access and file usage have taken place on a computer system. The course uses third-party tools and Magnet AXIOM to explore the evidence in greater depth. Students learn about volatile data collection by building, in class, an incident response toolkit that captures volatile data, which they can take with them for use beyond the classroom.

The course provides a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers. Students conduct a static analysis of malware by building a virtual environment and using Kali Linux in that environment to sandbox the malware.

After the static analysis, students activate the malware in the virtual environment and conduct a dynamic analysis, capturing packets during activation in an attempt to recover information about the malware's command and control server. The captured network communication is then analyzed to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII, or send collected data back to the command and control server.

By searching through artifacts such as Windows Prefetch, SRUM, Amcache, Jump Lists, LNK files, ShimCache, MUICache, UserAssist, Windows Event Logs and the $LogFile, participants determine the initial attack vector of the malware and the chain of events that followed.

This course follows an actual intrusion into a computer network. Packet capture (PCAP) files from the sniffer that was running on the network during the incident are examined. The course also walks each student through creating their own incident response toolkit to collect volatile data from a running computer, as well as RAM and process memory. Good forensic practices for the collection of volatile data and for RAM and process captures are discussed.

Starting in AXIOM 2.0, integration with the Volatility framework was added to improve the ability to parse RAM. Volatility works by first establishing the profile (the specific version of the operating system, such as Windows 10, 64-bit, version 1709) and then using plugins to recover information such as the process list.

During the course, instructors and students conduct a static analysis of malware recovered from the suspect system in a virtual machine using VirtualBox and Kali Linux. Students also perform a dynamic analysis of the malware by executing it in the Windows environment it was designed to infect and recording the changes made to the infected system. Students build a virtual computer on the same closed network as the infected machine to act as a packet sniffer, watching for traffic from the malware when it tries to communicate with the command and control server or sends DNS requests to resolve the DNS name embedded in the malware to an IP address.

Towards the end of the course, students start putting together everything they have learned: the incident response toolkit, virtual machines, RAM, volatile data, file system data and Registry information. In the final chapter, students examine a second machine infected with malware using the techniques, tactics and procedures learned during the first three and a half days of the course.

Training Course Registration Terms and Conditions

By registering, you confirm that you have read and agree to the terms and conditions outlined at the following URL: https://www.magnetforensics.com/training-course-registration-terms-conditions/

Select from the sessions below to register.

AX310 - AXIOM Incident Response Examinations (Classroom Instructor-Led)

AX310 Nashville, TN - March 29 - April 1, 2019
  • Mar 29 9:00 AM to Mar 29 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 623 Union Street, Nashville, Tennessee 37219 USA (Studio 4 - 4th Floor)
    Instructor: Patrick Beaver
  • Mar 30 9:00 AM to Mar 30 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 623 Union Street, Nashville, Tennessee 37219 USA
    Instructor: Patrick Beaver
  • Mar 31 9:00 AM to Mar 31 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 623 Union Street, Nashville, Tennessee 37219 USA
    Instructor: Patrick Beaver
  • Apr 01 9:00 AM to Apr 01 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 623 Union Street, Nashville, Tennessee 37219 USA
    Instructor: Patrick Beaver
32 of 35 seats available
AX310 Herndon, VA - April 30 - May 3, 2019
  • Apr 30 9:00 AM to Apr 30 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Patrick Beaver
  • May 01 9:00 AM to May 01 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Patrick Beaver
  • May 02 9:00 AM to May 02 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Patrick Beaver
  • May 03 9:00 AM to May 03 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Patrick Beaver
18 of 20 seats available
AX310 Anaheim, CA - May 21-24, 2019
  • May 21 9:00 AM to May 21 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Christopher Vance
  • May 22 9:00 AM to May 22 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Christopher Vance
  • May 23 6:00 AM to May 23 2:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 1900 S State College Blvd, Ste 100 Anaheim, CA 92806-6136
    Instructor: Christopher Vance
  • May 24 9:00 AM to May 24 5:00 PM ((UTC-08:00) Pacific Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Christopher Vance
13 of 15 seats available
AX310 Princes Risborough, UK - June 18-21, 2019
  • Jun 18 8:30 AM to Jun 18 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Jun 19 8:30 AM to Jun 19 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Jun 20 8:30 AM to Jun 20 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
  • Jun 21 8:30 AM to Jun 21 4:30 PM ((UTC+00:00) Dublin, Edinburgh, Lisbon, London)
    Location: Avatu, Unit E2 Regent Park, Summerleys Rd, Princes Risborough HP27 9LE
    Instructor: Saige Derhak
10 of 12 seats available
AX310 Herndon, VA - August 6-9, 2019
  • Aug 06 9:00 AM to Aug 06 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 07 9:00 AM to Aug 07 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 08 9:00 AM to Aug 08 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Aug 09 9:00 AM to Aug 09 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
20 of 20 seats available
AX310 Herndon, VA - September 24-27, 2019
  • Sep 24 9:00 AM to Sep 24 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 25 9:00 AM to Sep 25 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 26 9:00 AM to Sep 26 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Sep 27 9:00 AM to Sep 27 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
20 of 20 seats available
AX310 Herndon, VA - November 5-8, 2019
  • Nov 05 9:00 AM to Nov 05 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 06 9:00 AM to Nov 06 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 07 9:00 AM to Nov 07 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
  • Nov 08 9:00 AM to Nov 08 5:00 PM ((UTC-05:00) Eastern Time (US & Canada))
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Saige Derhak
20 of 20 seats available