Magnet Forensics

AX310 CIL - AXIOM INCIDENT RESPONSE EXAMINATIONS (Classroom Instructor-Led)

This course is an expert-level, four-day training course designed for participants who are familiar with the principles of digital forensics and who want to expand their knowledge of advanced forensics and incident response techniques, and to leverage Magnet AXIOM, Magnet RAM Capture, Magnet Process Capture, and third-party tools to improve their computer investigations in relation to incident response.

Magnet AXIOM Incident Response Examinations (AX310) will give participants the knowledge and skills they need to track incidents in which unauthorized computer access and file usage has taken place on a computer system. The course uses third-party tools and Magnet AXIOM to explore the evidence in greater depth. Students learn about volatile data collection by building, in class, an incident response toolkit that captures volatile data; they can take this toolkit with them for use beyond the classroom.

In this course, a deeper understanding of investigating incidents involving malware and network intrusions into Windows computers will be provided. Students will conduct a static analysis of malware by building a virtual environment and using Kali Linux in that environment to sandbox the malware.

After the static analysis of the malware, students will activate the malware in the virtual environment and conduct a dynamic analysis, capturing packets during the malware activation in an attempt to gather information about its command and control server. An analysis of the captured network communication will then be conducted to determine what the malware is designed to do, such as spread laterally on the network, escalate user privileges, create new users, search for PII, or send collected data back to the command and control server.

By searching through artifacts such as Windows Prefetch, SRUM, Amcache, Jump Lists, LNK files, ShimCache, MUICache, UserAssist, Windows Event Logs, and the $LogFile, participants will determine the initial attack vector of the malware and the chain of events that took place thereafter.

This course follows an actual intrusion into a computer network. During the course, Packet Capture (PCAP) files from the sniffer that was running on the network during the incident will be examined. The course also walks each student through creating their own Incident Response Toolkit, which collects volatile data from a running computer as well as RAM and process memory. Good forensic practices around the collection of volatile data and RAM and process captures will be discussed.

Starting in AXIOM 2.0, integration with the Volatility framework was added to improve the ability to parse RAM. Volatility works by first establishing the profile (the specific version of the operating system, such as Windows 10, 64-bit, version 1709) and then using plugins to recover information such as the process list.

During this course, instructors and students will conduct the static analysis of malware recovered from the suspect system in a virtual machine using VirtualBox and Kali Linux. Students will also perform a dynamic analysis of the malware by executing it in the Windows environment it was designed to infect and recording the changes made to the infected system. Students will also build a virtual computer on the same closed network as the infected machine to act as a packet sniffer, looking for traffic from the malware when it tries to communicate with the command and control server or sends DNS requests to resolve the domain name embedded in the malware to an IP address.

Towards the end of the course, students will start putting together all the pieces they have learned: the Incident Response Toolkit, virtual machines, RAM, volatile data, file system data, and Registry information. In the final chapter, students will examine a second machine infected with malware using the techniques, tactics, and procedures learned during the first three and a half days of the course.

Training Course Registration Terms and Conditions

By registering, you confirm that you have read and agree to the terms and conditions outlined at the following URL: https://www.magnetforensics.com/training-course-registration-terms-conditions/

Select from the sessions below to register.

AX310 - AXIOM Incident Response Examinations (Classroom Instructor-Led)

AX310 Las Vegas, NV - July 21-24, 2020
  • Jul 21 9:00 AM to Jul 21 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: 400 South Martin Luther King Las Vegas, NV 89106
    Instructor: Magnet Training
  • Jul 22 9:00 AM to Jul 22 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: 400 South Martin Luther King Las Vegas, NV 89106
    Instructor: Chris Vance
  • Jul 23 9:00 AM to Jul 23 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: 400 South Martin Luther King Las Vegas, NV 89106
    Instructor: Chris Vance
  • Jul 24 9:00 AM to Jul 24 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: 400 South Martin Luther King Las Vegas, NV 89106
    Instructor: Chris Vance
17 of 18 seats available
AX310 Herndon, VA - August 25-28, 2020
  • Aug 25 9:00 AM to Aug 25 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Aug 26 9:00 AM to Aug 26 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Aug 27 9:00 AM to Aug 27 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Aug 28 9:00 AM to Aug 28 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
14 of 20 seats available
AX310 Anaheim, CA - September 22-25, 2020
  • Sep 22 9:00 AM to Sep 22 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: New Horizons CLC of SoCal - Gardena, CA 1515 W 190th St Suite 430 Gardena, CA 90248
    Instructor: Chris Vance
  • Sep 23 9:00 AM to Sep 23 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: New Horizons CLC of SoCal - Gardena, CA 1515 W 190th St Suite 430 Gardena, CA 90248
    Instructor: Chris Vance
  • Sep 24 9:00 AM to Sep 24 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: New Horizons CLC of SoCal - Gardena, CA 1515 W 190th St Suite 430 Gardena, CA 90248
    Instructor: Chris Vance
  • Sep 25 9:00 AM to Sep 25 5:00 PM ((UTC-08:00) Pacific Time (US & Canada) )
    Location: New Horizons CLC of SoCal - Gardena, CA 1515 W 190th St Suite 430 Gardena, CA 90248
    Instructor: Chris Vance
18 of 20 seats available
AX310 Herndon, VA - October 27-30, 2020
  • Oct 27 9:00 AM to Oct 27 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Oct 28 9:00 AM to Oct 28 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Oct 29 9:00 AM to Oct 29 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
  • Oct 30 9:00 AM to Oct 30 5:00 PM ((UTC-05:00) Eastern Time (US & Canada) )
    Location: 2250 Corporate Park Drive, Suite 130, Herndon, VA 20171
    Instructor: Magnet Training
20 of 20 seats available