Certified Cyber Forensics & Incident Response Essentials

Workshop Duration: 2 days
Date: 19 & 20 November 2015
Venue: The Leela, Mumbai

Price: INR 25,000

Description:

"In describing the advanced persistent threat (APT) and advanced adversaries, many experts have said, 'There are people smarter than you, who have more resources than you, and who are coming for you. Good luck with that.' They were not joking. The results over the past several years clearly indicate that hackers employed by nation-states and organized crime are racking up success after success. The APT has compromised hundreds of organizations. Organized crime organizations using botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholder reports. In other words, the enemy is getting better and bolder, and their success rate is impressive.

We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensics investigators. We need lethal digital forensics experts who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. This 2-day Forensics and Incident Response course is crucial training for you to become the lethal forensics investigator and incident responder who can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best."

Workshop Agenda:

Enterprise Incident Response

  • Real Incident Response Tactics

    • Preparation: Key tools, techniques, and procedures an incident response team needs to properly respond to intrusions
    • Identification: Proper scoping of an incident and detecting all compromised systems in the enterprise
    • Containment: Identification of exactly how the breach occurred and what was stolen
    • Eradication: Determining the key steps that must be taken to help stop the current incident
    • Recovery: Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise
    • Lessons Learned
  • Threat and Adversary Intelligence
    • Importance of Cyber Threat Intelligence
    • Understanding the "Kill Chain"
    • Threat Intelligence Creation and Use During Incident Response
    • Incident Response Team Life-Cycle Overview
    • Incident and Malware Detection - All Activity across a Specific System
    • Enterprise Incident Response/Forensics - Specific Activity across All Systems
  • Remote and Enterprise Incident Response
    • Remote System Access in the Enterprise
    • Remote System Host-Based Analysis
    • Scalable Host-Based Analysis (one analyst examining 1,000 systems)
    • Remote Memory Analysis
  • Windows Live Incident Response
    • Live Incident Response Kit and Tools
    • Volatile Data Collection
    • Comparison of Key Data Collected via Live Collection, Static Drive, and Memory Analysis Techniques
    • Auto-Start Malware Persistence Checks
    • Trusted Windows Command Shells
    • Finding Evil: Automating Collection across the Enterprise
    • Remote Command Shell Usage - PsExec
    • Incident Response Using PowerShell
    • Live Response Key Tools

Memory Forensics in Incident Response

  • Memory Acquisition
    • Acquisition of System Memory from both Windows 32/64 Bit Systems
    • Hibernation and Pagefile Memory Extraction and Conversion
    • Virtual Machine Memory Acquisition
  • Memory Forensics Analysis Process
    • Identify Rogue Processes
    • Analyze Process DLLs and Handles
    • Review Network Artifacts
    • Look for Evidence of Code Injection
    • Check for Signs of a Rootkit
    • Acquire Suspicious Processes and Drivers
  • Memory Forensics Examinations
    • Live Memory Forensics
    • Memory Analysis Techniques with Redline
    • Advanced Memory Analysis with Volatility
    • Code Injection, Malware, and Rootkit Hunting in Memory
    • Perform In-memory Windows Registry Examinations
    • Extract Typed Adversary Command Lines
    • Investigate Windows Services
    • Find and Dump Cached Files from RAM
    • Dumping Hashes and Credentials from Memory
  • Memory Analysis Tools
    • Rekall
    • Volatility
    • Redline
    • MoonSols Windows Memory Toolkit

Timeline Analysis

  • Timeline Analysis Overview
    • Timeline Benefits
    • Prerequisite Knowledge
    • Finding the Pivot Point
    • Timeline Context Clues
    • Timeline Analysis Process
  • Memory Analysis Timeline Creation
    • Memory Timelining
  • Filesystem Timeline Creation and Analysis
    • MACB Meaning by Filesystem (NTFS vs. FAT)
    • Windows Time Rules (File Copy vs. File Move)
    • Filesystem Timeline Creation Using Sleuthkit and fls
    • Bodyfile Analysis and Filtering Using the mactime Tool
  • Super Timeline Creation and Analysis
    • Super Timeline Artifact Rules
    • Program Execution, File Knowledge, File Opening, File Deletion
    • Timeline Creation with log2timeline
    • log2timeline Input Modules
    • log2timeline Output Modules
    • Filtering the Super Timeline Using l2t_process
    • Targeted Super Timeline Creation
    • Automated Super Timeline Creation
    • Super Timeline Analysis
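The filesystem-timeline items above name the Sleuth Kit tools (fls to emit a bodyfile, mactime to turn it into a MACB timeline) without showing what that conversion does. The following is an added example, not course material and not Sleuth Kit code, that performs the mactime step in plain Python so the M/A/C/B flags are visible. It assumes the TSK 3.x bodyfile layout that `fls -m` produces (`MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`, times as Unix epoch seconds, 0 meaning unset); the three sample lines, their paths, inode strings and timestamps are constructed for the example.

```python
"""Build a mactime-style MACB timeline from a Sleuth Kit bodyfile.

Added example for the timeline section of the agenda; it is not course
material or Sleuth Kit code. Assumed input format (TSK 3.x, as `fls -m` emits):
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with timestamps as Unix epoch seconds and 0 meaning "not set".
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample bodyfile (paths, inodes and times are made up for the example).
SAMPLE_BODYFILE = """\
0|C:/Windows/Temp/update.exe|81234-128-1|r/rrwxrwxrwx|0|0|71680|1447914000|1447913980|1447913980|1447913980
0|C:/Users/alice/Documents/report.docx|55120-128-3|r/rrwxrwxrwx|0|0|20480|1447914010|1447400000|1447914030|1447400000
0|C:/Windows/Prefetch/UPDATE.EXE-1A2B3C4D.pf|90001-128-1|r/rrwxrwxrwx|0|0|8192|1447914005|1447914005|1447914005|1447914005
"""

# MACB order: M = modified (mtime), A = accessed (atime),
# C = metadata changed (ctime), B = born / created (crtime).
TIME_FIELDS = (("mtime", "M"), ("atime", "A"), ("ctime", "C"), ("crtime", "B"))


def parse_bodyfile(text):
    """Yield one dict per bodyfile line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
        yield {
            "name": name, "inode": inode, "mode": mode, "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        }


def build_timeline(entries, start=None, end=None):
    """Return rows (epoch, flags, size, inode, name) sorted by time.

    Each file contributes one row per distinct timestamp. Timestamps that
    coincide are merged into a single row whose four-character flag string
    shows which of M, A, C and B fired (a dot where one did not), the same
    presentation mactime uses. start/end (epoch seconds) restrict the window,
    which is the "filtering" step of bodyfile analysis.
    """
    rows = []
    for e in entries:
        by_time = defaultdict(set)
        for field, letter in TIME_FIELDS:
            t = e[field]
            if t == 0:
                continue  # unset timestamp, nothing to plot
            if start is not None and t < start:
                continue
            if end is not None and t > end:
                continue
            by_time[t].add(letter)
        for t, letters in by_time.items():
            flags = "".join(l if l in letters else "." for _, l in TIME_FIELDS)
            rows.append((t, flags, e["size"], e["inode"], e["name"]))
    rows.sort(key=lambda r: (r[0], r[4]))
    return rows


def format_row(row):
    """Render one timeline row with a UTC timestamp."""
    t, flags, size, inode, name = row
    stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"{stamp} {flags} {size:>8} {inode:<14} {name}"


if __name__ == "__main__":
    for row in build_timeline(parse_bodyfile(SAMPLE_BODYFILE)):
        print(format_row(row))
```

Reading the output the way the course's "pivot point" idea suggests: the executable's creation row (`M.CB`) and the Prefetch file's `MACB` row sit a few seconds apart, while the document shows a later `..C.` row with no matching `M`, a pattern the agenda's "Windows Time Rules" and "Timeline Anomalies" items are about recognising.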

Deep Dive Forensics & Anti-Forensics Detection

  • Advanced "Evidence of Execution" Artifacts
    • RecentFileCache.bcf /Amcache.hve
    • Application Compatibility Cache (ShimCache)
  • Windows 7/8 and Server 2008/2012 Volume Shadow Copy Analysis
    • Volume Shadow Copy Data Analysis
    • Acquiring Shadow Copy Volume Images
    • Raw and Live Shadow Copy Examination Using the SIFT Workstation
    • Creating and Analyzing Shadow Volume Timelines
  • Deep Dive Malware and Anti-Forensic Detection
    • Sleuthkit Toolset
    • File-Based Data Carving
      • Carving Key Files from a Compromised System (Malware, .rar Files, Prefetch Files, and Shortcut Files)
    • NTFS Filesystem Analysis
      • Master File Table (MFT) In Depth
      • NTFS System Files
      • NTFS Metadata Attributes ($Standard_Information, $Filename, $Data)
      • Rules of Windows Timestamps for $StdInfo and $Filename
      • NTFS Timestamps
      • Resident vs. Nonresident Files
      • Alternate Data Streams
      • Directory Listings and the $I30 file
      • Transaction Logging and the $Logfile and $UsnJrnl
      • What Happens When Data is Deleted from a NTFS Filesystem?
  • Anti-Forensic Detection Methodologies
    • MFT Anomalies
    • Timeline Anomalies
    • Deleted Files
    • Deleted Registry Keys
    • File Wiping
    • Clearing Browsing History
    • Privacy Cleaner
    • Adjusting Timestamps

Adversary and Malware Hunting

  • Adversary and Malware Hunting
    • Rapid Data Triage Analysis
    • Cyber Threat Intelligence & Indicators of Compromise (IOC) Searching
    • Evidence of Persistence
    • Super Timeline Examination
    • Packing/Entropy/Executable Anomaly/Density Checks
    • System Logs
    • Memory Analysis
    • Malware Identification
  • Methodology to Analyze and Solve Challenging Cases
    • Malware/Intrusion
    • Spear Phishing Attacks
    • Web Application Attacks/SQL Injection
    • Advanced Persistent Threat Actors
    • Detecting Data Exfiltration

Candidate Requirements:

  • Incident Response Team Leaders and Members who regularly respond to complex security incidents/intrusions from an APT group/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.

  • Security Operations Center (SOC) personnel and Information Security Practitioners who support hunt operations, seeking to identify attackers in their network environments.

  • Experienced Digital Forensic Analysts who want to consolidate and expand their understanding of file system forensics, investigating technically advanced individuals, incident response tactics, and advanced intrusion investigations.

  • System Administrators who are on the front lines defending their systems and responding to attacks.

  • Government, Intelligence and Security/Law Enforcement personnel who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.

  • Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.

You need to bring:

Bring your systems configured using this guide:

You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that also can install and run VMware virtualization products. For Macs, we recommend setting up Boot Camp and running Windows directly on your Mac. We have had challenges with VMware Fusion products with several exercises in class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware.
VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

System Hardware Requirements: 

  • CPU: 64-bit Intel i5 x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)

  • RAM: 8 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 8 GB of RAM or higher to get the most out of the course)

  • Host Operating System: Any version of Windows or Mac OSX that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note, those with Macs generally do better with Boot Camp installed and running Windows from your Mac. While it works on OSX, some students have experienced problems with VMware Fusion during the course.

  • Networking: Wireless 802.11b, g, n, or ac

  • USB 3.0 Port(s) - highly recommended

  • 200+ Gigabyte Host System Hard Drive minimum

  • 150 Gigabytes of Free Space on your System Hard Drive - Free Space on Hard Drive is critical.

  • The student should have the capability to have Local Administrator Access within their host operating system and BIOS settings

Systems Software Pre-Requirements:

  • Install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 (higher versions are okay)

  • Download and install 7-Zip

  • Microsoft Office (any version) with Excel installed on your host - Note you can download Office Trial Software online (free for 60 days)

  • If you are using an Apple Laptop/MacBook with OSX as your operating system, it is required that you additionally bring a Windows Virtual System (Win7 or Win8 - Any Version) to class or install Boot Camp

Optional Item To Bring:

Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc.). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles or licensed software, you are free to use them.

Eligible Candidates:

  • Information Security Professionals
  • Anyone else interested in learning Cyber Forensics & Incident Response

Set Expectations:

  • Hands-on session

Trainer: Sachin Deodhar

Sachin is a CISSP, Cyber security analyst & Cyber conflict researcher with 14+ years of experience working with global consulting firms as well as directly with government and private sector companies/establishments in the UK, United States, Middle East and South Asia. He has been a speaker at many international conferences, including at the NATO Cooperative Cyber Defence Centre of Excellence.

Certificate: CISO Platform Certified Cyber Forensics & Incident Response Professional

CISO Platform will recognize you as a "Certified Cyber Forensics & Incident Response Professional".

Certificates will be handed to all attendees. Your attendance is mandatory. Buying a pass does not make you eligible for certification.
