• Start page
  • Courses
  • MasterClass: System Forensics, Incident Handling And Threat Hunting

Masterclass: System Forensics, Incident Handling And Threat Hunting

Forensics and Incident Handling are constantly evolving and crucial topics in the area of cybersecurity. In order to stay on top of the attackers, the knowledge of Individuals and Teams responsible for collecting digital evidences and handling the incidents has to be constantly enhanced and updated.

This advanced training provides skills necessary to find, collect and preserve data in a correct manner, analyze it and get to know as much about the incident as possible. This is an intense hands-on course covering the general approach to forensics and incident handling, network forensics, important aspects of Windows internals, memory and storage analysis, detecting indicators of compromise and a proper way of reporting.

Audience

The target audience for this training:
IT professionals, Forensics and Incident Handling Specialists, Security Consultants, Enterprise Administrators, Infrastructure Architects, Security Professionals, Systems Engineers, Network Administrators and other people responsible for implementing network and perimeter security.

 

About the instructor: Paula Januszkiewicz

Paula Januszkiewicz is a world-renowned cybersecurity Expert, a founder of CQURE and CQURE Academy, and Microsoft Regional Director and MVP.

CQURE has been providing cybersecurity services and trainings since it was set up in Warsaw in 2008. Throughout the years, our services have reached a wide range of clients around the world, which allowed us to open new offices in New York (2013), Dubai (2014), and Zug (2016).

CQURE Academy is primarily a training program consisting of over 40 high-quality technical workshops and seminars, and providing certification to specialists. Additionally, in October 2016 CQURE has successfully launched online and subscription-based trainings.

CQURE Experts speak at the international events and engage in multiple cybersecurity projects – they bring their knowledge and experience from the field to the trainings. CQURE Academy also involves R&D – that is why CQURE Team is so recognizable in the cybersecurity field.

Exercises

This course is based on practical knowledge from tons of successful projects, many years of real-world experience and no mercy for misconfigurations or insecure solutions!

Examples of tools, software and examples used during the course include Belkasoft RAM Capturer, Wireshark and Volatility.

Certification

What is wonderful about our certification is that it is lifetime valid with no renewal fees – the technology changes, butfundamentals and attitude remain mostly the same. Our Virtual Certificates, which entitle you to collect CPE Points, are issued via Accredible. 

Course outline:

Module 1: Introduction to Windows Internals

  1. Introduction to Windows Internals
  2. Processes and Threads
  3. PID and TID
  4. Information Gathering from Running Operating System
  5. Obtaining Volatile Data
  6. A Deep Dive into Autoruns
  7. Effective Permissions Auditing
  8. PowerShell Get NTFS Permissions
  9. Obtaining Permissions Information with Access Check
  10. Unnecessary and Malicious Services
  11. Detecting Unnecessary Services with PowerShell

Module 2: Securing Monitoring Operations & Threat Hunting

  1. Types of Hunting
  2. Defining Hunt Missions
  3. Malware Hiding Techniques
  4. Uncovering Internal Reconnaissance
  5. Uncovering Lateral Movement
  6. Uncovering Hidden Network Transmissions

Module 3: Handling Malicious Code Incidents

  1. Count of Malware Samples
  2. Virus, Worms, Trojans, and Spywares
  3. Incident Handling Preparation
  4. Incident Prevention
  5. Detection of Malicious Code
  6. Containment Strategy
  7. Evidence Gathering and Handling Eradication and Recovery


Module 4: Static Malware Analysis

  1. Static Malware Analysis Scenarios
  2. Types and Goals of Malware Analysis
  3. Cloud-Based Malware Analysis
  4. Incident Prevention and Response Steps
  5. Containment and Mitigation
  6. Executable analysis
  7. Static Analysis Tools

Module 5: Behavioral Malware Analysis and Threat Hunting

  1. Malware Detonation
  2. Sysinternals Suite
  3. Network Communication Analysis
  4. Monitoring System Events
  5. Memory Dump Analysis
  6. Simulation a Real Environment

Module 6: Network Forensics and Monitoring

  1. Types and Approaches to Network Monitoring
  2. Network Evidence Acquisition
  3. Network Protocols and Logs
  4. LAB: Detecting Data Thievery
  5. LAB: Detecting WebShells
  6. Gathering Data from Network Security Appliances
  7. Detecting Intrusion Patterns and Attack Indicators
  8. Data Correlation
  9. Hunting Malware in Network Traffic
  10. Encoding and Encryption
  11. Denial-of-Service Incidents
  12. Distributed Denial-of-Service Attack
  13. Detecting DoS Attack
  14. Incident Handling Preparations for DoS
  15. DoS Response and Preventing Strategies

Module 7: Memory: Dumping and Analysis

  1. Introduction to Memory Dumping and Analysis
  2. Creating Memory Dump - Belkasoft RAM Capturer and DumpIt
  3. Utilizing Volatility to Analyze Windows Memory Image
  4. Analyzing Stuxnet Memory Dump with Volatility
  5. Automatic Memory Analysis with Volatile

Module 8: Memory: Indicators of compromise

  1. Yara Rules Language
  2. Malware Detonation
  3. Introduction to Reverse Engineering

Module 9: Disk: Storage Acquisition and Analysis

  1. Introduction to Storage Acquisition and Analysis
  2. Drive Acquisition
  3. Mounting Forensic Disk Images
  4. Virtual Disk images
  5. Signature vs. File Carving
  6. Introduction to NTFS File System
  7. Windows File System Analysis
  8. Autopsy with Other filesystems
  9. External Device Usage Data Extraction (USB Usage etc.)
  10. Reviving the Account Usage
  11. Extracting Data Related with the Recent Use of Application, File etc.
  12. Recovering Data after Deleting Partitions
  13. Extracting Delete File and File Related Information
  14. Extracting Data from File Artifacts Like $STANDARD_INFORMATION etc.
  15. Password Recovery
  16. Extracting Windows Indexing Service data
  17. Deep-dive into Automatic Destinations
  18. Detailed Analysis of Windows Prefetch
  19. Extracting Information about
  20. Program execution (UserAssist, RecentApps, Shimcache, appcompatcache etc.)
  21. Extracting information about browser usage (web browsing history, cache, cookies etc.) 
  22. Communicator Apps Data Extraction
  23. Extracting Information about
  24. Network Activity
  25. Building Timelines

Module 10: Malicious Non-Exe Files

  1. Alternative Binaries
  2. PowerShell Scripts
  3. Office Documents
  4. Jscript
  5. HTML Documents
  6. Living off the Land Binaries 

 

Certification:

This training is not related to any specific certification.

Other relevant courses

MasterClass: Hacking and Securing Windows Infrastructure
10. March
5 days
Virtual Classroom Guaranteed to run
Masterclass: Internet Information Services Management (IIS)
4 days
Virtual Classroom
MasterClass: Windows Security and Infrastructure Management with Windows Internals
4 days
Classroom Virtual
MasterClass: Administering and Configuring Active Directory Federation Services and Claims
3 days
Classroom