Please call for additional course dates.
A Proficiency-Based Course that Explores Digital Forensics and Malware Analysis
- Investigate real malware, including TDL4, Spybot, and Metasploit backdoors
- Memory forensics: learn how to find malware that bypasses antivirus solutions
- Discover how reading network traffic assists with finding artifacts and identifying malicious behavior
DFA is a course that will teach you about the inner workings of Windows 7, as it relates to live forensics and malware analysis.
Have you ever wondered how computer forensic experts know whether a process that was run was malware? Do you want the skills to investigate a system to see if it was infected? DFA is a course designed to provide in-depth digital forensic knowledge of the Microsoft Windows operating systems. This proficiency-based course takes a hands-on approach by allowing students to work with live malware samples to discover and analyze malicious network traffic, malicious artifacts in volatile memory (RAM), and infected file systems. The course also covers other techniques that give the student a holistic understanding of what really happens on a system during a malware infection (timeline analysis, analysis of supplemental artifacts, file system journal analysis). DFA is ideal for Windows system administrators who need to come up to speed on identifying malware on their systems, penetration testers, CNO and CNE analysts who would like to know what type of artifacts their activities leave behind, and CND analysts who would like to improve their skill set.
Before enrolling in DFA, we recommend attendees have familiarity in the following areas:
- Boot Process for Windows
- Normal processes for Windows and Linux
- Malware, DLL Injection, Rootkits, etc.
- Wireshark and Volatility
- Windows File Storage
- Knowledge of Windows Registry
- Windows Log files
However, many students have successfully completed the course by compensating for gaps in these areas with a willingness to learn.
Malware Delivery Chain
ANATOMY OF AN ATTACK
You begin the first day analyzing a malicious threat. It’s here that you will begin exploiting a target and experiencing it from an attacker’s point of view.
You will then learn how to use the Sysinternals Suite, native tools (netstat, tasklist, etc.), and some introductory PowerShell scripting in order to automate process analysis. Using these skills, you will locate running malware and discover persistence vectors.
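As an added illustration of the kind of process and persistence triage the course automates (this is not course material), the script below lists running processes with their Authenticode signature state, flags executables that are unsigned or run from user-writable directories, and dumps the classic Run/RunOnce keys and services whose image path lies outside the Windows directory; it assumes PowerShell 3.0 or later on the host being examined.

```powershell
# Added example, not part of the course: live triage of processes and
# common autostart locations on a Windows host. Assumes PowerShell 3.0+.

# 1. Running processes: path, parent PID and code-signing status.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath

$report = foreach ($p in $procs) {
    $sig = 'n/a'   # no path: System, Idle, or a process we cannot query
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    }
    [pscustomobject]@{
        PID       = $p.ProcessId
        PPID      = $p.ParentProcessId
        Name      = $p.Name
        Path      = $p.ExecutablePath
        Signature = $sig
    }
}

# Review anything unsigned or running from a user-writable location.
$report | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Path -match '\\(Temp|AppData|Downloads|ProgramData)\\'
} | Format-Table -AutoSize

# 2. Persistence: Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $entries = Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*
    foreach ($prop in $entries.PSObject.Properties) {
        [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
    }
}

# 3. Services whose binary does not live under the Windows directory.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -notmatch '^"?(C:\\Windows|%SystemRoot%|\\SystemRoot)\\' } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Everything the script prints is a lead for manual review, not a verdict: legitimate software is often unsigned or installed under ProgramData, so each hit should be checked against the baseline of the system.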
FILE SYSTEM ANALYSIS
During file system analysis you will look for forensic artifacts and build a timeline of events with log2timeline, mount hard drive images, and run forensic tools against your findings. You will also learn how to create a copy of a hard drive using open source tools.
NETWORK TRAFFIC FORENSICS
Later, you’ll be introduced to Wireshark and use it for packet analysis, seeing what the traffic generated by an exploit kit such as Redkit looks like on the network.
Using various techniques, you will identify malware. Some of the artifacts that will be analyzed are as follows:
- Prefetch files
- Volume Shadow Copy Service
- Interesting Registry keys
As you progress, you’ll learn more about targeted areas of the Windows operating system and how to defend them, including crash dump analysis, the Windows Memory Manager, the Windows boot process and DLL injection.
In becoming a more proficient cyber-mission defender, you will run malware executables and learn how they work. You will then create signatures for malware executables as Indicators of Compromise (IOC) and check other systems on the network for these IOCs.
Finally, you’ll complete a scenario-driven final assessment in which you respond to an intrusion detection incident. Using the forensic techniques learned in class, you will fully enumerate the attack method(s) the attacker used to gain access to the target system, the associated implants, tools and files, the timeline, and the organization of the attack server.
DFA (Single Seat)
- Course Length: 10 Days
- Course Book: Included
What will you get out of this course?
The ultimate goal is for you to become a proficient cyber-mission malware hunter and defender for your organization. By the end of the course, you’ll know what looks suspicious, and have the tools to help you investigate and identify malware at a forensic level.
What makes this course unique?
You’ll perform your exercises and scenarios in a sandboxed network, allowing you to practice and learn at your own pace without affecting other students.