Digital Forensics & Analysis (DFA)

Upcoming Courses


Please call to register for this class.


Cost (single seat): $10,000
Course Length: 10 Days

Additional group and government discounts available. Contact Parrot Labs for more information.


What will you get out of DFA?

The ultimate goal is for you to become a proficient cyber-mission malware hunter and defender for your organization. By the end of the course, you’ll know what looks suspicious, and have the tools to help you investigate and identify malware at a forensic level.

What makes this course unique?

You’ll perform your exercises and scenarios in a sandboxed network, allowing you to practice and learn at your own pace without affecting other students.

Why should you enroll in DFA?

In DFA, students learn about the inner workings of Windows 7 as it relates to live forensics and malware analysis. DFA is designed to provide in-depth digital forensic knowledge of the Microsoft Windows operating systems.

    • Investigate real malware, including TDL4, Spybot, and Metasploit backdoors
    • Memory forensics: learn how to find malware that bypasses antivirus solutions
    • Discover how reading network traffic assists with finding artifacts and identifying malicious behavior


This proficiency-based course takes a hands-on approach, allowing students to work with live malware samples to discover and analyze malicious network traffic, malicious artifacts in volatile memory (RAM), and infected file systems. The course also focuses on techniques that give students a holistic understanding of what happens on a system during a malware infection (timeline analysis, analysis of supplemental artifacts, and file system journal analysis). DFA is ideal for Windows system administrators who need to better identify malware on their systems, penetration testers, CNO or CNE analysts analyzing the artifacts left behind by their own activities, and CND analysts who would like to improve their skill set.

Malware Delivery Chain

Students will actively run real malware in a sandboxed environment. All rootkits and malware are analyzed in a realistic network with routing and servers set up to perform the malware delivery chain. Students will become proficient cyber defenders using the skills learned in hands-on experience with Redkit, TDL4, Spybot, and other kits.

Topics


ANATOMY OF AN ATTACK

Analyze a malicious threat, then exploit a target yourself and experience the intrusion from the attacker’s point of view.

PROCESS INTERROGATION

Use Sysinternals Suite, native tools (netstat, tasklist, etc.), and introductory PowerShell scripting to automate process analysis. Using these skills, you will locate running malware and discover persistence vectors.

FILE SYSTEM ANALYSIS

Seek out forensic artifacts and perform a timeline analysis with log2timeline to reconstruct the chain of events, mounting hard drive images and running forensic tools against your findings. You will also learn to create a forensic copy of a hard drive using open-source tools.

NETWORK TRAFFIC FORENSICS

View exploit kits (like Redkit) on a network and explore packet analysis with an introduction to Wireshark.

SUPPLEMENTAL ARTIFACTS

Identify malware using basic techniques and analyze artifacts such as:

    • Prefetch files
    • Volume Shadow Copy Service
    • Interesting Registry Keys
    • Shellbags


WINDOWS INTERNALS

Learn more about the areas of the Windows operating system that malware targets and how to defend them, including crash dump analysis, the Windows Memory Manager, the Windows boot process, and DLL injection.

RESPONSIVE ACTIONS

Run malware executables and learn how they work. You will then create signatures for those executables as Indicators of Compromise (IOCs) and sweep other systems on the network for the same IOCs.

CAPSTONE

Complete a scenario-driven final assessment in which you respond to an intrusion detection incident. Using the forensic techniques learned in class, you will fully enumerate the attack method(s) the attacker used to gain access to the target system, along with the associated implants, tools, files, timeline, and attack server organization.


The ACE CREDIT logo is a registered trademark of the American Council on Education and cannot be used or reproduced without the express written consent of the American Council on Education.