Digital Forensics and Analysis (DFA)

 Please call for additional course dates.


A Proficiency-Based Course that Explores Digital Forensics and Malware Analysis


  • Investigate real malware, including TDL4, Spybot, and Metasploit backdoors
  • Memory forensics: learn how to find malware that bypasses antivirus solutions
  • Discover how reading network traffic assists with finding artifacts and identifying malicious behavior


DFA is a course that will teach you about the inner workings of Windows 7, as it relates to live forensics and malware analysis.

Have you ever wondered how computer forensic experts know whether a process that ran was malware? Do you want the skills to investigate a system to see if it was infected? DFA is a course designed to provide in-depth digital forensic knowledge of the Microsoft Windows operating systems. This proficiency-based course takes a hands-on approach by allowing students to work with live malware samples to discover and analyze malicious network traffic, malicious artifacts in volatile memory (RAM), and infected file systems. The course also covers other techniques that give the student a holistic understanding of what really happens on a system during a malware infection: timeline analysis, analysis of supplemental artifacts, and file system journal analysis. DFA is ideal for Windows system administrators who need to come up to speed on how to better identify system malware; penetration testers, CNO and CNE analysts who would like to know what type of artifacts are left by their activities; and CND analysts who would like to improve their skill set.

Before enrolling in DFA, we recommend attendees have familiarity in the following areas:

  • Boot Process for Windows
  • Normal processes for Windows and Linux
  • Malware, DLL Injection, Rootkits, etc.
  • Hashing
  • Wireshark and Volatility
  • Windows File Storage
  • Knowledge of Windows Registry
  • Windows Log files

However, many students have successfully completed the course by compensating for gaps in these areas with a willingness to learn.

Malware Delivery Chain


Students will actively run real malware in a sandboxed environment. All rootkits and malware are analyzed in a realistic network with routing and servers set up to perform the malware delivery chain. Students will become proficient cyber defenders through hands-on experience with Redkit, TDL4, Spybot, and other kits.


Topics

ANATOMY OF AN ATTACK

You begin the first day analyzing a malicious threat. It’s here that you will begin exploiting a target and experiencing it from an attacker’s point of view.

PROCESS INTERROGATION

You will then learn how to use the Sysinternals Suite, native tools (netstat, tasklist, etc.), and some introductory PowerShell scripting in order to automate process analysis. Using these skills, you will locate running malware and discover persistence vectors.
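As an added illustration of the kind of automation this topic describes (this is not course material, and the heuristics it applies are my own assumptions), the following PowerShell script lists running processes with their parent, image path and Authenticode signature status, flags images that are unsigned or run from user-writable locations, dumps the Run/RunOnce persistence keys, and maps listening sockets from netstat back to their owning process. It assumes PowerShell 3 or later and an elevated prompt; anything it flags is a lead for further analysis, not a verdict.

```powershell
# Added example (not from the course): first-pass process and persistence
# triage on a live Windows host. Assumes PowerShell 3+ and an elevated prompt.

# --- 1. Running processes: image path, parent, signature status ---
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $sig = 'n/a'
    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
    }
    $parent = $byPid[$p.ParentProcessId]
    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Parent      = if ($parent) { $parent.Name } else { '<none>' }
        Path        = $p.ExecutablePath
        Signature   = $sig
        CommandLine = $p.CommandLine
    }
}

# Constructed heuristic: unsigned images, or images running out of a user's
# AppData or a Temp directory, deserve a closer look.
$suspicious = $report | Where-Object {
    ($_.Signature -ne 'Valid' -and $_.Signature -ne 'n/a') -or
    ($_.Path -match '\\Users\\[^\\]+\\AppData\\|\\Temp\\')
}
"== Processes worth a closer look =="
$suspicious | Format-Table PID, Name, Parent, Signature, Path -AutoSize

# --- 2. Persistence: Run/RunOnce keys for the machine and the current user ---
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
"== Run/RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in $psMeta) { continue }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
    }
}

# --- 3. Listening TCP sockets from netstat, mapped to the owning process ---
# netstat -ano lines look like: "  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  764"
"== Listening sockets =="
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.Line.Trim()) -split '\s+'
    $owner = $byPid[[uint32]$f[-1]]
    [pscustomobject]@{
        Local     = $f[1]
        OwningPID = [int]$f[-1]
        Process   = if ($owner) { $owner.Name } else { '<unknown>' }
        Path      = if ($owner) { $owner.ExecutablePath } else { '' }
    }
} | Sort-Object OwningPID | Format-Table -AutoSize
```

The script deliberately cross-references three views of the same host (process list, autostart registry keys, network listeners) because a process that is unsigned, persists via a Run key, and holds a listening socket is far more interesting than any one of those facts alone. Additional persistence locations (services, scheduled tasks, Winlogon keys) can be added to the same pattern.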

FILE SYSTEM ANALYSIS

During file system analysis you will look for forensic artifacts and perform a timeline analysis to see the chain of events using log2timeline, mounting hard drives and using forensic tools on your findings. You will also learn how to create a copy of the hard drive using open source tools.

NETWORK TRAFFIC FORENSICS

Later, you will be introduced to packet analysis with Wireshark and use it to see what the traffic generated by an exploit kit (such as Redkit) looks like on the network.

SUPPLEMENTAL ARTIFACTS

Using various techniques, you will identify malware. Some of the artifacts that will be analyzed are as follows:

  • Prefetch files
  • Volume Shadow Copy Service
  • Interesting Registry Keys
  • Shellbags

WINDOWS INTERNALS

As you progress, you’ll learn more about targeted areas of the Windows Operating System and how to defend them, including Crash Dump Analysis, Windows Memory Manager, the Windows boot process and DLL injection.

RESPONSIVE ACTIONS

In becoming a more proficient cyber-mission defender, you will run malware executables and learn how they work. You will then create signatures for malware executables as Indicators of Compromise (IOC) and check other systems on the network for these IOCs.
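As an added example of the IOC sweep this topic describes (not course material; the hashes and host names below are constructed placeholders, and the directory list is my own assumption), the following PowerShell function hashes files under a set of directories and reports any that match a table of SHA-256 indicators, first locally and then on other hosts through PowerShell remoting. It assumes PowerShell 4 or later for Get-FileHash and that WinRM is enabled on the remote hosts.

```powershell
# Added example (not from the course): sweep hosts for file-hash IOCs.
# The IOC values are constructed placeholders; replace them with hashes
# produced by your own analysis of the malware sample.
$iocHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000001' = 'sample-A (placeholder)'
    '0000000000000000000000000000000000000000000000000000000000000002' = 'sample-B (placeholder)'
}

function Find-IocMatch {
    param(
        [Parameter(Mandatory)][hashtable]$Iocs,
        # Constructed default: common drop locations; widen as needed.
        [string[]]$Paths = @("$env:SystemRoot\Temp", "$env:APPDATA", "$env:TEMP")
    )
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if (-not $h) { return }
                $h = $h.ToLower()
                if ($Iocs.ContainsKey($h)) {
                    [pscustomobject]@{
                        Computer = $env:COMPUTERNAME
                        Path     = $_.FullName
                        SHA256   = $h
                        Ioc      = $Iocs[$h]
                        Modified = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

# Local sweep.
"== Local matches =="
Find-IocMatch -Iocs $iocHashes | Format-Table -AutoSize

# Sweep other hosts over PowerShell remoting. Host names are placeholders.
$hosts = @('WORKSTATION-01', 'WORKSTATION-02')
"== Remote matches =="
Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Find-IocMatch} -ArgumentList $iocHashes |
    Select-Object PSComputerName, Path, SHA256, Ioc, Modified | Format-Table -AutoSize
```

File hashes are the simplest IOC to produce but also the most brittle, since a single byte change defeats them; in practice a sweep like this is paired with the persistence and network indicators gathered during process interrogation so that a repacked sample is still caught by where it lives and what it talks to.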

CAPSTONE

Finally, you’ll complete a scenario-driven final assessment in which you respond to an intrusion detection incident. Using the forensic techniques learned in class, you will fully enumerate the attack method(s) the attacker used to gain access to the target system, the associated implants, tools, files and timeline, and the organization of the attack server.


Cost

DFA (Single Seat)

$10,000/each

  • Course Length: 10 Days
  • Course Book: Included



What will you get out of this course?

The ultimate goal is for you to become a proficient cyber-mission malware hunter and defender for your organization. By the end of the course, you’ll know what looks suspicious, and have the tools to help you investigate and identify malware at a forensic level.

What makes this course unique?

You’ll perform your exercises and scenarios in a sandboxed network, allowing you to practice and learn at your own pace without affecting other students.