Digital Forensics and Incident Response

Overview

Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches in the last year has shown that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of very technical areas including filesystem implementation, operating system design, and knowledge of possible network and host attack vectors.

During this training, students will learn both the theory around digital forensics and incident response as well as gain valuable hands-on experience with the same types of evidence and situations they will see in real-world investigations. The class is structured so that a specific analysis technique is discussed and then the students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives the investigator a number of new skills as the course proceeds.

Upon completion of the training, students will be able to effectively preserve and analyze a large number of digital evidence sources, including both on-disk and in-memory data. These skills will be immediately usable in a number of investigative scenarios, and will greatly enhance even experienced investigators' skillset. Students will also leave with media that contains all the tools and resources used throughout the training.

Who Should Take This Class

The target audience for this training is practitioners and managers in the fields of digital forensics and incident response. Throughout the course, very low level details of operating system operations will be discussed, but students will not need programming skills or previous operating system experience to benefit from the class.

Student Pre-Requisites

The course assumes very little previous forensics knowledge on part of the investigator. The hands-on exercises are designed to provide a learning experience to investigators of all skill levels (there will be different objectives based on previous skill-set). Scripting experience (python, perl, ruby, etc) would be helpful to automate the analysis and reporting of results from the exercises.

What to Bring

Laptops that can run both Linux and Windows (the host OS can be either and the other virtualized). We will provide everything else that is needed (tools, materials for exercises, etc).

Outline

• Overview, high level discussion of forensics capabilities
• Forensics Imaging
• Overview of Disks and Storage Mediums
• Filesystem theory
• The Sleuthkit
• FAT Filesystem
• NTFS Filesystem

• File Carving
• Timelining
• Application Analysis Overview
• Browser Activity Analysis
• Windows Cache Analysis
• Windows Registry Analysis

• Recycle Bin Analysis
• LNK File Analysis
• Office Metadata Examination
• System Restore Point and Volume Shadow Service
• Outlook/PST Analysis
• Exchange Forensics
• IIS Forensics Analysis
• MSSQL Forensics Analysis

• Overview of Memory Forensics
• Windows Memory Acquisition Techniques
• Windows Memory Analysis with Volatility
• Final Investigation
• Wrap up and Conclusion

Trainers

Andrew Case is a research engineer at Terremark where he is responsible for research and development projects related to memory, disk, and network forensics. He is also a GIAC-certified digital forensics investigator and has conducted numerous large scale investigations. Andrew's previous experience includes penetration tests, source code audits, and binary analysis for large corporations and products. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis project. He has delivered trainings in the field of digital forensics to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, SOURCE, BSides, OMFW, GFirst, and DFRWS.

Jamie Levy is a researcher and developer at Terremark Worldwide, A Verizon Company. Prior to joining Terremark, she worked on various R&D projects and forensic cases at Guidance Software, Inc. Jamie has taught classes in Computer Forensics and Computer Science at Queens College (CUNY) and John Jay College (CUNY). She has an MS in Forensic Computing from John Jay College and is an avid contributor to the open source Computer Forensics community. She is an active developer on the Volatility Framework. Jamie has authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC) on the topics of memory, network, and malware forensics analysis. Additional technical articles and blog posts by Jamie can be found at http://gleeda.blogspot.com.