Incident Response Black Hat Edition

MANDIANT - Kris Harms & Dan McWhorter

Register Now // july 24 - 27

USA 2010 Weekend Training Session //July 24-25

USA 2010 Weekday Training Session //July 26-27


Students who cannot meet the laptop requirements because of onsite registration or other reasons, please contact MANDIANT at to see if a laptop can be provided for you.

As the sophistication and threats caused by malicious attacks continue to increase, Mandiant has raised the bar of effective detection, response, and remediation by introducing our Incident Response (IR) class. This two-day Special Edition class has been specifically designed for information security professionals and analysts who respond to computer security incidents. It is designed as an operational course, using case studies and hands-on lab exercises to ensure attendees are gaining experience in each topic area. Hands on exercises and labs in Windows Intrusion as well as the following topics are covered:

  • The different phases and activities of the IR process
  • The roles and responsibilities of each member of the IR team
  • Create IR checklists and notification lists
  • How to rapidly detect or confirm attacks
  • Finding, reviewing, and interpreting log files
  • Performing live response on a compromised server
  • Learn what volatile evidence is present on a live system before it is powered down
  • Determine the function of unidentified executable processes
  • Detect rootkits, backdoors and trojaned files
  • Interact with rootkits to learn their impact on a live system, and how to respond

What to bring:

Students must bring their own Laptop with Windows XP installed and Administrator rights. Be prepared to install software, analyze drive images, and handle malicious code. Laptops should have the following software installed.

  • VMWare Player or Workstation
  • Microsoft Office 2003, 2007 or Open Office 3.0

What You Will Get:

  • Student Manual
  • Class handouts
  • MANDIANT gear

Who Should Attend the Class:

Information technology staff, information security staff, corporate investigators, or other staff that require an understanding of how networks work, how to capture network traffic, how to investigate network use, how to identify and escalate suspected computer security incidents, and how to safeguard corporate assets via network defense.


Basic knowledge of computer, network, and operating system fundamentals is required.


Kris Harms is a Principal Consultant at Mandiant with seven years experience in information security. Mr. Harms provides commercial organizations, attorneys and the U.S. Government with expertise in incident response, computer forensics, vulnerability assessment and security architecture design.

Mr. Harms has extensive experience investigating and resolving high risk computer security incidents. He has responded to intrusions for Fortune 100 companies, ecommerce sites and financial institutions. He has also supported multiple counterintelligence intrusion investigations for several government entities. He has assisted organizations with post incident activities such as remediation strategy development, vulnerability management, security architecture design, executive presentations and incident response program development. Mr. Harms has also assisted attorneys and organizations with electronic evidence discovery for several multi-million dollar litigations.

Harms has a passion for teaching. He has taught computer intrusion investigations classes at the FBI Academy, commercial, and other government organizations. He is also the author of several training courses for Mandiant and the Federal Bureau of Investigation. He has provided training at several conferences including Black Hat, CSI SX and InfraGard.

Prior to joining Mandiant, Mr. Harms worked for SRA International and played a key role as an Information Assurance Engineer for the Government Accountability Office. During this time, he became the technical lead for the development and maintenance of the agencyís intrusion detection and incident response capabilities. He was also the technical lead for workstation security, providing secure solutions for auditors and support staff while on-site and off-site. This program included leading a successful rollout of agency-wide personal firewalls which incorporated never before implemented 802.1x capabilities.

As a result of his experience conducting numerous forensic investigations, Mr. Harms created Mandiantís Restore Point Analysis Tool, and authored ìForensic Analysis of System Restore Points in Windows XPî published in the International Journal of Digital Investigation. The tool is designed to provide forensic examiners an understanding of the content found within System Restore Points which are frequently overlooked as a source for data.

A frequent industry speaker and instructor, Mr. Harms has appeared on the CBS News program 60 Minutes and PBSís Wealth and Wisdom. Mr. Harms holds a Bachelor of Arts degree in Applied Science and Technology from The George Washington University.

Dan McWhorter is the Director of Professional Education for Mandiant, responsible for Mandiantís Professional Education service line. In this role Mr. McWhorter focuses on curriculum development, course delivery, personnel management, and business development. As a Mandiant consultant, Mr. McWhorter provides analysis for both incident response engagements and proactive assessments.

Prior to joining Mandiant, Mr. McWhorter was an Assistant Executive Director with ManTech International. During his time there, Mr. McWhorter built a MD-focused ManTech International computer forensics and intrusion operations capability from the ground up that resulted in a fully accredited 10,000 square foot facility and a multi-million dollar contract base. Mr. McWhorter has experience supporting, supervising, and leading an elite team of forensic and intrusion engineers, as well as technical managers and administrative personnel.

Mr. McWhorter is a graduate of the National Security Agencyís (NSA) three-year Cryptologic Mathematics Program. In addition to completing several mathematics courses during this program, Mr. McWhorter contributed technically to multiple NSA offices. He created exploits from public computer/network vulnerabilities, developed computer network operations tools, explored forensic attributes of computer operating systems and applications, coded algorithms to identify and extract nuggets of intelligence from massive data sets, evaluated commercially available executables and assisted in the determination of their security, and researched error correction and its use in specific hardware devices.

Mr. McWhorter has worked toward his doctorate in mathematics at the University of North Carolina. He has a Masterís of Science in mathematics from the University of Cincinnati, and a Bachelors of Science in mathematics from Mount Union College (with minors in Physics, Astronomy, and Secondary Education). Mr. McWhorter has thousands of hours of classroom experience, he has published and presented on numerous technical topics internal to the National Security Agency (NSA), and he has presented at several technical conferences. Mr. McWhorter currently holds an active Top Secret government security clearance.

Super Early:
Ends Apr 1

Ends May 15

Ends Jun 15

Ends Jul 23