On This Page

Digital Forensics & Incident Response

Andrew Case & Jamie Levy | August 1-4



Overview

Digital forensics and incident response are two of the most critical fields in all of information security. The staggering number of reported breaches in the last several years has shown that the ability to rapidly respond to attacks is a vital capability for all organizations. Unfortunately, the standard IT staff member is simply unable to effectively respond to security incidents. Successful handling of these situations requires specific training in a number of deeply technical areas including file systems, operating system design, and knowledge of possible network and host attack vectors.

During this training, students will learn both the theory around digital forensics and incident response as well as gain valuable hands-on experience with the same types of evidence and situations they will see in real-world investigations. The class is structured so that a specific analysis technique is discussed and then the students immediately analyze staged evidence using their newly gained knowledge. Not only does this approach reinforce the material learned, but it also gives the investigator a number of new skills as the course proceeds.

This course, which has been offered to a wide range of students for several years, has been recently updated with new analysis techniques, seven new labs, and full coverage of Windows 8 forensics. Upon completion of the training, students will be able to effectively preserve and analyze a large number of digital evidence sources, including both on-disk and in-memory data, using the latest and most effective forensics tools and techniques. These skills will be immediately usable in a number of investigative scenarios, and will greatly enhance even experienced investigators' skillset. Students will also leave with media that contains all the tools and resources used throughout the training.

Outline:

Day 1
  • Overview, high-level discussion of forensics capabilities
  • Forensics imaging and legal considerations
  • Filesystem theory and analysis
    1. FAT
    2. ExFAT
    3. NTFS
  • Disk Forensics with Autopsy
  • Deleted File Recovery
  • Browser Activity Analysis
    1. Internet Explorer
    2. Firefox
    3. Chrome
  • Recycle Bin Analysis
  • LNK File & Jump List Analysis

Day 2
  • Application Analysis
  • Windows Registry Analysis
  • Windows Backup Facilities
    1. System Restore Point
    2. Volume Shadow Service
    3. File History
  • Event Log Forensics
  • Office Metadata Examination
  • Picture Forensics

Day 3
  • Email Forensics
    1. Outlook/PST
    2. Exchange
    3. Web mail (Gmail, Yahoo)
  • IIS Forensics Analysis
  • MSSQL Forensics Analysis
  • Timelining
  • Detecting and Defeating Anti-Forensics

Day 4
  • Overview of Memory Forensics
  • Windows Memory Acquisition
  • Windows Memory Analysis with Volatility
  • Final Investigation
  • Wrap up and Conclusion

Who Should Take this Course

Network and systems administrators, digital forensics staff, incident response handlers, SOC team members, and managers in the IT and IT security realm

Student Requirements

The course assumes previous forensics knowledge equivalent to that of a junior investigator. Systems administrators and other IT staff often have these skills even if they were never applied to forensics. The hands-on exercises are designed to provide a learning experience to investigators of all skill levels (there will be different objectives based on previous skill-set). Scripting experience (python, perl, ruby, etc.) will be helpful to automate the analysis and reporting of results from the exercises.

What Students Should Bring

Hardware:

  • Laptop with the following minimum specifications:
  1. 2.0 GHz, multi-core CPU
  2. 4 GB of RAM
  3. 20 GB of disk space
  4. USB 2.0/3.0 ports
  5. Wireless Network Interface Card

Software:

  • Laptops must have access to a Windows installation either as a virtual machine or on the laptop directly. VMware workstation or VMware player must be installed. VMplayer can be downloaded and used for free for purposes of this course. A PDF reader is also required. If students wish to examine evidence from their own Windows installation, they must have a decompression tool that can handle a wide variety of formats (tar, gzip, bzip, RAR, etc) installed. 7zip and Winrar meet this criteria and are free.

What Students Will Be Provided With

A USB drive with:
  1. A Linux VM setup with the needed Linux tools installed
  2. All of the lab material
  3. Select relevant reading material such as whitepapers and presentations

Trainers

Andrew Case is a senior incident response handler and malware analyst. He has conducted numerous large-scale investigations that span enterprises and industries. Andrew's previous experience includes penetration tests, source code audits, and binary analysis. Andrew is the co-developer of Registry Decoder, a National Institute of Justice funded forensics application, as well as a developer on the Volatility memory analysis framework. He is a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory". He has delivered trainings in the fields of digital forensics and incident response to a number of private and public organizations as well as at industry conferences. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented his research at conferences including Black Hat, RSA, SOURCE, BSides, OMFW, GFirst, and DFRWS.

Jamie Levy is a senior digital forensics investigator and incident response handler. Her prior experience includes working on various R&D projects and forensic cases at Guidance Software, Inc. Jamie has taught classes in Computer Forensics and Computer Science at Queens College (CUNY) and John Jay College (CUNY). She has an MS in Forensic Computing from John Jay College and is an avid contributor to the open source Computer Forensics community. She is an active developer on the Volatility Framework. She is also a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Jamie has authored peer-reviewed conference publications and presented at conferences (OMFW, CEIC, IEEE ICC) on the topics of memory, network, and malware forensics analysis. Additional technical articles and blog posts by Jamie can be found at http://gleeda.blogspot.com.