Incident Response & Computer Forensics

Course Code : 102

Workshop : Training

Duration : 4-day training course

COURSE OUTLINE

The threat of computer crime against an organization's infrastructure continues to grow. Abuse, fraud and criminal activity can originate inside the organization as well as from outside. Every such incident leaves traces behind, and with the proper use of forensic techniques you can uncover illicit activity and recover lost data. After completing this course, you will be able to:

· Implement a computer forensics incident response strategy

· Lead a successful investigation from initial response through completion

· Recover deleted files and discover hidden information

· Reconstruct user activity from e-mail, temporary Internet files and cached data

· Assess the integrity of system memory and process architecture to reveal malicious code

· Address key aspects of forensics lab maintenance

COURSE OBJECTIVES

In this course, you gain experience in the latest Windows-based computer forensic techniques to recognize and respond to security threats. You also learn to identify and retrieve hidden information.

TARGET AUDIENCE

This course is valuable for systems administrators and for anyone involved in responding to security incidents. Prerequisite: working knowledge of Windows-based PCs, including hardware and operating system software.

COURSE CONTENTS

INTRODUCTION TO COMPUTER FORENSICS

· Responding to incidents

· Applying forensic analysis skills

· Distinguishing between corporate and criminal activity

DEVELOPING INCIDENT AWARENESS

Planning for incident response

· Communicating with site personnel

· Knowing your organization's policies

Preliminary investigation

· Minimizing impact on your organization

· Passive/active host analysis

CONTROLLING AN INVESTIGATION

Chain of custody

· Collecting digital evidence

· Identifying the forensics analysis team

Legal aspects of acquiring evidence

· Securing and documenting the scene

· Processing evidence

Inventory and documentation

· Creating the evidence log

· Maintaining process integrity

CONDUCTING DISK-BASED ANALYSIS

Forensics lab operations

· Acquiring a bit-stream image

· Establishing a baseline

· Physically protecting the media

Disk structure and recovery techniques

· Disk geometry components

· Inspecting Windows file system architectures

· Locating deleted content

Uncovering hidden information

· Evaluating alternate data streams

· Steganography tools and concepts

· Scavenging slack space

· Exploring file header (magic-byte) content and extension mangling

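
The disk-based analysis topics above (locating deleted content, scavenging unallocated space, and checking file headers against file names) come together in header/trailer carving. The following is an added example written for this outline, not course material or tool code; all added examples on this page are in Python because that is the language most forensic scripting is done in. It constructs a small raw "disk" in memory in which a PNG and a JPEG-shaped blob sit with no directory entries pointing at them (as deleted files do), carves them back out by signature, validates the carved PNG by walking its chunks and checking every CRC, and types a file by its leading bytes rather than its extension. The signatures are the real PNG and JPEG ones; the image layout and sample files are constructed for the example.

```python
"""Header/trailer carving over a raw image, plus magic-byte identification."""
import struct
import zlib

# Real signatures: magic header -> (kind, trailer that ends the file).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SIGNATURES = {
    PNG_MAGIC:       ("png", b"IEND\xaeB`\x82"),  # IEND chunk including its CRC
    b"\xff\xd8\xff": ("jpg", b"\xff\xd9"),        # SOI ... EOI
}


def png_chunk(tag, data):
    """One PNG chunk: big-endian length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def build_png(width=1, height=1, rgb=b"\xff\x00\x00"):
    """Constructed sample: a minimal valid truecolor PNG (not real evidence)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + rgb * width for _ in range(height))
    return (PNG_MAGIC + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines))
            + png_chunk(b"IEND", b""))


def build_image(sector=512):
    """Constructed 'disk': a PNG at sector 2 and a JPEG-shaped blob at sector 5,
    with no directory entries. That is what deleted files look like on disk:
    the data is still there, only the metadata pointing at it is gone."""
    png = build_png()
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-like payload " * 4 + b"\xff\xd9"
    image = bytearray(sector * 8)
    image[2 * sector:2 * sector + len(png)] = png
    image[5 * sector:5 * sector + len(jpg)] = jpg
    return bytes(image)


def carve(image, max_size=1 << 20):
    """Find every known header and extend it to the matching trailer.
    Returns (offset, kind, data) tuples sorted by offset. A header with no
    trailer within max_size is skipped; a real carver would cut at max_size
    and flag the result as partial."""
    found = []
    for magic, (kind, trailer) in SIGNATURES.items():
        pos = image.find(magic)
        while pos >= 0:
            end = image.find(trailer, pos + len(magic), pos + max_size)
            if end >= 0:
                found.append((pos, kind, image[pos:end + len(trailer)]))
                pos = image.find(magic, end + len(trailer))
            else:
                pos = image.find(magic, pos + 1)
    return sorted(found, key=lambda t: t[0])


def png_chunks_ok(data):
    """Validate a carved PNG by walking its chunks and checking each CRC.
    Header/trailer hits alone give false positives on random data; the
    structure check separates real files from coincidental byte patterns."""
    if not data.startswith(PNG_MAGIC):
        return False
    off = len(PNG_MAGIC)
    while off + 12 <= len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        tag = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        crc_bytes = data[off + 8 + length:off + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return False
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(tag + body) & 0xFFFFFFFF):
            return False
        off += 12 + length
        if tag == b"IEND":
            return True
    return False


def identify(data):
    """Type a file by its leading bytes instead of trusting its extension."""
    for magic, (kind, _) in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


if __name__ == "__main__":
    img = build_image()
    for offset, kind, blob in carve(img):
        extra = f" crc_ok={png_chunks_ok(blob)}" if kind == "png" else ""
        print(f"offset={offset} kind={kind} size={len(blob)}{extra}")
    print("a file named report.doc whose bytes are", identify(build_png()))
```

The trailer search is bounded by max_size because a JPEG's EOI marker (two bytes) appears by chance in almost any large unallocated region; the CRC walk is what turns a "hit" into a recovered file.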
SCRUTINIZING E-MAIL

Investigating the mail client

· Interpreting e-mail headers

· Recovering deleted e-mails

Probing the mail server

· Examining the information store

· Recognizing spoofed DNS
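
Interpreting e-mail headers means walking the Received: chain from the hop nearest the body (the first MTA the message hit) to the top (the last), then checking whether the visible From: agrees with the envelope sender. The following is an added example for this outline, not course material. The message, hosts and addresses are constructed (documentation IPs and example domains); the hop regex assumes the common "from HELO (rdns [ip]) by host" layout and is an assumption of this example, since Received: syntax varies between MTAs. One caveat the code cannot remove: only lines added by MTAs you control are trustworthy, so everything below the first trusted hop could have been forged by the sender, which is why the continuity check matters.

```python
"""Walk Received: headers of a message and cross-check sender identities."""
import email
import email.utils
import re

# Constructed sample message (documentation IPs/domains, not real traffic).
RAW_MESSAGE = b"""Return-Path: <bounce@mail.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mailstore.example.com with ESMTP id 7f3a1; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx1.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from WORKSTATION (unknown [203.0.113.5])
    by relay.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "Payroll" <payroll@example.com>
To: victim@example.com
Subject: Updated bank details
Message-ID: <20240101095958.1@WORKSTATION>

Please update the account on file before Friday.
"""

# Assumed hop layout: "from HELO (rdns [ip]) by HOST ..."; rdns is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def load_message():
    return email.message_from_bytes(RAW_MESSAGE)


def parse_hops(msg):
    """Return hops earliest-first. Each MTA prepends its own Received: line,
    so the header nearest the body is the first hop and the top one the last."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(str(value).split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    hops.reverse()
    return hops


def origin_ip(hops):
    """Address of the host that handed the message to the first MTA."""
    return hops[0]["ip"] if hops else None


def chain_consistent(hops):
    """Each hop's 'by' host should be the 'from' host of the next hop.
    A Received: line forged by the sender usually breaks this continuity."""
    return all(a["by"].lower() == b["helo"].lower() for a, b in zip(hops, hops[1:]))


def domain(addr):
    return email.utils.parseaddr(addr or "")[1].rpartition("@")[2].lower()


def sender_mismatch(msg):
    """From: (what the recipient sees) against Return-Path: (envelope sender)."""
    return domain(msg["From"]) != domain(msg["Return-Path"])


if __name__ == "__main__":
    msg = load_message()
    hops = parse_hops(msg)
    for i, h in enumerate(hops):
        print(f"hop {i}: {h['helo']} [{h['ip']}] -> {h['by']}")
    print("origin:", origin_ip(hops), "chain ok:", chain_consistent(hops),
          "from/return-path mismatch:", sender_mismatch(msg))
```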

TRACING INTERNET ACCESS

Inspecting browser cache and history files

· Exploring temporary Internet files and offline content

· Researching cookie storage

· Exposing hidden browser activity

Reconstructing Web server activity

· Verifying IIS and FTP log files

· Uncovering file system activity in the NTFS journals ($LogFile and $UsnJrnl)

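
Reconstructing Web server activity from IIS logs starts with parsing the W3C extended format correctly (the #Fields directive defines the columns, "-" is an empty field, spaces inside a field are written as "+", and timestamps are UTC by default), then running detection logic over the records. The following is an added example for this outline, not course material; the log lines are constructed with documentation IPs and are not from a real server. It parses the sample, flags requests whose decoded path contains directory traversal, and lists client addresses that produced a burst of 404s, the usual trace of scanning.

```python
"""Parse IIS W3C extended logs and flag traversal attempts and scanning hosts."""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (documentation IPs). IIS writes UTC timestamps by
# default, encodes spaces in fields as '+' and uses '-' for an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 192.0.2.10 GET /index.html - 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
2024-01-01 10:00:01 192.0.2.10 GET /images/logo.png - 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 4
2024-01-01 10:03:10 192.0.2.10 GET /admin/ - 80 - 203.0.113.77 curl/8.0 404 0 2 1
2024-01-01 10:03:11 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.77 curl/8.0 404 0 2 1
2024-01-01 10:03:12 192.0.2.10 GET /_vti_bin/ - 80 - 203.0.113.77 curl/8.0 404 0 2 1
2024-01-01 10:05:00 192.0.2.10 GET /login.aspx - 80 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 20
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names.
    '-' becomes None so that 'no query string' is distinguishable from '-'."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count {len(values)} != {len(fields)}: {line!r}")
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def traversal_attempts(records):
    """Requests whose decoded path contains '../' or '..\\'. Decoding twice
    catches double-encoded forms such as %255c."""
    hits = []
    for r in records:
        path = unquote(unquote(r["cs-uri-stem"] or ""))
        if "../" in path or "..\\" in path:
            hits.append(r)
    return hits


def scanning_sources(records, threshold=3):
    """Client IPs with at least `threshold` 404 responses."""
    misses = Counter(r["c-ip"] for r in records if r["sc-status"] == "404")
    return {ip: n for ip, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in traversal_attempts(recs):
        print("traversal:", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    print("scanners:", scanning_sources(recs))
```

Note that the server and log fields come straight from the request line, so a path can be logged still encoded; decode before matching, and keep the raw value for the report.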
SEARCHING MEMORY IN REAL TIME

Comparing process architectures

· Identifying user and kernel memory

· Verifying address space

· Inspecting threads

Deploying advanced process analysis methods

· Evaluating processes with Windows Management Instrumentation (WMI)

· Walking dependency trees

Auditing processes and services

· Interpreting trace logs

· Reconstructing the process table

· Discovering evidence in the Registry

· Deploying and detecting a rootkit

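
Reconstructing the process table and detecting a rootkit rest on two checks: compare a process list obtained through the normal API (on a live host, for example Win32_Process via WMI) against a second, lower-level view (for example the process objects walked out of a memory image) and report what the first view never showed, and sanity-check parent/child relationships against what Windows normally does. The following is an added example for this outline, not course material. Both views, the PIDs and the expected-parent baseline are constructed for the example; the baseline is deliberately small and a real one is per Windows version. Processes whose parent has already exited (csrss, wininit and explorer normally look like this) are not flagged, which is the edge case a naive check gets wrong.

```python
"""Cross-view process comparison and parent/child sanity checks."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample of a live enumeration (what Win32_Process or the task
# list reported). PIDs and names are illustrative, not from a real host.
USER_VIEW = [
    Proc(4, 0, "System"),
    Proc(388, 4, "smss.exe"),
    Proc(512, 380, "csrss.exe"),       # parent: a second smss that already exited
    Proc(600, 380, "wininit.exe"),
    Proc(700, 600, "services.exe"),
    Proc(712, 600, "lsass.exe"),
    Proc(880, 700, "svchost.exe"),
    Proc(3120, 2950, "explorer.exe"),  # parent (userinit.exe) normally exits
    Proc(1320, 3120, "svchost.exe"),   # svchost started by explorer: suspicious
]
# Constructed sample of a second, lower-level view (e.g. process objects walked
# from a memory image): one process the API view never showed.
KERNEL_VIEW = USER_VIEW + [Proc(4412, 880, "updsvc.exe")]

# Simplified baseline of who normally starts what. An assumption of this
# example; a real baseline is per Windows version and has many more entries.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def hidden_processes(api_view, low_level_view):
    """Present in the low-level view but absent from the API view: the classic
    sign of a rootkit unlinking processes from what user mode can enumerate."""
    seen = {p.pid for p in api_view}
    return sorted((p for p in low_level_view if p.pid not in seen), key=lambda p: p.pid)


def parent_anomalies(procs):
    """(child, parent) pairs where a *living* parent is not one we expect.
    A parent that has exited (ppid not in the table) is normal and not flagged."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name.lower())
        parent = by_pid.get(p.ppid)
        if expected and parent is not None and parent.name.lower() not in expected:
            out.append((p, parent))
    return out


def build_tree(procs):
    """ppid -> children (sorted by pid), the first step in rebuilding the table."""
    tree = defaultdict(list)
    for p in procs:
        tree[p.ppid].append(p)
    return {ppid: sorted(kids, key=lambda p: p.pid) for ppid, kids in tree.items()}


def render_tree(procs):
    """Indented listing. Every process whose parent is not in the table is a
    root, so orphans are shown rather than silently dropped."""
    tree = build_tree(procs)
    known = {p.pid for p in procs}
    roots = sorted((p for p in procs if p.ppid not in known), key=lambda p: p.pid)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.pid} {p.name}")
        for child in tree.get(p.pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(KERNEL_VIEW)))
    print("hidden:", [(p.pid, p.name) for p in hidden_processes(USER_VIEW, KERNEL_VIEW)])
    print("anomalies:", [(c.pid, c.name, p.name) for c, p in parent_anomalies(KERNEL_VIEW)])
```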
Implementing covert surveillance techniques

· Logging key strokes

· Observing real-time remote desktops

· Creating workspace snapshots

MAINTAINING A FORENSICS LAB

Identifying hardware and software requirements

· Enabling a write blocker

· Scrubbing disks

Validating forensic tools

· Constructing a test disk

· Confirming tool integrity
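
Acquiring a bit-stream image and establishing a baseline (under Conducting disk-based analysis) and constructing a test disk to confirm tool integrity (this section) are the same procedure seen from two sides, so one added example covers both. It is written for this outline and is not course material or a forensic tool's code. It constructs a small test disk whose every sector carries its own index, hashes it before acquisition, copies it byte for byte while hashing the stream, then confirms that source, stream and image hashes all agree and that the source hash is unchanged afterwards (the property a hardware write blocker guarantees for real media; here the source is merely opened read-only). It then damages one sector of the image and uses per-sector hashes to show which sector changed, which is how a tool or a copy is validated against a known test disk.

```python
"""Bit-stream acquisition with baseline hashing and piecewise verification."""
import hashlib
import os
import tempfile

SECTOR = 512


def make_test_disk(path, sectors=64):
    """Construct a test disk: each sector carries its own index, so a dropped,
    duplicated or reordered sector changes the hash."""
    with open(path, "wb") as f:
        for i in range(sectors):
            f.write(f"sector {i:05d} ".encode().ljust(SECTOR, b"\x00"))
    return path


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, dst, chunk=1 << 16):
    """Copy src to dst byte for byte, hashing the stream as it is read.
    The source is opened read-only; on real media a hardware write blocker
    guarantees nothing is written back regardless of what software does."""
    h = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "wb") as d:
        for block in iter(lambda: s.read(chunk), b""):
            h.update(block)
            d.write(block)
    return h.hexdigest()


def sector_hashes(path):
    """Piecewise hashes: one SHA-256 per sector."""
    with open(path, "rb") as f:
        return [hashlib.sha256(b).hexdigest() for b in iter(lambda: f.read(SECTOR), b"")]


def damaged_sectors(path_a, path_b):
    """Sector indexes where the two piecewise hash lists disagree; a length
    difference counts every extra sector as damaged."""
    a, b = sector_hashes(path_a), sector_hashes(path_b)
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    diff += list(range(min(len(a), len(b)), max(len(a), len(b))))
    return diff


def run_acquisition_demo():
    """Full cycle on a constructed disk inside a temporary directory."""
    with tempfile.TemporaryDirectory() as work:
        src = make_test_disk(os.path.join(work, "test_disk.bin"))
        dst = os.path.join(work, "evidence.dd")
        baseline = sha256_file(src)          # hash before touching the media
        stream = acquire(src, dst)           # hash of what was actually read
        result = {
            "baseline": baseline,
            "stream": stream,
            "image": sha256_file(dst),       # hash of what landed on disk
            "source_after": sha256_file(src),  # must still equal baseline
            "clean_diff": damaged_sectors(src, dst),
        }
        # Simulate a damaged copy: change one byte inside sector 17 of the image.
        with open(dst, "r+b") as f:
            f.seek(17 * SECTOR + 3)
            f.write(b"X")
        result["image_after_damage"] = sha256_file(dst)
        result["damaged"] = damaged_sectors(src, dst)
        return result


if __name__ == "__main__":
    r = run_acquisition_demo()
    print("baseline == stream == image == source_after:",
          r["baseline"] == r["stream"] == r["image"] == r["source_after"])
    print("sectors that differ after corruption:", r["damaged"])
```

A whole-image hash tells you that something changed; the per-sector list tells you where, which is what you need both to localize a bad copy and to show that a tool under validation reproduces the test disk exactly.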