This course is not currently offered by Global Knowledge. Information here is provided for reference only.

As the sophistication of malicious attacks and the threats caused by them continue to increase, Mandiant has raised the bar of effective detection, response, and remediation with our Incident Response class. Designed specifically for information security professionals and analysts who respond to computer security incidents, this 4-day course uses case studies and hands-on lab exercises to reinforce each topic area.

What You'll Learn

• Phases and activities of the Incident Response process
• Rapidly detect or confirm attacks against Windows/UNIX systems
• Perform live response on compromised Windows/UNIX systems
• Collect the volatile evidence present on a live system prior to the system being powered down
• Determine the function of unidentified executable processes
• Recover deleted files from Kernel memory on UNIX systems
• How to dump the memory associated with suspicious processes
• Detect loadable kernel modules, rootkits, and trojaned files
• Steps involved in the creation of a secure Incident Response toolkit
• Characteristics of differing UNIX & Linux rootkits, including those which replace userland applications, loadable kernel modules, and direct memory alteration examples
• Collect and post process critical logs and volatile information from UNIX and Microsoft environments with Log Parser
• Find hidden files and export protected files such as hiberfil.sys and pagefile.sys from Windows systems with FTK imager

Who Needs to Attend

Information technology staff, information security staff, corporate investigators, or other staff that have a need to perform Incident Response or investigate suspect network and systems use/misuse.

Prerequisites

Basic understanding of TCP/IP networks and some familiarity with Windows and UNIX systems; Familiarity with computer security terminology and concepts is helpful.

Follow-On Courses

There are no follow-ons for this course.

Course Outline

DAY 1

1. Intro

2. Case Study

• Recent incident from initial incident discovery to the investigative process used to identify probable cause and incident conclusion

3. The Incident Response Process

• Definition of an incident and remediation steps
• Differences between Live and Forensic response approaches
• Use a forensic workstation to collect text and binary data during information collection stage of a live response
• Proper evidence handling steps
• Live collection of Windows event logs and post collection filtering (Log Parser)
• Find network-based compromise indicators using Snort and Linux netfilter output

4. Introduction to Malware Analysis

• Create "safe and sanemalware investigative systems using VMware
• Investigative "shortcutsto determine nature of malware found on Windows systems
• Identify malware "armoringutilities and determine tools used to revert "armoredmalware to its original state

DAY 2

1. Windows Incident Response

• Use the tools and processes presented to perform volatile data collection such as process related data, network connections and other data which may be of interest
• Build your own automated Live Response script
• Perform filesystem timestamp analysis to identify potentially "linkeditems throughout the filesystem
• Acquire process memory from suspicious binaries running in the Windows operating system
• Examine the process memory to determine what clues may exist within the process dumps
• Layers within which the operating system and "userlandapplications run
• Install and hide a typical keystroke logger using a widely used Windows rootkit
• Rootkit detection tools and methods
• Log parser and analysis
• Major Windows exercise

DAY 3

1. Unix Incident Response

• Use the tools and processes presented in order to perform volatile data collection such as process related data, network connections and associated data, etc.
• Semi- or non-volatile data collection and analysis, including the typical logs available in the UNIX environment
• Build your own automated Live Response script
• Perform filesystem timestamp analysis to identify potentially "linkeditems throughout the file system
• Recover deleted processes from running Kernel memory on UNIX systems
• Layers within which the operating system and "userlandapplications operate within Linux
• Examples of typical Linux rootkits
• Log parser and analysis
• Major UNIX exercise

DAY 4

1. Introduction to Network Monitoring

• Monitor your network for additional signs of comprise using information gained during the Incident Response process

2. Introduction to Computer Forensics

• Use common UNIX utilities to create bit-for-bit images of a USB device
• Collection validation techniques, including the use of file "fingerprintingutilities such as MD5sum
• Find hidden files and export protected files such as hiberfil.sys and pagefile.sys with FTK imager

3. Major Final Exercise

• Presented with a "livecompromised system (frozen in a state of compromise within VMware), perform Live Response to determine the scope and nature of the compromise using a trusted incident response kit contained within a CDROM ISO image
• Pre-captured Live Response data will also be made available to facilitate completion of this module

Labs

Lab 1: Exploitation Frameworks

Lab 2: Trusted Response Kit Creation

Lab 3: Windows Incident Response

Lab 4: Linux Incident Response

Lab 5: Log Parser Analysis

Lab 6: Windows Memory Analysis

Lab 7: FTK

Lab 8: How to Automate Live Response Data Collection

Lab 9: Windows Rootkits

Lab 10: Windows Malware Analysis

Lab 11: Intro to Network Monitoring

Lab 12: UNIX Rootkits

Lab 13: Final Exercise