Computer Forensics and Incident Response

Course Code: 536      Days: 4
Scheduled Dates
14/10/08 London (Central) (NW1) £ 1,695
03/02/09 London (Central) (NW1) £ 1,695
Prices exclude VAT.

Course Overview

The threat of computer crime against an organisation's infrastructure has grown significantly. Abuse, fraud and criminal activity can occur internally as well as from outside sources. Every crime leaves behind clues, and with the proper use of forensic techniques, you can uncover illicit activity and recover lost data.

In this course, you gain experience in the latest Windows-based computer forensic techniques to recognise and respond to security threats. You also learn to identify and retrieve hidden information.

Audience

This course is valuable for systems administrators and those involved in responding to security incidents. Knowledge of Windows-based PCs, including hardware and operating system software, at the level of Course 551, "Windows XP Professional Introduction", is assumed.

Skills Gained

  • Implement a computer forensics incident-response strategy
  • Lead a successful investigation from the initial response to completion
  • Conduct disk-based analysis and recover deleted files
  • Identify information-hiding techniques
  • Reconstruct user activity from e-mail, temporary Internet files and cached data
  • Assess the integrity of system memory and process architecture to reveal malicious code

Course Outline

Introduction to Computer Forensics

  • Responding to incidents
  • Applying forensic analysis skills
  • Distinguishing between unpermitted corporate and criminal activity

Handling Preliminary Investigations

Planning for incident response

  • Communicating with site personnel
  • Knowing your organisation's policies
  • Minimising impact on your organisation

Identifying the incident life cycle

  • Performing incident analysis
  • Restoring systems
  • Capturing volatile information

Controlling an Investigation

Collecting digital evidence

  • Chain of custody and process integrity
  • Advantages of the forensics analysis team

Legal aspects of acquiring evidence

  • Securing and documenting the scene
  • Processing and logging evidence

Conducting Disk-Based Analysis

Forensics lab operations

  • Acquiring a bit-stream image
  • Enabling a write blocker
  • Establishing a baseline
  • Physically protecting the media

Disk structure and recovery techniques

  • Disk geometry components
  • Inspecting Windows file system architectures
  • Locating and restoring deleted content

Investigating Information-Hiding Techniques

Uncovering hidden information

  • Scanning and evaluating alternate data streams
  • Executing code from a stream
  • Steganography tools and concepts
  • Detecting steganography
  • Scavenging slack space

Inspecting header signatures and file mangling

  • Combining files
  • Binding multiple executable files
  • File time analysis

Scrutinising E-mail

Investigating the mail client

  • Interpreting e-mail headers
  • Recovering deleted e-mails

Validating e-mail header information

  • Detecting spoofed e-mail
  • Verifying e-mail routing

Tracing Internet Access

Inspecting browser cache and history files

  • Exploring temporary Internet files
  • Researching cookie storage
  • Reconstructing cleared browser history

Auditing Internet surfing

  • Tracking user activity
  • Uncovering unauthorised usage

Searching Memory in Real Time

Comparing the architecture of processes

  • Identifying user and kernel memory
  • Inspecting threads
  • Discovering rogue DLLs and drivers

Employing advanced process analysis methods

  • Evaluating processes with Windows Management Instrumentation (WMI)
  • Walking dependency trees

Auditing processes and services

  • Investigating the process table
  • Discovering evidence in the Registry
  • Deploying and detecting a rootkit

Implementing covert surveillance techniques

  • Logging keystrokes
  • Observing real-time remote desktops
  • Monitoring Internet access
