Live Memory Forensics Training

Course Overview

Level: Introductory
Prerequisites: Basic computer skills.

This hands-on course teaches repeatable techniques for acquiring digital evidence from a live Windows system. Extracted artifacts include running processes, open files and registry keys, user accounts and logged-in users, open ports and their associated processes, and the identification of hooks into the IDT (Interrupt Descriptor Table) or SSDT (System Service Descriptor Table). Participants will also learn how to extract data artifacts from a physical memory image, such as e-mails, internet browsing history, chat logs, etc. Once the artifacts have been identified, participants will extract and examine suspect binaries for malicious capabilities and additional evidence.
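As an illustration of the live-collection side of the course, the following is an added example (not part of the course materials or HBGary's toolkit) of a PowerShell script that gathers several of the volatile artifacts named above (processes, open ports joined to their owning process, local accounts and logged-on sessions) and documents the collection with a timestamped log and SHA-256 hashes of every output file. The output path, the assumption that it is run from a trusted-toolkit directory, and the requirement for PowerShell 5.1 or later (for Get-NetTCPConnection, Get-NetUDPEndpoint and Get-FileHash) are assumptions of this example.

```powershell
# Added example, not from the course or HBGary: documented collection of
# volatile data from a live Windows host. Assumes PowerShell 5.1+, that the
# script is launched from a trusted toolkit directory, and that $OutDir is on
# removable or remote media (the default path below is an assumption).
param(
    [string]$OutDir = "E:\evidence\$env:COMPUTERNAME"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'collection.log'

# Every action is recorded with a UTC timestamp so the order of collection
# (and therefore what each tool may have disturbed) is reconstructible.
function Note([string]$Message) {
    $line = "{0} {1}" -f (Get-Date).ToUniversalTime().ToString('o'), $Message
    Add-Content -Path $log -Value $line
    Write-Output $line
}

Note "Collector $env:USERNAME on $env:COMPUTERNAME, PowerShell $($PSVersionTable.PSVersion)"
Note "Toolkit path: $PSScriptRoot"

# 1. Running processes with image path and command line (WMI exposes both).
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $OutDir 'processes.csv') -NoTypeInformation
Note "Saved processes.csv"

# 2. Open TCP connections and UDP endpoints, each joined to its owning process.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ n = 'ProcessName'; e = { $procNames[[int]$_.OwningProcess] } } |
    Export-Csv (Join-Path $OutDir 'tcp.csv') -NoTypeInformation
Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'ProcessName'; e = { $procNames[[int]$_.OwningProcess] } } |
    Export-Csv (Join-Path $OutDir 'udp.csv') -NoTypeInformation
Note "Saved tcp.csv and udp.csv"

# 3. Local user accounts and the sessions currently logged on.
Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, Lockout |
    Export-Csv (Join-Path $OutDir 'accounts.csv') -NoTypeInformation
Get-CimInstance Win32_LoggedOnUser |
    Select-Object @{ n = 'User';    e = { $_.Antecedent.Domain + '\' + $_.Antecedent.Name } },
                  @{ n = 'LogonId'; e = { $_.Dependent.LogonId } } |
    Export-Csv (Join-Path $OutDir 'logged_on.csv') -NoTypeInformation
Note "Saved accounts.csv and logged_on.csv"

# 4. Document: hash every output (the log included, now that it is final) so
#    any later alteration of the evidence set is detectable.
Note "Collection complete; hashing outputs"
Get-ChildItem $OutDir -File | Where-Object Name -ne 'hashes.sha256' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv (Join-Path $OutDir 'hashes.sha256') -NoTypeInformation
```

Two caveats a practitioner should keep in mind. First, running anything on a live host changes its memory, which is why the log records what ran and when. Second, these cmdlets query the running kernel through ordinary APIs; a rootkit that has hooked the SSDT or IDT can hide processes or sockets from them, which is exactly why the course pairs live collection with analysis of a physical memory image rather than relying on either alone.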

What Will You Learn?

  • How to properly image physical memory
  • How to acquire (and document) other volatile system data
  • Legal precedents for volatile data collection and privacy issues
  • How to collect evidence locally and remotely
  • How to extract artifacts from a physical memory image
  • How to correlate evidence from volatile sources
  • How to quickly determine the capabilities of a (possibly-malicious) binary
  • How to create and use a trusted toolkit

Who Should Attend?

  • Forensic Investigators
  • Local, state and federal law enforcement
  • IT security professionals
  • System administrators and incident-handling personnel who want to extend their knowledge of current forensic techniques
  • Anyone who wants to understand the technical side of incident response and memory forensics
  • Anyone who wants to learn how to collect evidence and analyze live Windows systems

Participants Receive

  • Two full days of training
  • Certificate of Attendance
  • Automatic submission of CPE Class A credits for current CISSPs or SSCPs
  • Credit toward HBGary certification
  • CD containing a set of open source “trusted tools” to be used for collecting and analyzing physical memory and volatile system data
  • CD containing all labs and exercises