Forensics Extreme

Incident Handling and IT Forensics in Companies

Instructors:
 cirosec consultants

Duration: 3 days

Content:
This training course will introduce current methods of incident response, incident handling and IT forensics.

Before a forensic investigation can take place, the incident first has to be identified as such. This is followed by a direct reaction in the form of incident response, which aims to capture the incident and prepare it for the subsequent forensic investigation. The ISO 27035 standard provides a guideline for the detection and handling of security incidents.

The training will first cover the ways in which security incidents can be detected. We will then show you how to ensure a systematic approach based on the ISO 27035 standard.

Building on this, we will use example cases to explain in detail the correct procedure when a hacker intrusion, data abuse, data theft or data deletion is suspected, or when corporate communication facilities are used without authorization. In exercises on a provided laptop, each participant learns to search for traces in IT systems and to secure and interpret them properly. Each participant is provided with different tools to perform a live analysis. For dead analysis, commercially established products are presented in addition to the freely available tools.

Live analysis focuses on the collection and analysis of volatile data from running systems. This includes looking at kernel components, the network status and the main memory, while also considering the virtual memory of individual processes. In contrast to the well-known methods of hard-disk analysis, advanced methods are used here for gathering information. These aim at identifying both malware (worms, Trojans, etc.) and kernel rootkits, reproducing code-injection attacks or generally extracting data directly from memory (images, documents, etc.).

Dead analysis focuses on the collection and analysis of persistent data. The participants will become familiar with the creation of hard-disk images, the evaluation of file system metadata, the handling of various file systems (NTFS, ext3, etc.), the recovery of deleted data and the evaluation of log files.

In the field of SQL forensics, we will show techniques to analyze and evaluate security incidents on database systems. This involves presenting objects and artefacts which can then be used in the course of the forensic investigation. The exercises are performed on a sample Microsoft SQL Server. For instance, the following questions are addressed:

  • Has unauthorized access to the database taken place?
  • What data has been accessed?
  • Have data records been manipulated?
  • Is it possible to restore deleted data?

After completing the training, the participants will be able to recognize and understand the traces of an intruder. They will know how to respond in the event of a system intrusion and which requirements have to be met for the legally unassailable collection, storage and evaluation of digital traces as evidence.

Topic areas:

  • ISO 27035 Standard as a Guideline for Incident Response
  • Prerequisites for Incident Response
  • Organizational Conditions for Incident Response
  • Incident Handling Process
  • Collect and preserve volatile data
  • Collect and preserve persistent data
  • Evaluate the gathered data
  • Hash databases
  • Carving
  • Targeted search for terms
  • Extract and analyze timestamps
  • Extract and analyze log files
  • Description of different anti-forensics techniques
  • Main memory and process memory analysis
  • Find and disable rootkits
  • SQL forensics
  • etc.

Tools covered: Both open-source and commercial tools

Operating systems covered: Windows, Linux, Unix 

Target group:
Administrators, security managers, CERTs, company investigators 

Prerequisites:
Good knowledge of Windows, Linux or Unix. Knowledge of attack options and hacking techniques is an advantage. Having attended the "Hacking Extreme" training would be an asset.

Price: On request

The training is conducted in German by an experienced trainer. The cirosec trainers work as consultants, which allows them to contribute extensive and up-to-date practical experience.

This training will be held in German.

You will get CPE points for participating in the Forensics Extreme training. The training takes 24 hours. You will get a certificate after having completed the training.

Dates:
on request

We will gladly offer you the course as an in-house training.

What previous participants say:
"An excellent introduction to IT forensics. An adequate level to make the topic easy to understand."
Frank Gebert, Wüstenrot & Württembergische AG

"Ideal for decision makers in information security with technical background."
Martin Intemann, RWE Dea AG

Your trainers

Marco Lorenz

Joshua Tiago