This course is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and are seeking to expand their knowledge on advanced forensics and incident response techniques as well as improve computer investigations in relation to incident response.
What to Expect
Hear directly from Hoyt Harness, Forensic Trainer at Magnet Forensics, about why you should take our Magnet AXIOM Incident Response Examinations (AX310) course, what you can expect when you take it, and what type of real-life experience he brings to the classroom.
Because AX310 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the Incident Response part of investigations in AX310. Click Here to find out more about AX200.
MODULE 1: INTRODUCTION AND INSTALLATION OF MAGNET AXIOM
- An introduction to the other students, the instructor(s) and Magnet AXIOM.
- The functionality of AXIOM will be discussed, and the module will conclude with hands-on exercises during which participants will install AXIOM and learn about its associated programmatic components: AXIOM Process and AXIOM Examine.
MODULE 2: COURSE OVERVIEW
- An overview of the course will be presented along with the learning objectives and expected outcomes for the four-day training event.
- Evidence files will be presented and the scenario in which this course of instruction will follow – including the two main players in this scenario who may or may not have been complicit in the malware introduction.
MODULE 3: MALWARE OVERVIEW
- Malware will be focused on, specifically, the footprints left behind from it, its common behavior, and what Windows is doing to stop it. Malware is dynamic and with each version of Windows that approaches, malware authors will have to take also change.
MODULE 4: PACKET CAPTURES (PCAP)
- Network traffic is sometimes key to understanding how malware arrived into the network and how the malware allows nefarious actors to travel through the network.
- Learn how to capture, filter, and analyze network traffic to track down network intrusions and perform network forensics.
- Also learn about Wireshark and understand what a packet sniffer and protocol analyzer is.
MODULE 5: INCIDENT RESPONSE TOOLKIT
- The concepts of volatile data collection from a running computer consists of more than just RAM collection.
- Learn the necessity of collecting volatile data from a suspect computer and use the output to determine a starting point for the examination while the forensic images are being processed by AXIOM.
- Compare the output from volatile data collected from a running computer against the forensic image to locate root-kits and hidden malware.
MODULE 6: RAM
- Parse RAM from a computer involved in a malware incident and determine what programs were running and from what location.
- Investigate the malware to determine what computer user was associated with it. From RAM, recover if there were any network connections or established listening ports from where the malware could communicate.
- Learn how PCAP exists in RAM and how to export PCAP from RAM.
- Gain an understanding on how to process PCAP files from RAM to assist in the forensic examination.
MODULE 7: STATIC ANALYSIS OF MALWARE
- Set up and learn how to utilize virtual machine technology and Kali Linux to leverage good forensic practices and intrusion detection methodologies to infect a computer and examine the results and behavior of the malware.
- Learn how to set up the virtual network to ensure the malware cannot escape into the wild or laterally spread and the good forensic process of examining malware designed for one operating system in a separate operating system to keep it from activating.
MODULE 8: DYNAMIC ANALYSIS OF MALWARE
- Setup a Windows computer similar to the OS from the suspect computer and activate the extracted malware in a controlled environment (sandbox) and monitor the activity of the malware. In order to see the malware extracted from a forensic image of hard drive, this process gives the examiner the ability to determine what remote hosts the malware wants to communicate with and other actions on the computer in a safe manner. Utilizing previously learned methodologies, participants will capture the traffic of the malware live in its environment and utilize that information in the furtherance of the investigation.
MODULE 9: WRAPPING UP THE INVESTIGATION
- Put all of the pieces or this malware puzzle together in order to get ready to report on the findings of their investigation.
- Learning the artifact-first approach of AXIOM, students will examine Prefetch, SRUM, AMCACHE, JUMPLISTS, LNK Files, Recent file/folders, SHIMCACHE, MUICACHE, User Assist, and Windows event logs to aid in telling the malware story.
MODULE 10: FINALIZING THE INVESTIGATION
- Learn how to put all the pieces of the investigation together through the correlation of all the data collected during the preceding modules.
- Correlate the data recovered from the volatile collection using the incident response toolkit with the artifacts recovered from the evidence files of the computers in question and the PCAP files recovered from RAM and the network monitoring tools.
- Extract information from the firewall settings in Windows to determine if there is a hole in the firewall for the malware to communicate. By utilizing the $Logfile students will be able to determine if the malware files were renamed, moved, or deleted and if so when.
MODULE 11: CUMULATIVE REVIEW EXERCISE
- Throughout the four-day training event, instructor-led and student practical exercises are used to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize the material taught and Magnet AXIOM in their investigative workflow.
- To further reinforce the instructional goals of the course, students are presented with a final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the previous modules.