Cyberforensic rapid response
This training gives participants a rapid overview of the investigative options available to a system administrator after an incident.
The Cyber Forensics Rapid Response (CFRR) training program is a 2-week course that provides detailed study of evidence on intrusions and malware incidents in computers and networks. At the conclusion of this course, students will have a clear understanding of responding to, and managing, intrusions and malware incidents, which artifacts are left during these incidents, and how knowledge of these artifacts plays a significant role in the forensic and investigative processes.
Through presentations, instructor-led hands-on practical exercises, and laboratory activities, students will learn how to find, identify and respond to malware on Windows and Linux operating systems and on network devices, focusing on identifying intrusion and malware artifacts. The first week focuses on the network level: analyzing a variety of logs, investigating network traffic captures and conducting drive analysis across a network in diverse scenarios. The second week focuses on intrusion and malware artifacts on Windows and Linux hosts, including RAM capture and analysis, and malware analysis.
The CFRR Training Program is not an entry-level class. Prospective students are expected to be proficient with basic forensic concepts and tools. Students should be competent with the use of virtualization software (VMware, VirtualBox, etc.) and, since portions of the analysis are conducted with Linux VMs, should have some experience with basic Linux commands (ls, mkdir, etc.); advanced commands will be explained and practiced during the course. Students will be provided with analysis platforms but must bring their own Windows 7, 8 or 10 VM.
| DAY | Monday | Tuesday | Wednesday | Thursday | Friday |
|---|---|---|---|---|---|
| 8:00 | Introduction | Network Services | Linux for Log Analysis | Remote Imaging | Regulatory Frameworks/Legal |
| 9:00 | Network Theory | Microsoft Networks | Linux for Log Analysis | Remote Imaging | CSIRP |
| 10:00 | Network Theory | Networks Lab | Linux for Log Analysis | Remote Imaging | Scenario 1 |
| 11:00 | Network Theory | Highlighter for Logs | Linux for Log Analysis | EnCase for Networks | Scenario 1 |
| 13:00 | Network Theory | Wireshark | Linux for Log Analysis | NDB for Networks | Electronic Crime Scene |
| 14:00 | Network Theory | Wireshark | Linux for Log Analysis | Network Assessment | Scenario 2 |
| 15:00 | Network Topology | Wireshark | Linux for Log Analysis | Network Assessment | Scenario 2 |
| 16:00 | Network Topology | Wireshark | Linux for Log Analysis | Network Assessment | Scenario 2 |
| DAY | Monday (Windows) | Tuesday (Linux) | Wednesday (RAM) | Thursday (Malware) | Friday |
|---|---|---|---|---|---|
| 8:00 | ELEX (evt analysis) | Linux Overview | RAM Architecture | Rapid Response | Scenario 3 |
| 9:00 | LogParser | Linux Overview | RAM Architecture | Rapid Response | Scenario 3 |
| 10:00 | LogParser | Linux Analysis | RAM Capture | Rapid Response | Scenario 3 |
| 11:00 | Windows Analysis | Linux Analysis | BulkExtractor | Rapid Response | Scenario 3 |
| 13:00 | Windows Analysis | Linux Analysis | RAM Analysis (Volatility) | Dynamic Malware | Scenario 3 |
| 14:00 | Windows Analysis | Linux Analysis | RAM Analysis (Volatility) | Dynamic Malware | Scenario 3 |
| 15:00 | Windows Analysis | Linux Analysis | RAM Analysis (Volatility) | Dynamic Malware | Scenario 3 |
| 16:00 | Windows Analysis | Linux Analysis | RAM Analysis (Volatility) | Dynamic Malware | Scenario 3 |