Digital Forensics and Incident Response (DFIR)

Gain insight into the analysis and investigation of cyberattacks on corporate networks. You will learn the procedures and tools needed to follow up on incidents, detect adversary actions and fully remediate a cyber incident.

There are many theoretical courses that teach from checklists. This practical training is different: you will be enabled to analyze and fend off a broad variety of cyberattacks with state-of-the-art methods and tools.

Learning objectives

The goal of this training is to develop a technical understanding of digital forensics in the context of typical cyber incidents. Both common procedures and the most important technical details are explained, and the knowledge is deepened by means of practical exercises and workshops.

On the last day, the course participants investigate an incident in a deliberately compromised Windows infrastructure. The aim is to assemble the individual pieces learned during the course into a big picture and to recognize the challenges of analyzing cyberattacks in average corporate networks.

The course participants are thus given what is probably a unique opportunity to understand the now common approach of "Human Operated Ransomware". The lab exercises developed for this purpose allow the entry path, the escalation of privileges, the spreading in the network (lateral movement) and the adversary's hiding of malicious code (evasion techniques) to be analyzed and understood.

Demarcation: This training provides knowledge of typical attacks on corporate networks. The content is therefore strongly focused on the Windows operating system, Windows-based networks and the associated technical details necessary for the investigation of incidents. In-depth analysis techniques, such as those required for the investigation of malicious code or volatile memory, are not part of the course.

Likewise, aspects related to cloud services and SaaS environments are outside the scope of this training.

Highlights

  • Knowledge of typical attacks and mapping on the Cyber Kill Chain
  • Categorization and guidance using the MITRE ATT&CK matrix and TTPs
  • Classic disk forensics (MBR, GPT, NTFS, MFT, journals)
  • Relevant Windows artifacts of cyber attacks (Execution, Persistence)
  • Important Windows Event Logs (Logons, Remote Access, Credential Access)
  • Aspects of network analysis (C2 Traffic, Detection)
  • Incident handling processes and frameworks (NIST, SANS, Mandiant)
  • State of the art forensics tactics and tools (Velociraptor)
  • Investigation of a contaminated Windows domain
  • Forensic Readiness from the practical perspective
  • The exercises are completed online at www.hacking-lab.com

Target group

  • Security Officers
  • Network Administrators/Engineers
  • System Administrators (Unix/Linux/Windows)
  • Firewall Administrators/Engineers
  • Windows Active Directory Administrators
  • Level 1/2 SOC Analysts

Prerequisite

  • Good German language skills. The course will be conducted in German.
  • Familiarity with the command line (Windows CMD/PowerShell, Linux Bash)
  • Basic knowledge of network protocols and services (DNS/TCP/IP/HTTP)
  • Basic understanding of Windows networks/domains
  • Basic understanding of cyber attacks
  • BYOD course (Microsoft Remote Desktop / Remmina required)
  • Compass provides virtual machines for the analyses