Megamind Training Institute presents:

Hands-on Workshop: Live Forensics for Windows 2000
Expert Instructor: Harlan Carvey

Send an email to info@megamind.org
This intensive workshop is available on-site for groups of 8 or more attendees.

1-888-333-8649 or info@megamind.org

WINDOWS FORENSICS and INCIDENT RECOVERY SERIES

Windows Incident Response, Level 1 (Introductory Level)

Overview

This intensive two-day, hands-on course will show you how to prepare for, identify and verify computer security incidents on Windows systems. It will show you how to configure Windows systems to protect them against compromise, and how to collect and analyze information from systems that may have been compromised or otherwise involved in a security incident.

This course focuses on the use of freeware tools in all hands-on exercises conducted throughout the two days. This allows you to learn the underlying concepts through hands-on use of the tools, so that you can evaluate and select the appropriate tool for your environment.

You will benefit from the fact that much of the material presented is unique to the course. No other course available covers the information presented in this course, in the detail addressed in this course. Topics such as NTFS alternate data streams, Registry key LastWrite times, and Windows rootkits are addressed in detail in this course.

The course makes extensive use of hands-on, interactive exercises so that you will leave having performed many of the techniques presented.

You will receive a copy of "Windows Forensics and Incident Recovery" when you attend this course.

Who should attend:

This course is a must-have for Windows system administrators and IT managers, as well as security consultants. Anyone who has responsibility for Windows systems will benefit greatly from the material presented in this course. Law enforcement personnel dealing with Windows systems will also benefit from this information. Anyone attending the course will gain a deeper technical understanding of Windows systems.

What you will learn:

The course covers the following topics:

Day 1

  • The Basics of the Incident Response Process
    • Basic concepts
    • Every infrastructure is different
    • Locard's Exchange Principle in the digital realm
    • Principle of Least Privilege
    • Incidents are easy - "Push button" tools, readily available exploits and lack of security make compromising systems easy
    • Types/categories of incidents
  • Incident Preparation
    • Basic network mapping - Define the perimeter, ingress/egress points, identify critical assets, etc.
    • System hardening and configuration - Identify the components of system security, and how to configure them to meet the needs of the environment.
    • Assessing and monitoring your network - Use of monitoring tools and vulnerability assessment tools (freeware)
    • Password cracking
  • Data Hiding
    • How data is hidden on a live Windows system
    • File attributes
    • NTFS Alternate Data Streams
    • Obfuscating and hiding files and malware - Compressors, packers, binders
    • Hiding data via OLE structured storage
    • DLL Injection and Rootkits

Day 2

  • Data Collection and Analysis
    • What data do you want to collect and why
    • What tools to use
    • How to get the data off of the system
    • Analyzing the data - Understanding what the data tells you
    • How to use the data to make solid decisions
    • Locating "hidden" malware, keyloggers, sniffers, etc.
Megamind, an Institute for Advanced Technology Training
Emerging Technology Training Experts
TEL: 1-831-662-9164 OR SEND AN EMAIL: info@megamind.org

