Incident Handling and IT Forensics in Companies
This training course will introduce current methods of incident response, incident handling and IT forensics.
Before a forensic investigation can take place, the incident first has to be identified as such. This is followed by a direct reaction in the form of incident response, which aims to contain the incident and prepare it for the subsequent forensic investigation. The ISO 27035 standard provides a guideline for the detection and handling of security incidents.
The training will first deal with the possibilities to detect security incidents. We will then show you how to ensure a systematic approach based on the ISO 27035 standard.
Building on this, we will use example cases to explain in detail the correct procedure when a hacker intrusion, data abuse, data theft or data deletion is suspected, or when corporate communication facilities have been used without authorization. Exercises on a provided laptop allow each participant to learn how to search for traces in IT systems and how to secure and interpret them properly. Each participant is provided with different tools to perform a live analysis. For dead analysis, commercially established products are presented alongside the freely available tools.
Live analysis focuses on the collection and analysis of volatile data from running systems. This includes looking at kernel components, at the network status and at main memory, while also considering the virtual memory of individual processes. In contrast to the well-known methods of hard-disk analysis, advanced methods are used here to gather information. These aim at identifying both malware (worms, Trojans, etc.) and kernel rootkits, reconstructing code-injection attacks, and generally extracting data directly from memory (images, documents, etc.).
Dead analysis focuses on the collection and analysis of persistent data. The participants will become familiar with the creation of hard-disk images, the evaluation of file system metadata, the handling of various file systems (NTFS, ext3, etc.), the recovery of deleted data and the evaluation of log files.
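Two of the dead-analysis steps named above, verifying the integrity of an acquired image and recovering deleted data from unallocated space, can be illustrated with a small script. The following is an added example written for this page; it is not course material from cirosec. It builds a constructed raw "disk image" in memory, records its SHA-256 before any analysis, and then carves JPEG-like fragments purely by their header and trailer signatures (the way a file is found when its directory entry is gone). The image layout, the `make_sample_image`, `sha256_hex`, `carve_jpegs` and `evidence_record` names, and the sample blobs are all assumptions made for the demonstration; real images are fragmented and need a proper carver, but the principle is the same.

```python
import hashlib

# JPEG start-of-image and end-of-image markers, used as carving signatures.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def make_sample_image() -> bytes:
    """Constructed raw image: filler, one JPEG-like blob, filler, a second
    blob whose directory entry we pretend was deleted, more filler.
    The bytes are still in unallocated space, which is what carving relies on."""
    filler = b"\x00" * 64
    first = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI     # 26 bytes at offset 64
    second = JPEG_SOI + b"\xe1" + b"B" * 33 + JPEG_EOI    # 39 bytes at offset 154
    return filler + first + filler + second + filler


def sha256_hex(data: bytes) -> str:
    """Integrity hash of the evidence; taken before and after analysis so the
    record shows the image was never altered."""
    return hashlib.sha256(data).hexdigest()


def carve_jpegs(image: bytes, max_len: int = 10 * 1024 * 1024):
    """Signature-based carving: every SOI followed by an EOI within max_len
    bytes is treated as one recoverable file. Returns (offset, bytes) pairs.
    The image is only read, never modified."""
    results = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_len:
            # No plausible trailer: skip this header and keep scanning.
            pos = start + 1
            continue
        blob = image[start:end + len(JPEG_EOI)]
        results.append((start, blob))
        pos = end + len(JPEG_EOI)
    return results


def evidence_record(image: bytes) -> dict:
    """Minimal chain-of-custody style record: hash before, carve, hash after,
    and flag whether the two hashes still match."""
    before = sha256_hex(image)
    carved = carve_jpegs(image)
    after = sha256_hex(image)
    return {
        "sha256_before": before,
        "sha256_after": after,
        "unchanged": before == after,
        "carved": [{"offset": off, "size": len(b), "sha256": sha256_hex(b)}
                   for off, b in carved],
    }


if __name__ == "__main__":
    img = make_sample_image()
    rec = evidence_record(img)
    print("image sha256:", rec["sha256_before"], "unchanged:", rec["unchanged"])
    for entry in rec["carved"]:
        print(f"carved file at offset {entry['offset']}, {entry['size']} bytes, "
              f"sha256 {entry['sha256'][:16]}...")
```

The hash-before/hash-after pattern is what makes the recovered artefacts defensible: anyone can re-hash the image and confirm that the analysis only read it. With a real image you would work on a write-blocked or read-only copy and keep the original sealed.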
In the field of SQL forensics, we will show techniques to analyze and evaluate security incidents on database systems. This involves presenting the objects and artefacts that can then be used in the course of the forensic investigation. The exercises are performed on an exemplary Microsoft SQL Server. For instance, the following questions are addressed:
After completing the training, the participants will be able to recognize and understand the tracks of an intruder. They will know how to respond in the event of a system intrusion and which requirements have to be met so that digital traces are collected, stored and evaluated as evidence in a legally unassailable manner.
Topic areas:
Tools covered: Both open-source and commercial tools
Operating systems covered: Windows, Linux, Unix
Target group:
Administrators, security managers, CERTs, company investigators
Prerequisites:
Good knowledge of Windows, Linux or Unix. Knowledge of attacking possibilities and hacking techniques is an advantage. Having attended the “Hacking Extreme” training would be an asset.
The training is conducted in German by an experienced trainer. The cirosec trainers work as consultants, which allows them to contribute extensive and up-to-date practical experience.
You will receive CPE points for participating in the Forensics Extreme training. The training takes 24 hours. You will receive a certificate after completing the training.
Dates:
on request
We would be glad to offer you the course as an in-house training.
Duration: 3 days