
Forensics Extreme

Incident Handling and IT Forensics in Companies

This training course will discuss current methods of incident response, incident handling and IT forensics.

Training Content

Once a security incident has been identified as such, a direct reaction follows in the form of incident response, which aims to contain the incident and prepare it for the subsequent forensic investigation. The ISO 27035 standard provides a guideline for the detection and handling of security incidents.

First, we will discuss the possibilities for detecting security incidents. Then, we will show you how to ensure a systematic approach based on the ISO 27035 standard.

Building on this, we will use example cases to explain in detail the correct procedure when a hacker intrusion, data abuse, data theft or data deletion is suspected, or in case of unauthorized use of corporate communication facilities. Exercises on a provided laptop allow each participant to learn how to search for traces in IT systems and how to secure and interpret them properly. Each participant is provided with different tools to perform a live analysis. For dead analysis, commercially established products are presented in addition to the freely available tools.

Live analysis focuses on the collection and analysis of volatile data from running systems. This includes looking at kernel components, at the network status and at the main memory, while also considering the virtual memory of individual processes. In contrast to the well-known methods of hard-disk analysis, advanced methods of gathering information are used here. These aim at identifying both malware (worms, Trojans, etc.) and kernel rootkits, at reproducing code-injection attacks, and generally at extracting data (images, documents, etc.) directly from memory.

Dead analysis focuses on the collection and analysis of persistent data. The participants will become familiar with the creation of hard-disk images, the evaluation of file system metadata, the handling of various file systems (NTFS, ext3, etc.), the recovery of deleted data and the evaluation of log files.

In the field of SQL forensics, we will show techniques for analyzing and evaluating security incidents on database systems. This involves presenting the objects and artefacts that can then be used in the course of the forensic investigation. The exercises are performed on a sample Microsoft SQL Server. For instance, the following questions are addressed:

  • Has unauthorized access to the database taken place?
  • What data has been accessed?
  • Have data records been manipulated?
  • Is it possible to restore deleted data?

After completing the training, the participants will be able to recognize and understand the tracks of an intruder. They will know how to establish an incident response process within their company and which requirements have to be met for the legally sound collection, storage and evaluation of digital traces as evidence.

Topic areas:

  • ISO 27035 standard as a guideline for incident response
  • Prerequisites for incident response
  • Organizational conditions for incident response
  • Incident handling process
  • Collect and preserve volatile data
  • Collect and preserve persistent data
  • Evaluate the gathered data
  • Hash databases
  • Carving
  • Targeted search for terms
  • Extract and analyze timestamps
  • Extract and analyze log files
  • Description of different anti-forensics techniques
  • Main memory and process memory analysis
  • Find and disable rootkits
  • SQL forensics
  • etc.
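To give a concrete picture of two of the topic areas above, carving and hash databases, here is a small added example in Python. It is not part of the cirosec course material; the "disk image" is a constructed byte string, the JPEG payloads are made up, and the hash database is a constructed set standing in for a real known-file list such as NSRL. It shows signature-based carving of JPEG files from raw bytes (no file system metadata needed, as with deleted data), hashing of the acquired image so its integrity can be verified later, and a lookup of each carved file against known hashes.

```python
import hashlib

# JPEG start-of-image and end-of-image markers used for signature carving.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed sample payloads (not real JPEG data, just marker-delimited blobs).
PHOTO_A = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 64 + JPEG_EOI
PHOTO_B = JPEG_SOI + b"\xe1" + b"B" * 32 + JPEG_EOI


def build_sample_image() -> bytes:
    """Constructed 'disk image': two JPEG-like files scattered among unallocated
    filler bytes, with no directory entries pointing at them (deleted files)."""
    filler = b"\x00" * 512
    return filler + PHOTO_A + filler + b"\x11" * 100 + PHOTO_B + filler


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash database. Pretend PHOTO_B is a known, benign system image,
# so a match means "known file, can be set aside" during triage.
KNOWN_HASHES = {sha256(PHOTO_B)}


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Signature-based carving: find each SOI marker and take everything up to the
    next EOI marker within max_size bytes. Fragmented files and false positives
    (random bytes that look like markers) are a known limitation of this method."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1          # no terminator in range: skip this candidate
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Integrity check of an acquired image against the hash recorded at acquisition."""
    return sha256(image) == expected_sha256


def triage(image: bytes) -> tuple[str, list[dict]]:
    """Hash the whole image, carve JPEGs, and flag each one as known or unknown."""
    evidence_hash = sha256(image)
    results = []
    for offset, blob in carve_jpegs(image):
        digest = sha256(blob)
        results.append({
            "offset": offset,
            "size": len(blob),
            "sha256": digest,
            "known": digest in KNOWN_HASHES,
        })
    return evidence_hash, results


if __name__ == "__main__":
    img = build_sample_image()
    image_hash, carved = triage(img)
    print("image sha256:", image_hash)
    for entry in carved:
        print(entry)
```

In a real investigation the image hash is recorded at acquisition time and re-checked before and after analysis; the carved files that are not in the hash database are the ones that warrant a closer look.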

Tools covered: Both open-source and commercial tools

Operating systems covered: Windows, Linux, Unix

Target group:
Administrators, security managers, CERTs, company investigators

Requirements
Good knowledge of Windows, Linux or Unix. Knowledge of attack possibilities and hacking techniques is an advantage, as is having attended the “Hacking Extreme” training.

The cirosec trainers work as consultants and can thus complement the course with comprehensive and recent practical experience.

You will receive CPE points for participating in the Forensics Extreme training. The training takes 24 hours. You will receive a certificate after completing the training.

Dates:
on request

We also gladly offer you the course as an in-house training.

Your Trainers

Joshua Tiago

Managing Consultant

Marco Lorenz

Partner and Co-Founder

Duration

3 days

Dates

On request

Price

On request

What previous participants say

Frank Gebert, Wüstenrot & Württembergische AG
An excellent introduction to IT forensics. An adequate level to make the topic easy to understand.

Martin Intemann, RWE Dea AG
Ideal for decision makers in information security with technical background.

Your Contact Person

Do you want to protect your systems? Feel free to get in touch with us.