
Forensics Extreme

Incident Handling and IT Forensics in Companies

This training course will introduce current methods of incident response, incident handling and IT forensics.

Training Content

Before a forensic investigation can take place, an incident first has to be recognized as such. This is followed by incident response: the immediate reaction that aims to contain the incident and preserve it for the subsequent forensic investigation. The ISO/IEC 27035 standard provides a guideline for detecting and handling security incidents.

The training first covers the ways in which security incidents can be detected. We then show how to ensure a systematic approach based on the ISO/IEC 27035 standard.

Building on this, we use example cases to explain in detail the correct procedure when a hacker intrusion, data abuse, data theft or data deletion is suspected, or when corporate communication facilities are used without authorization. Exercises on a laptop provided to each participant teach how to search for traces on IT systems and how to secure and interpret them properly. Each participant is given a set of tools for live analysis. For dead analysis, established commercial products are presented alongside the freely available tools.

Live analysis focuses on collecting and analyzing volatile data from running systems. This includes examining kernel components, the network state and main memory, as well as the virtual memory of individual processes. Unlike the well-known methods of hard-disk analysis, this requires advanced techniques for gathering information. These aim at identifying malware (worms, Trojans, etc.) and kernel rootkits, reconstructing code-injection attacks, or simply extracting data (images, documents, etc.) directly from memory.

Dead analysis focuses on collecting and analyzing persistent data. Participants become familiar with creating hard-disk images, evaluating file-system metadata, handling various file systems (NTFS, ext3, etc.), recovering deleted data and evaluating log files.
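Two of the dead-analysis techniques named in this course outline, signature-based carving and matching carved files against a hash database, are shown below as an added example. This script is not part of the cirosec course material. The "disk image", the files embedded in it and the hash database are all constructed inline (the label in the hash database is an invented placeholder); a real investigation would carve from an image acquired through a write blocker and match against a reference set such as NSRL.

```python
"""Signature-based file carving plus hash-database lookup (added example).

Everything here is constructed: a small 'disk image' containing a PNG and a
JPEG that no file-system metadata points to any more, plus a truncated JPEG
header whose remaining clusters were overwritten.
"""
import hashlib
import zlib

# Header and footer signatures to carve by. Carving ignores the file system
# entirely, which is why it recovers deleted files whose clusters still exist.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Return (kind, offset, data) for each header found; data is None when no
    footer follows within max_size (truncated or partially overwritten file)."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                found.append((kind, start, None))
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end  # naive: an embedded JPEG thumbnail would end the outer file early
    return sorted(found, key=lambda hit: hit[1])


def classify(hits: list, hash_db: dict) -> list:
    """Look each carved file up by SHA-256 in a hash database. Known-good hits
    (e.g. from NSRL) drop out of review; the unknown files are what to look at."""
    out = []
    for kind, offset, data in hits:
        if data is None:
            out.append((kind, offset, None, "truncated"))
            continue
        digest = hashlib.sha256(data).hexdigest()
        out.append((kind, offset, digest, hash_db.get(digest, "unknown")))
    return out


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    return len(body).to_bytes(4, "big") + tag + body + zlib.crc32(tag + body).to_bytes(4, "big")


def build_image() -> tuple:
    """Constructed image: a valid 1x1 PNG, a JPEG stub (valid markers only) and a
    truncated JPEG, separated by unallocated filler. Returns (image, offsets, hash_db)."""
    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00")
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
           + _png_chunk(b"IEND", b""))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 64 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32  # footer overwritten
    filler = b"\x00" * 512
    image = filler + png + filler + jpg + filler + truncated + filler
    offsets = {"png": len(filler), "jpg": 2 * len(filler) + len(png),
               "truncated": 3 * len(filler) + len(png) + len(jpg)}
    # Constructed hash database: only the JPEG is a known-good reference file.
    hash_db = {hashlib.sha256(jpg).hexdigest(): "known-good (reference set)"}
    return image, offsets, hash_db


if __name__ == "__main__":
    image, offsets, hash_db = build_image()
    for kind, offset, digest, status in classify(carve(image), hash_db):
        print(f"{kind} @ {offset:#08x} {(digest or '-')[:16]:>16} {status}")
```

The footer search is deliberately bounded by max_size so that a header without a footer is reported as truncated instead of swallowing everything up to the next footer of the same type; the JPEG case in the comment (a thumbnail carrying its own end-of-image marker) is the classic reason real carvers also validate structure rather than relying on footers alone.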

In the area of SQL forensics, we show techniques for analyzing and evaluating security incidents on database systems, presenting the objects and artefacts that can be used in the course of a forensic investigation. The exercises are performed on a sample Microsoft SQL Server instance. Questions addressed include:

  • Has unauthorized access to the database taken place?
  • What data has been accessed?
  • Have data records been manipulated?
  • Is it possible to restore deleted data?

After completing the training, participants will be able to recognize and interpret the traces left by an intruder. They will know how to respond to a system intrusion and which requirements must be met so that digital traces are collected, stored and evaluated in a legally sound manner and can serve as evidence.

Topic areas:

  • ISO/IEC 27035 Standard as a Guideline for Incident Response
  • Prerequisites for Incident Response
  • Organizational Conditions for Incident Response
  • Incident Handling Process
  • Collect and preserve volatile data
  • Collect and preserve persistent data
  • Evaluate the gathered data
  • Hash databases
  • Carving
  • Targeted search for terms
  • Extract and analyze timestamps
  • Extract and analyze log files
  • Description of different anti-forensics techniques
  • Main memory and process memory analysis
  • Find and disable rootkits
  • SQL forensics
  • etc.
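The topic items "Extract and analyze timestamps" and "Extract and analyze log files" above, together with the incident-detection step described at the start of the training content, meet in the timeline an investigator builds from several log sources. The following Python script is an added example and not part of the cirosec course material. It normalizes two differently formatted sources (a syslog-style auth.log, which carries neither year nor time zone, and an Apache access log, which carries its own UTC offset) into one UTC timeline and flags a brute-force login that ended in success. All log lines, host names and addresses are constructed, and the year and the host's UTC+01:00 clock are assumptions supplied from context, exactly the kind of context a real investigation must establish before timestamps from different systems can be compared.

```python
"""Log normalization, UTC timeline and brute-force detection (added example).

All log lines are constructed; 203.0.113.0/24 is a documentation range.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the syslog host ran on UTC+01:00 and the lines are from 2024.
# Classic syslog timestamps carry neither, so both must come from context.
HOST_TZ = timezone(timedelta(hours=1))
LOG_YEAR = 2024

AUTH_LOG = """\
Mar  3 02:14:07 srv01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Mar  3 02:14:09 srv01 sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51012 ssh2
Mar  3 02:14:12 srv01 sshd[4025]: Failed password for root from 203.0.113.45 port 51020 ssh2
Mar  3 02:14:15 srv01 sshd[4025]: Failed password for root from 203.0.113.45 port 51020 ssh2
Mar  3 02:14:21 srv01 sshd[4031]: Accepted password for root from 203.0.113.45 port 51033 ssh2
Mar  3 09:02:44 srv01 sshd[5102]: Accepted publickey for alice from 10.0.0.7 port 40122 ssh2
"""

ACCESS_LOG = """\
203.0.113.45 - - [03/Mar/2024:01:13:58 +0000] "GET /wp-login.php HTTP/1.1" 200 2819
10.0.0.7 - - [03/Mar/2024:08:01:10 +0000] "GET /index.html HTTP/1.1" 200 512
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+)\[(\d+)\]: (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
SSH_RE = re.compile(r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)")


def parse_syslog(text: str, year: int, tz: timezone) -> list:
    """Parse syslog lines, attaching the year and zone the format omits."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append({"time": local.astimezone(timezone.utc), "source": "auth.log",
                       "host": m.group(2), "msg": m.group(5)})
    return events


def parse_apache(text: str) -> list:
    """Parse Apache combined-format lines; the timestamp carries its own offset."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"time": ts.astimezone(timezone.utc), "source": "access.log",
                       "host": m.group(1), "msg": f"{m.group(3)} -> {m.group(4)}"})
    return events


def build_timeline() -> list:
    """Merge both sources on normalized UTC time; without that step the web
    probe at 01:13:58Z would appear an hour before the SSH attack it preceded by seconds."""
    events = parse_syslog(AUTH_LOG, LOG_YEAR, HOST_TZ) + parse_apache(ACCESS_LOG)
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a successful SSH login preceded by at least `threshold` failures
    from the same source address within `window`."""
    failures = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        m = SSH_RE.search(e["msg"])
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures.setdefault(ip, []).append(e["time"])
            continue
        recent = [t for t in failures.get(ip, []) if e["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"time": e["time"], "ip": ip, "user": user, "failures": len(recent)})
    return alerts


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e["time"].isoformat(), e["source"], e["host"], e["msg"])
    for a in detect_bruteforce(timeline):
        print(f"ALERT {a['time'].isoformat()}: {a['failures']} failures, then login as {a['user']} from {a['ip']}")
```

Alice's key-based login from 10.0.0.7 produces no alert because no failures precede it; the threshold and window are the knobs an analyst tunes against the environment's normal failure rate.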

Tools covered: Both open-source and commercial tools

Operating systems covered: Windows, Linux, Unix 

Target group:
Administrators, security managers, CERTs, company investigators 

Prerequisites:
Good knowledge of Windows, Linux or Unix. Knowledge of attack methods and hacking techniques is an advantage. Having attended the "Hacking Extreme" training is an asset.

The training is conducted in German by an experienced trainer. The cirosec trainers work as consultants, which allows them to bring extensive and up-to-date practical experience to the course.

You will receive CPE credits for participating in the Forensics Extreme training. The training takes 24 hours, and you will receive a certificate on completion.

Dates:
on request

We would be glad to offer this course as an in-house training.

Your Trainers

Joshua Tiago

Managing Consultant

Marco Lorenz

Partner and Co-Founder

Duration

3 days

Dates

On request

Price

On request

What previous participants say

Frank Gebert, Wüstenrot & Württembergische AG
An excellent introduction to IT forensics. An adequate level to make the topic easy to understand.
Martin Intemann, RWE Dea AG
Ideal for decision makers in information security with technical background.

Your Contact Person

Do you want to protect your systems? Get in touch with us.