Intro to Digital Forensics & Incident Response (DFIR01)
Description
This eye-opening hands-on course provides a comprehensive overview of Digital Forensics and Incident Response (DFIR). The course starts with a review of recent incidents and how the incident response (IR) and digital forensics were handled. Typical goals of IR and digital forensics are covered, with an emphasis on defining what an “incident” is and the desired outcome of the incident response, based on risk and business objectives. Goals of DFIR range from placing a suspect behind a keyboard, to determining malware Indicators of Compromise (IOCs), to merely recovering “as quickly as possible.”
The Incident Response Methodology, based on NIST (National Institute of Standards and Technology) Special Publication 800-61r2, Computer Security Incident Handling Guide, is investigated in the IR portion of this course. Each of the four primary IR life cycle phases, (1) Preparation, (2) Detection & Analysis, (3) Containment, Eradication, & Recovery, and (4) Post-Incident Activity, is addressed in detail, using sample incidents to facilitate class discussion. Incident response also includes malware analysis and digital forensics. Each major digital forensics phase (evidence acquisition, evidence analysis, reporting, and expert witness testimony) is addressed. Numerous hands-on exercises, case studies, and challenges keep attendees engaged in a CTF (Capture the Flag) atmosphere, providing ample opportunity to apply and practice the concepts taught in the course.
OVERVIEW
- Incident Response Overview
- Incident Response Phases
- Digital Forensics Overview
- Digital Forensics Evidence Acquisition
- Digital Forensics Evidence Analysis
- Digital Forensics Reporting
PREREQUISITES
Attendees should have general knowledge of computer, networking, and operating system fundamentals; some exposure to file systems and network traffic analysis is recommended.
TOPICS COVERED
- Digital Evidence Acquisition
- Chain of Custody
- Hashing
- Order of Volatility
- Memory Acquisition
- Hard Drive Acquisition
- Digital Forensics
- Reporting
- AccessData FTK Imager
- Slack Space
- Disk Imaging Tools
- Write Blockers
- dd and dcfldd
- Disk Image Formats
- Memory Analysis
- Network Traffic Analysis
- Volatility
- Hex Editors
- NTFS Alternate Data Streams
- Scalpel
- The Sleuth Kit
- Expert Witness
- Network Miner
- TCP/IP
- Incidents in the News
- Incident Response Methodology
- NIST 800-61
- Prevention
- Detection
- Incident Response Goals
- Incident Response Process Lifecycle
- Preparation Phase
- Detection and Analysis Phase
- Containment, Eradication, & Recovery Phase
- Post-Incident Activity (Lessons Learned) Phase
- Incident Response Policy
- Incident Response Communications Plans
- Incident Response Tools and Toolkits
- Incident Response Checklist
- Hiding Data
- Steganography
- Disk Image Analysis
- File Carving
- Foremost
- Autopsy
- Evidence Handling Procedures
- Faraday Bags
- Wireshark
SAMPLE SOFTWARE AND TOOLS USED
- WinMD5Free
- MoonSols DumpIt
- Belkasoft Live RAM Capturer
- Volatility Framework
- JPHS
- Wireshark
- VMware
- Network Miner
- AccessData FTK Imager
- Autopsy
- Foremost