Focal Point

Endpoint Live Forensics Training

Endpoint Live Forensics

While there is undoubtedly a need for deep forensic analysis in the investigation of malware and operating system intrusions, an investigator has to know that an intrusion has occurred before that work can begin. Many organizations rely on technology to perform this task, but there is still no substitute for a well-trained analyst when it comes to identifying and investigating abnormal behavior on a system.

Training at a glance

Level

Intermediate

Duration

5 Days

Experience

3 years: Windows Systems

Average Salary

$152,773

Labs

Yes
Training Details

By the end of the course, you should be able to meet the following objectives:

  • Identify the core components of the operating system and ascertain their current state using built-in or other trusted tools
  • Analyze a running system and detect abnormal behavior relating to operating system objects such as processes, handles, network connections, etc.
  • Use event log analysis to verify and correlate the artifacts of anomalous behavior, and determine the scope of an intrusion
  • Use PowerShell to interact with the operating system and build scripts to automate repetitive analytic tasks
  • Create and use a system baseline to identify unexpected items such as rogue accounts or configuration changes

Lesson 1: Windows Core Components - OS Overview

  • OS Definition
  • Architecture Overview
  • OS Structure
  • OS Motivation
  • Kernel Mode vs. User Mode
  • Windows Structure
  • Windows Boot Process

 

Lab 

  • OS Familiarization

 

Lesson 2: Windows Core Components - The Registry

  • Registry Overview
  • Signs of File Execution
  • Registry Persistence Mechanisms
  • Baselining the Registry

 

Lab 

  • Navigate Regedit.exe and reg.exe
  • Add and remove keys and values
  • Investigate the registry for potentially malicious behavior
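The following script is an added example for this lesson, not course material: it walks the common registry autostart locations (Run, RunOnce, the WOW6432Node Run key and the Winlogon Shell/Userinit values), extracts the launched image from each value, and flags entries a responder would look at first. The key list, the "trusted" path prefixes and the script-host pattern are assumptions to tune per environment; run it elevated so the HKLM keys are readable.

```powershell
# Added example (not part of the course): enumerate common registry autostart
# locations and flag entries worth a closer look. The key list, trusted path
# prefixes and script-host pattern are assumptions; tune them per environment.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
# The Winlogon key holds many values; only these two launch code at logon.
$WinlogonLaunchValues = @('Shell', 'Userinit')
$TrustedPrefixes      = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$ScriptHostPattern    = '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'

# Pull the executable out of a command string: a quoted path, or the first
# token. Bare names (Winlogon Shell defaults to "explorer.exe") are resolved
# through PATH the way the loader would.
function Get-ImagePath([string]$Command) {
    $Expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Expanded.StartsWith('"')) {
        $End = $Expanded.IndexOf('"', 1)
        if ($End -gt 1) { $Image = $Expanded.Substring(1, $End - 1) }
    }
    if (-not $Image) { $Image = ($Expanded -split '\s+')[0].TrimEnd(',') }
    if (-not [IO.Path]::IsPathRooted($Image)) {
        $Resolved = Get-Command -Name $Image -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
        if ($Resolved) { $Image = $Resolved.Source }
    }
    return $Image
}

function Get-AutostartEntries {
    foreach ($Key in $AutostartKeys) {
        if (-not (Test-Path -Path $Key)) { continue }
        $RegKey = Get-Item -Path $Key
        foreach ($Name in $RegKey.GetValueNames()) {
            if ($Key -like '*\Winlogon' -and $Name -notin $WinlogonLaunchValues) { continue }
            $Command = [string]$RegKey.GetValue($Name)
            if ([string]::IsNullOrWhiteSpace($Command)) { continue }
            $Image   = Get-ImagePath $Command
            $Reasons = @()

            if (-not ($TrustedPrefixes | Where-Object { $Image.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $Reasons += 'image outside Windows/Program Files'
            }
            if ($Command -match $ScriptHostPattern) { $Reasons += 'script host / LOLBin in command' }
            if (-not (Test-Path -LiteralPath $Image -PathType Leaf)) {
                $Reasons += 'image not on disk'
            } else {
                $Sig = Get-AuthenticodeSignature -FilePath $Image
                if ($Sig.Status -ne 'Valid') { $Reasons += "signature: $($Sig.Status)" }
            }

            [pscustomobject]@{
                Key     = $Key
                Name    = $Name
                Command = $Command
                Image   = $Image
                Flags   = ($Reasons -join '; ')
            }
        }
    }
}

# Flagged entries first; the rest are kept for the record.
Get-AutostartEntries | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

An unsigned image is not proof of anything (plenty of legitimate software ships unsigned), so the flags are triage hints, not verdicts; the value of the output is in comparing it against the same listing taken from a known-good build of the same image.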

 

Lesson 3: Windows Core Components - Processes

  • What is a Process?
  • Process Tree
  • Single vs. Multiple Instances
  • Threads
  • Process Objects
  • Process Tools
  • Normal Windows Processes
  • Suspicious Processes

 

Lab 

  • Examine system information related to networking, sockets, and active connections with TCPView
  • Execute a piece of malware and document the findings

 

Lesson 4: Windows Core Components - Dynamic Link Libraries (DLLs)

  • Libraries
  • Program Linking
  • What are DLLs?
  • Imports and Exports
  • DLL Search Order
  • Code and DLL Injection
  • Known Windows DLLs

 

Lesson 5: Windows Core Components - Memory Management and Injection

  • Memory Management
  • Page Protections
  • Code and DLL Injection
  • Reflective DLL Injection
  • Hollow Process Injection

 

Lab 

  • Identify process injection using the discussed tools

 

Lesson 6: Windows Core Components - Services

  • What is a Service?
  • The Services Registry
  • Common Service Control Programs
  • Analyzing Services

 

Lab

  • Examine and interact with services using multiple tools
  • Differentiate information types and sources

 

Lesson 7: Windows Core Components - Logs and Timelines

  • Logs Overview
  • Event Logs
  • Scheduled Task Logs
  • Antivirus Logs
  • PowerShell Logs
  • Timelining
  • Anti-analysis

 

Lab

  • Analyze malicious behavior with EventViewer
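The script below is an added example for this lesson (not course material) showing how the logs listed above are pulled together into one timeline: process creation (Security 4688), service installation (System 7045) and PowerShell script block logging (Microsoft-Windows-PowerShell/Operational 4104) for the last N hours, each row tagged if it matches a few common indicators. The indicator pattern and the lookback window are assumptions. Reading the Security log requires an elevated shell; 4688 carries a command line only when "Include command line in process creation events" is enabled, and 4104 exists only when script block logging is on.

```powershell
# Added example (not part of the course): merge process creation, service
# installation and PowerShell script block events into one timeline and
# flag the usual indicators. Lookback window and pattern are assumptions.

$Hours            = 24
$Since            = (Get-Date).AddHours(-$Hours)
$IndicatorPattern = '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|' +
                    'certutil|bitsadmin|-enc|FromBase64String|DownloadString|IEX|Invoke-Expression'

# Turn an event's EventData block into a name -> value hashtable.
function Get-EventData($Event) {
    $Data = @{}
    $Xml  = [xml]$Event.ToXml()
    foreach ($D in $Xml.Event.EventData.Data) { $Data[[string]$D.Name] = [string]$D.'#text' }
    return $Data
}

function Get-Events([string]$LogName, [int]$Id) {
    # Get-WinEvent raises an error rather than returning nothing when no
    # event matches the filter, so silence it and let foreach see $null.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $Since } `
                 -ErrorAction SilentlyContinue
}

function New-Row($Time, [string]$Source, [string]$Detail) {
    [pscustomobject]@{
        Time    = $Time
        Source  = $Source
        Flagged = [bool]($Detail -match $IndicatorPattern)
        Detail  = $Detail
    }
}

function Get-IntrusionTimeline {
    $Rows = @()
    $Rows += @(foreach ($E in (Get-Events 'Security' 4688)) {
        $D = Get-EventData $E
        # ParentProcessName is only present on Windows 10 / Server 2016 and later.
        New-Row $E.TimeCreated 'ProcessCreate' `
            "$($D['ParentProcessName']) -> $($D['NewProcessName']) $($D['CommandLine'])".Trim()
    })
    $Rows += @(foreach ($E in (Get-Events 'System' 7045)) {
        $D = Get-EventData $E
        New-Row $E.TimeCreated 'ServiceInstall' `
            "$($D['ServiceName']) start=$($D['StartType']) account=$($D['AccountName']) image=$($D['ImagePath'])"
    })
    $Rows += @(foreach ($E in (Get-Events 'Microsoft-Windows-PowerShell/Operational' 4104)) {
        $D    = Get-EventData $E
        $Text = [string]$D['ScriptBlockText']
        New-Row $E.TimeCreated 'ScriptBlock' $Text.Substring(0, [Math]::Min(200, $Text.Length))
    })
    $Rows | Sort-Object Time
}

$Timeline = Get-IntrusionTimeline
$Timeline | Format-Table Time, Source, Flagged, Detail -AutoSize -Wrap
"Flagged rows: $(@($Timeline | Where-Object Flagged).Count) of $(@($Timeline).Count)"
```

The script walks the three logs separately and sorts afterwards because each channel has its own retention and the Security log typically rolls far faster than the others; a gap in 4688 coverage around the time a 7045 fires is itself worth noting in the report.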

 

Lesson 8: PowerShell

  • What Is PowerShell?
  • Cmdlets and Providers
  • Getting Help
  • Objects, Piping, and Selection
  • I/O and Formatting

 

Lab

  • Discover language features and cmdlets, using the PowerShell help system
  • Use object members to obtain more functionality from cmdlets and sort the output
  • Create variables and use static members

 

Lesson 9: PowerShell - Querying the Operating System

  • Processes
  • Services
  • User Accounts
  • Event Logs
  • File System
  • Registry
  • Network Connections

 

Lab

  • Demonstrate the use of PowerShell to access and display Process and Service attributes
  • Query Registry Keys using PowerShell
  • Access and display Registry and File System attributes with PowerShell
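The script below is an added example (not course material) covering the process and network queries from this lesson and the process tree, single-versus-multiple-instance and suspicious-process topics from Lesson 3. It snapshots Win32_Process once, checks each core system process against an expected parent, instance count and on-disk location, and joins established TCP connections to their owning process. The expectation tables are assumptions drawn from default Windows behaviour; adjust them for your build.

```powershell
# Added example (not part of the course): build the process tree from CIM,
# apply parent/instance/path expectations, and join established TCP
# connections to their owning process. Expectation tables are assumptions.

$ExpectedParent = @{
    'services.exe' = 'wininit.exe'
    'lsass.exe'    = 'wininit.exe'
    'svchost.exe'  = 'services.exe'
    'csrss.exe'    = 'smss.exe'
    'wininit.exe'  = 'smss.exe'
    'winlogon.exe' = 'smss.exe'
}
$SingleInstance = @('wininit.exe', 'services.exe', 'lsass.exe')
$SystemDir      = "$env:SystemRoot\System32\"

# PID -> Win32_Process, taken once so both functions see the same snapshot.
function Get-ProcessMap {
    $Map = @{}
    foreach ($P in Get-CimInstance -ClassName Win32_Process) { $Map[[int]$P.ProcessId] = $P }
    return $Map
}

function Get-ProcessTree {
    $ById   = Get-ProcessMap
    $Counts = @{}
    foreach ($P in $ById.Values) { $Counts[$P.Name.ToLower()] += 1 }

    foreach ($P in $ById.Values) {
        $Name    = $P.Name.ToLower()
        $Parent  = $ById[[int]$P.ParentProcessId]
        $Reasons = @()

        if ($ExpectedParent.ContainsKey($Name)) {
            if ($null -eq $Parent) {
                # smss.exe exits after spawning csrss/wininit/winlogon, so a
                # missing parent is normal for those three and suspicious otherwise.
                if ($ExpectedParent[$Name] -ne 'smss.exe') { $Reasons += 'parent exited' }
            } elseif ($Parent.Name.ToLower() -ne $ExpectedParent[$Name]) {
                # For the smss.exe children this can also be PID reuse; confirm
                # against the parent's CreationDate before calling it malicious.
                $Reasons += "parent is $($Parent.Name), expected $($ExpectedParent[$Name])"
            }
            # A process carrying a core system name must live in System32.
            # ExecutablePath is null for protected processes in a non-elevated shell.
            if ($P.ExecutablePath -and -not $P.ExecutablePath.StartsWith($SystemDir, 'OrdinalIgnoreCase')) {
                $Reasons += "system name outside System32: $($P.ExecutablePath)"
            }
        }
        if ($Name -in $SingleInstance -and $Counts[$Name] -gt 1) { $Reasons += 'multiple instances' }

        [pscustomobject]@{
            PID     = $P.ProcessId
            PPID    = $P.ParentProcessId
            Name    = $P.Name
            Parent  = if ($Parent) { $Parent.Name } else { '<exited>' }
            Path    = $P.ExecutablePath
            Started = $P.CreationDate
            Flags   = ($Reasons -join '; ')
        }
    }
}

function Get-NetworkByProcess {
    $ById = Get-ProcessMap
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $Owner = $ById[[int]$_.OwningProcess]
            [pscustomobject]@{
                PID     = $_.OwningProcess
                Process = if ($Owner) { $Owner.Name } else { '<unknown>' }
                Path    = if ($Owner) { $Owner.ExecutablePath } else { $null }
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

Get-ProcessTree | Where-Object Flags | Format-Table PID, PPID, Name, Parent, Path, Flags -AutoSize -Wrap
Get-NetworkByProcess | Sort-Object Process | Format-Table -AutoSize
```

Win32_Process is used instead of Get-Process because it exposes ParentProcessId, CommandLine and CreationDate in one object; Get-Process would need a second lookup for the parent and cannot see the parent of a process whose parent has exited.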

 

Lesson 10: PowerShell - Scripting with PowerShell

  • What Is a Script?
  • Branching
  • Repetition
  • Functions
  • Script I/O
  • Execution Policy

 

Lab

  • Modify a script using PowerShell

 

Lesson 11: PowerShell - Baselining with PowerShell

  • What Is Baselining?
  • Baselining Elements
  • Differencing Tools

 

Lab

  • Compose a Baseline Script with PowerShell
  • PowerShell Baseline Scenario
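The script below is an added example (not course material) of the baseline-and-difference approach this lesson and the last course objective describe: it snapshots processes, services, local users, local Administrators, scheduled tasks, Run keys and listening ports, persists the snapshot as JSON, and later diffs a fresh snapshot against it with Compare-Object. The category list, the line format and the baseline path are assumptions; Get-LocalUser, Get-LocalGroupMember and Get-ScheduledTask need Windows 10 / Server 2016 or later.

```powershell
# Added example (not part of the course): take a baseline of the items a
# responder expects to stay stable, save it as JSON, and diff a later run
# against it. Categories, line format and path are assumptions.

$BaselinePath = "$env:ProgramData\baseline.json"

# Flatten a scheduled task to "path\name|exec args && exec args".
function Get-TaskLine($Task) {
    $Actions = foreach ($A in $Task.Actions) { "$($A.Execute) $($A.Arguments)".Trim() }
    "$($Task.TaskPath)$($Task.TaskName)|$($Actions -join ' && ')"
}

function Get-RunKeyLines {
    foreach ($Key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -Path $Key)) { continue }
        $K = Get-Item -Path $Key
        foreach ($N in $K.GetValueNames()) { "$Key\$N|$($K.GetValue($N))" }
    }
}

# Every category is a sorted list of "key|value" strings so Compare-Object
# can diff them without any custom property comparison.
function New-Baseline {
    [ordered]@{
        Taken     = (Get-Date).ToString('o')
        Host      = $env:COMPUTERNAME
        Processes = @(Get-CimInstance -ClassName Win32_Process |
                      ForEach-Object { "$($_.Name)|$($_.ExecutablePath)" } | Sort-Object -Unique)
        Services  = @(Get-CimInstance -ClassName Win32_Service |
                      ForEach-Object { "$($_.Name)|$($_.StartMode)|$($_.PathName)" } | Sort-Object -Unique)
        Users     = @(Get-LocalUser |
                      ForEach-Object { "$($_.Name)|enabled=$($_.Enabled)" } | Sort-Object -Unique)
        # S-1-5-32-544 is the well-known SID of the local Administrators group.
        Admins    = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                      ForEach-Object { "$($_.Name)|$($_.ObjectClass)" } | Sort-Object -Unique)
        Tasks     = @(Get-ScheduledTask | ForEach-Object { Get-TaskLine $_ } | Sort-Object -Unique)
        RunKeys   = @(Get-RunKeyLines | Sort-Object -Unique)
        Listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                      ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique)
    }
}

function Save-Baseline([string]$Path = $BaselinePath) {
    New-Baseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-Baseline([string]$Path = $BaselinePath) {
    $Old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $New = New-Baseline
    foreach ($Category in 'Processes', 'Services', 'Users', 'Admins', 'Tasks', 'RunKeys', 'Listeners') {
        # @() keeps single-element and empty categories as arrays for Compare-Object.
        $Diff = Compare-Object -ReferenceObject @($Old.$Category) -DifferenceObject @($New.$Category)
        foreach ($D in $Diff) {
            [pscustomobject]@{
                Category = $Category
                Change   = if ($D.SideIndicator -eq '=>') { 'added' } else { 'removed' }
                Item     = $D.InputObject
            }
        }
    }
}

# On a known-good build:   Save-Baseline
# On the system under review, using the saved file:
Compare-Baseline | Sort-Object Category, Change | Format-Table -AutoSize -Wrap
```

Processes are the noisiest category and will always show churn; the signal is in the others, where an added user, a new Administrators member, a changed service PathName or a Run value that was not in the baseline each deserve a line in the incident notes. Store the baseline somewhere the host cannot rewrite it (a read-only share or a hash recorded off-box), since a baseline the attacker can edit tells you nothing.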

 

Lesson 12: PowerShell - Baselining Linux

  • File System
  • File Structure
  • Virtual File System
  • Links
  • Permissions
  • Accounts

 

Lab

  • Summarize the Linux File System permissions and file integrity
  • Demonstrate how Linux determines a user’s shell

 

Lesson 13: PowerShell - Privilege Escalation

  • Suid
  • Sudo
  • Wildcard Attacks

 

Lesson 14: PowerShell - Linux Internals

  • Processes
  • Scheduled Tasks
  • Networking
  • Services
  • Logs

 

Lab

  • Monitor and interact with services
  • Investigate processes and /proc filesystem
  • Investigate concepts regarding two systems

Who Should Attend

  • Incident Responders who need to quickly identify a security breach
  • Forensic Investigators needing to analyze the state of a running system
  • Malware Analysts requiring a thorough understanding of operating system intrusions

Prerequisites

  • Familiarity with the use of desktop operating systems, including command-line experience in Windows and/or Linux
  • Working knowledge of TCP/IP networking

We Offer More Than Just Focal Point Training

Our successful training results keep our corporate and military clients returning. That’s because we provide everything you need to succeed. This is true for all of our courses.

Strategic Planning & Project Management

From Lean Six Sigma to Project Management Institute Project Management Professional, Agile and SCRUM, we offer the best-in-class strategic planning and project management training available. Work closely with our seasoned multi-decade project managers.

IT & Cybersecurity

ATA is the leading OffSec and Hack the Box US training provider, and a CompTIA and EC-Council award-winning training partner. We offer the best offensive and defensive cyber training to keep your team ahead of the technology skills curve.

Leadership & Management

Let us teach your team the high-level traits and micro-level tools & strategies of effective 21st-century leadership. Empower your team to play to each others’ strengths, inspire others and build a culture that values communication, authenticity, and community.