[SFI] System Forensics and Incident Handling

By Paula Januszkiewicz

3 Days

The training was delivered successfully at many conferences worldwide, including Black Hat USA, Black Hat MEA, and Hack in Paris. 

EarlyBird - $2750 (+ GST)

General - $3000 (+ GST)

Late - $3300 (+ GST)

GST is 10% in Australia

Course Abstract:

Forensics and Incident Handling are constantly evolving and crucial topics in the area of cybersecurity. In order to stay ahead of attackers, the knowledge of the individuals and teams responsible for collecting digital evidence and handling incidents has to be constantly enhanced and updated.
This is a deep dive course on security operations: vulnerability management, anomaly detection, the discovery of industry attacks and threats, understanding what a compromised system or solution looks like, defining the indicators of an attack, incident handling, and daily operation of a SIEM platform. We will also walk through advanced access rights, password mechanisms, Windows internals, PowerShell usage for security purposes, gaining unauthorized access, advanced DNS configuration and common configuration mistakes, forensics techniques, Active Directory security, IIS security, debugging, advanced monitoring and troubleshooting, and much more! Topics covered during this training will help you to walk in hackers' shoes and evaluate your infrastructure from their point of view.
This course is based on practical knowledge from tons of successful projects, many years of real-world experience and no mercy for misconfigurations or insecure solutions!
Our training is designed to equip you with practical skills and knowledge to detect, respond to, and resolve computer security incidents. Here are three key takeaways:
- Master the incident handling process: Learn the essential steps involved in incident handling and how to execute them effectively to minimize damage and prevent future attacks.
- Identify vulnerabilities and threats: Discover how to detect malicious applications and network activity, as well as analyze system and network vulnerabilities. By understanding common attack techniques used to compromise hosts, you'll be better equipped to safeguard your organization's digital assets.
- Continuously improve your processes: Gain insights into how to continuously improve your security processes by discovering the root causes of incidents. With this knowledge, you'll be able to proactively prevent future incidents and stay ahead of cyber threats.

Trainer Bio

Paula Januszkiewicz is an experienced cybersecurity expert, CEO, and founder of CQURE Inc. and CQURE Academy. She is an honorary Microsoft Regional Director for CEE, an Enterprise Security MVP, and a top-rated conference speaker at events such as Microsoft Ignite, RSA, Black Hat, and more. Her presentation was voted the best at Black Hat Asia Briefings 2019. In 2017, she graduated from Harvard Business School.
Paula has over 18 years of experience in the field, including performing penetration tests, consulting, and delivering sessions and trainings. She is passionate about sharing her knowledge and has created security awareness programs for various organizations, including top management. Paula is also a member of the Technical Advisory Board at Royal Bank of Scotland, and has been granted access to the source code of Windows.


LinkedIn: https://www.linkedin.com/in/paulajanuszkiewicz/

Course Syllabus

Day 1:
Module 1: Introduction to Incident Handling
1. Types and Examples of Cybersecurity Incidents
2. Signs of an Incident
3. Incident Prioritization
4. Incident Response and Handling Steps
5. Procedures and Preparation
Module 2: Incident Response and Handling Steps
1. How to Identify an Incident
2. Handling Incidents Techniques
3. Incident Response Team Services
4. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
5. Incident Response Best Practices
6. Incident Response Policy
7. Incident Response Plan Checklist
8. Incident Handling Preparation
9. Incident Prevention
10. Following the Containment Strategy to Stop Unauthorized Access
11. Eradication and Recovery
12. Detecting the Inappropriate Usage Incidents
13. Multiple Component Incidents
14. Containment Strategy to Stop Multiple Component Incidents
Module 3: Windows Internals
1. Introduction to Windows Internals
2. Fooling Windows Task Manager
3. Processes and threads
4. PID and TID
5. Information gathering from the running operating system
6. Obtaining Volatile Data
7. A deep dive to Autoruns
8. Effective permissions auditing
9. PowerShell get NTFS permissions
10. Obtaining permissions information with AccessChk
11. Unnecessary and malicious services
12. Detecting unnecessary services with PowerShell


Day 2:
Module 4: Handling Malicious Code Incidents
1. Count of Malware Samples
2. Viruses, Worms, Trojans and Spyware
3. Incident Handling Preparation
4. Incident Prevention
5. Detection of Malicious Code
6. Containment Strategy
7. Evidence Gathering and Handling
8. Eradication and Recovery
Module 5: Network Forensics and Monitoring
1. Types and approaches to network monitoring
2. Network evidence acquisition
3. Network protocols and Logs
4. LAB: Detecting Data Thievery
5. LAB: Detecting WebShells
6. Gathering data from network security appliances
7. Detecting intrusion patterns and attack indicators
8. Data correlation
9. Hunting malware in network traffic
10. Encoding and Encryption
11. Denial-of-Service Incidents
12. Distributed Denial-of-Service Attack
13. Detecting DoS Attack
14. Incident Handling Preparation for DoS
15. DoS Response and Preventing Strategies
Module 6: Securing Monitoring Operations and Evidence Gathering
1. Industry Best Practices
2. Objectives of Forensics Analysis
3. Role of Forensics Analysis in Incident Response
4. Forensic Readiness And Business Continuity
5. Types of Computer Forensics
6. Computer Forensic Investigator
7. Computer Forensics Process
8. Collecting Electronic Evidence
9. Challenging Aspects of Digital Evidence
10. Forensics in the Information System Life Cycle
11. Forensic Analysis Guidelines
12. Forensics Analysis Tools
13. Memory acquisition techniques


Day 3:
Module 7: Memory: Dumping and Analysis
1. Introduction to memory dumping and analysis
2. Creating a memory dump - Belkasoft RAM Capturer and DumpIt
3. Utilizing Volatility to analyze a Windows memory image
4. Analyzing Stuxnet memory dump with Volatility
5. Automatic memory analysis with Volatile
Module 8: Memory: Indicators of compromise
1. Yara rules language
2. Malware detonation
3. Introduction to reverse engineering
Module 9: Disk: Storage Acquisition and Analysis
1. Introduction to storage acquisition and analysis
2. Drive Acquisition
3. Mounting Forensic Disk Images
4. Virtual disk images
5. Signature vs. file carving
6. Introduction to NTFS File System
7. Windows File System Analysis
8. Autopsy with other filesystems
9. External device usage data extraction (USB usage etc.)
10. Reviving the account usage
11. Extracting data related to the recent use of applications, files, etc.
12. Recovering data after deleting partitions
13. Extracting deleted files and file-related information
14. Extracting data from file artifacts like $STANDARD_INFORMATION etc.
15. Password recovery
16. Extracting Windows Indexing Service data
17. Deep-dive into Automatic Destinations
18. Detailed analysis of Windows Prefetch
19. Extracting information about program execution (UserAssist, RecentApps, Shimcache, appcompatcache etc.)
20. Extracting information about browser usage (web browsing history, cache, cookies, etc.)
21. Communicator apps data extraction
22. Extracting information about network activity
23. Building timelines
Module 10: Reporting – Digital Evidence
This module covers the restrictions and important details of digital evidence gathering. Moreover, a proper structure for a digital evidence report will be introduced.
