Course Description
This course provides a comprehensive overview of incident response and computer forensics. Topics range from establishing policies and procedures to collecting data from live Windows and Unix machines. Several hands-on exercises using the HELIX Forensics CD are incorporated into the course so that you can perform live forensic analysis on the operating system. Tools include: Windows Forensics Toolchest (WFT), Incident Response Collection Report (IRCR2), First Responder’s Evidence Disk (FRED), First Responder Utility (FRU), Md5 Generator, File Recovery, Rootkit Revealer and many others.
Course Outline
· Introduction to Incident Response and Forensics
o Real-World Incidents
o Case Studies
o Attack Lifecycle Phases
· Incident Response Process
o Incident Response Policy
o What is an Incident?
o Incident Response Goals
o NIST Incident Response Process
· Preparing for an Incident
o Pre-Incident Activities
· Data Collection
o Live Data Collection
· Evidence Handling
o Evidence
o Chain of Custody
o Evidence Integrity
· Network Evidence
o Network-based Evidence
o Goals of Network Monitoring
o Types of Network Monitoring
o Wireshark and Other Tools
· Memory Evidence
o Memory Forensics
o Memory Acquisition
o Redline
o Memory Analysis to Find Evil
§ Zeus
§ Stuxnet
§ Storm Worm Rootkit
§ TDSS Rootkit
· Remediation
o Remediation Workflow
o Remediation Owner
o Remediation Actions
· Putting it All Together
Prerequisites
SEC100 Information Security Essentials or equivalent experience
Duration
12 Hours | 2 Days or 4 Nights
Applies Towards the Following Certificates
- Cyber Security Certificate - 60 Hour : 60 Hour Certificate
- Cyber Security Certificate - 90 Hour : Required
*Academic unit eligibility is determined by the college/university in which you are enrolled in a degree-seeking program.