
Course information

AME2021 post-con: System Forensics and Incident Handling - 3 day Masterclass by Paula Januszkiewicz

Location: Culemborg (NL) or Remote
Date: Monday 15 November 2021, 9:00-16:30 CET (8:00-15:30 GMT / 2:00-9:30 US Central)
Days: 3
Price: € 2.399,00

Alongside Paula's keynote at AppManagEvent 2021 on November 12, you can attend this 3-day deep-dive course.

The training runs from Monday November 15 until Wednesday November 17 and includes a free ticket to AppManagEvent 2021. Sign up now, as seating for this exclusive content is limited.

About the course:
Forensics and incident handling are constantly evolving and crucial topics in cybersecurity. To stay ahead of attackers, the individuals and teams responsible for collecting digital evidence and handling incidents have to constantly enhance and update their knowledge. This advanced training provides the skills needed to find, collect and preserve data correctly, analyze it and learn as much about the incident as possible. It is an intense hands-on course covering the general approach to forensics and incident handling, network forensics, important aspects of Windows internals, memory and storage analysis, detecting indicators of compromise and proper reporting.

Target Audience:
IT professionals, forensics and incident handling specialists, security consultants, enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators and others responsible for implementing network and perimeter security.

Materials:
Author's unique tools, a virtual lab environment, hands-on exercises and presentation slides with notes.

Examples of tools, software and samples used during the course:

• Belkasoft RAM Capturer
• Wireshark
• Volatility
• The Sleuth Kit® (TSK)
• Autopsy
• DumpIt
• dc3dd
• Arsenal Image Mounter
• ReclaiMe
• ReFS images
• Sysinternals toolkit
• ShadowCopyView
• RegRipper
• Rifiuti2
• Registry Explorer / RECmd
• FullEventLogView
• EVTXtract
• Loki IOC Scanner
• YARA
• LECmd
• LinkParser
• PECmd
• SkypeLogViewer
• SQLiteBrowser
• NetworkMiner
• Stuxnet memory dump (sample)

Class Content:

Module 1: Introduction to Incident Handling
1. Types and Examples of Cybersecurity Incidents
2. Signs of an Incident
3. Incident Prioritization
4. Incident Response and Handling Steps
5. Procedures and Preparation

Module 2: Incident Response and Handling Steps
1. How to Identify an Incident
2. Incident Handling Techniques
3. Incident Response Team Services
4. Defining the Relationship between Incident Response, Incident Handling and Incident Management
5. Incident Response Best Practices
6. Incident Response Policy
7. Incident Response Plan Checklist
8. Incident Handling Preparation
9. Incident Prevention
10. Following the Containment Strategy to Stop Unauthorized Access
11. Eradication and Recovery
12. Detecting Inappropriate Usage Incidents
13. Multiple Component Incidents
14. Containment Strategy to Stop Multiple Component Incidents

Module 3: Windows Internals
1. Introduction to Windows Internals
2. Fooling Windows Task Manager
3. Processes and threads
4. PID and TID
5. Information gathering from the running operating system
6. Obtaining volatile data
7. A deep dive into Autoruns
8. Effective permissions auditing
9. Getting NTFS permissions with PowerShell
10. Obtaining permissions information with AccessChk
11. Unnecessary and malicious services
12. Detecting unnecessary services with PowerShell

Module 4: Handling Malicious Code Incidents
1. Count of Malware Samples
2. Viruses, Worms, Trojans and Spyware
3. Incident Handling Preparation
4. Incident Prevention
5. Detection of Malicious Code
6. Containment Strategy
7. Evidence Gathering and Handling
8. Eradication and Recovery

Module 5: Network Forensics and Monitoring
1. Types of and approaches to network monitoring
2. Network evidence acquisition
3. Network protocols and logs
4. LAB: Detecting data theft
5. LAB: Detecting webshells
6. Gathering data from network security appliances
7. Detecting intrusion patterns and attack indicators
8. Data correlation
9. Hunting malware in network traffic
10. Encoding and encryption
11. Denial-of-Service incidents
12. Distributed Denial-of-Service attacks
13. Detecting DoS attacks
14. Incident handling preparation for DoS
15. DoS response and prevention strategies
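The webshell lab in this module boils down to finding a server-side script that behaves unlike the rest of the application: it sits where only uploads or static files should be, is driven by POSTs with no referer from a scripting tool, and takes command-style parameters. The following is an added example, not part of the course materials or CQURE's tools: it parses IIS W3C extended log lines (IIS writes spaces inside a field as "+", which the sample follows) and scores each script request on those indicators. The log lines, the list of upload directories, the tool user-agent prefixes and the parameter names are all constructed for the demo and would be tuned per environment.

```python
"""
Hunt for webshell activity in IIS W3C extended log lines.

Added example (not course material). Each request to a server-side script is
scored by indicators typical of webshell traffic, then indicators are
aggregated per URI stem so an analyst sees which script paths to pull apart.
"""
from collections import defaultdict

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")
# Assumption: directories holding uploads or static content; they should never serve scripts.
UPLOAD_DIRS = ("/uploads/", "/images/", "/temp/", "/files/")
# Assumption: user-agent prefixes of scripting tools that real visitors rarely use.
TOOL_UA_PREFIXES = ("python-requests", "curl/", "go-http-client", "java/")
# Assumption: query parameter names commonly used by simple command shells.
CMD_PARAMS = {"cmd", "exec", "command", "run"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):           # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):      # malformed line: skip rather than misalign columns
            continue
        yield dict(zip(fields, parts))


def request_indicators(req):
    """Return the webshell indicators a single request exhibits (empty for non-scripts)."""
    stem = req["cs-uri-stem"].lower()
    if not stem.endswith(SCRIPT_EXT):
        return []                           # only server-side scripts can be shells
    reasons = []
    if stem.startswith(UPLOAD_DIRS):
        reasons.append("script under upload/static directory")
    if req["cs-method"] == "POST" and req["cs(Referer)"] == "-":
        reasons.append("POST without referer")
    ua = req["cs(User-Agent)"].lower()
    if ua == "-" or ua.startswith(TOOL_UA_PREFIXES):
        reasons.append("missing or tool user agent")
    query = req["cs-uri-query"].lower()
    if query != "-":
        names = {pair.split("=", 1)[0] for pair in query.split("&")}
        if names & CMD_PARAMS:
            reasons.append("command-style query parameter")
    return reasons


def hunt_webshells(text, min_indicators=2):
    """Aggregate indicators per URI stem; return stems showing at least min_indicators distinct ones."""
    per_stem = defaultdict(lambda: {"hits": 0, "clients": set(), "reasons": set()})
    for req in parse_w3c(text):
        reasons = request_indicators(req)
        if not reasons:
            continue
        entry = per_stem[req["cs-uri-stem"].lower()]
        entry["hits"] += 1                  # suspicious requests seen for this stem
        entry["clients"].add(req["c-ip"])
        entry["reasons"].update(reasons)
    return {
        stem: {"hits": e["hits"], "clients": sorted(e["clients"]), "reasons": sorted(e["reasons"])}
        for stem, e in per_stem.items()
        if len(e["reasons"]) >= min_indicators
    }


# Constructed sample log: normal traffic plus two requests to a planted shell.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-11-15 08:59:01 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 120
2021-11-15 08:59:30 10.0.0.5 POST /login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://shop.example/login.aspx 302 0 0 88
2021-11-15 09:01:12 10.0.0.5 POST /login.aspx - 443 - 203.0.113.22 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X) https://shop.example/login.aspx 302 0 0 91
2021-11-15 09:03:44 10.0.0.5 GET /images/logo.png - 443 - 203.0.113.22 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X) https://shop.example/ 200 0 0 5
2021-11-15 09:05:02 10.0.0.5 POST /uploads/avatar.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.26.0 - 200 0 0 340
2021-11-15 09:05:09 10.0.0.5 POST /uploads/avatar.aspx cmd=net+user+/domain 443 - 198.51.100.7 python-requests/2.26.0 - 200 0 0 1210
"""

if __name__ == "__main__":
    for stem, info in hunt_webshells(SAMPLE_LOG).items():
        print(f"{stem}: {info['hits']} suspicious requests from {', '.join(info['clients'])}")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

Requiring two distinct indicators per path keeps a single odd request (a legitimate POST from a monitoring script, say) from lighting up the report, while a real shell typically trips three or four at once. The legitimate /login.aspx POSTs in the sample carry a referer and a browser user agent, so they score nothing.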

 

 

Module 6: Securing Monitoring Operations and Evidence Gathering
1. Industry Best Practices
2. Objectives of Forensic Analysis
3. Role of Forensic Analysis in Incident Response
4. Forensic Readiness and Business Continuity
5. Types of Computer Forensics
6. The Computer Forensic Investigator
7. The Computer Forensics Process
8. Collecting Electronic Evidence
9. Challenging Aspects of Digital Evidence
10. Forensics in the Information System Life Cycle
11. Forensic Analysis Guidelines
12. Forensic Analysis Tools
13. Memory Acquisition Techniques

Module 7: Memory: Dumping and Analysis
1. Introduction to memory dumping and analysis
2. Creating a memory dump with Belkasoft RAM Capturer and DumpIt
3. Utilizing Volatility to analyze a Windows memory image
4. Analyzing the Stuxnet memory dump with Volatility
5. Automatic memory analysis with Volatile

Module 8: Memory: Indicators of compromise
1. Yara rules language
2. Malware detonation
3. Introduction to reverse engineering

Module 9: Disk: Storage Acquisition and Analysis
1. Introduction to storage acquisition and analysis
2. Drive acquisition
3. Mounting forensic disk images
4. Virtual disk images
5. Signature vs. file carving
6. Introduction to the NTFS file system
7. Windows file system analysis
8. Autopsy with other file systems
9. External device usage data extraction (USB usage etc.)
10. Reviewing account usage
11. Extracting data related to the recent use of applications, files etc.
12. Recovering data after deleting partitions
13. Extracting deleted files and file-related information
14. Extracting data from MFT attributes such as $STANDARD_INFORMATION
15. Password recovery
16. Extracting Windows Indexing Service data
17. Deep dive into AutomaticDestinations (Jump Lists)
18. Detailed analysis of Windows Prefetch
19. Extracting information about program execution (UserAssist, RecentApps, ShimCache/AppCompatCache etc.)
20. Extracting information about browser usage (web browsing history, cache, cookies etc.)
21. Communicator apps data extraction
22. Extracting information about network activity
23. Building timelines
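Items 19 and 23 of this module meet in the UserAssist key: its value names are ROT13-encoded program paths and each value is a small binary record holding a run counter and a last-execution FILETIME, so decoding the key yields a ready-made execution timeline. The following is an added example, not part of the course materials or CQURE's tools. It handles the 72-byte record layout Windows has used since Windows 7 (run count at offset 4, focus count at 8, focus time in milliseconds at 12, FILETIME at 60); the registry values it parses are constructed for the demo, and the known-folder table maps only the one GUID the sample uses (FOLDERID_System) back to a path.

```python
r"""
Parse Windows 7+ UserAssist registry values into a program-execution timeline.

Added example (not course material). UserAssist lives under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
The values below are constructed for the demo, not taken from a real system.
"""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100-ns ticks from here

# Explorer substitutes KNOWNFOLDERIDs for well-known folders in value names; the
# sample only uses FOLDERID_System, so that is the only one mapped back here.
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32"}


@dataclass
class UserAssistEntry:
    path: str
    run_count: int
    focus_count: int
    focus_time: timedelta
    last_executed: Optional[datetime]   # None when the FILETIME field is zero


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'never executed'."""
    if ft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: Optional[datetime]) -> int:
    """Inverse of filetime_to_datetime; used here only to build the sample records."""
    if dt is None:
        return 0
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def decode_name(rot13_name: str) -> str:
    """ROT13-decode a value name (digits and punctuation are untouched) and expand known-folder GUIDs."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        name = name.replace(guid, folder)
    return name


def parse_value(rot13_name: str, data: bytes) -> UserAssistEntry:
    """Parse the Win7+ layout: run count @4, focus count @8, focus ms @12, FILETIME @60."""
    if len(data) < 68:
        raise ValueError(f"{rot13_name}: expected the 72-byte Win7+ layout, got {len(data)} bytes")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return UserAssistEntry(
        path=decode_name(rot13_name),
        run_count=run_count,              # Win7+ counts from 0; the XP layout started its counter at 5
        focus_count=focus_count,
        focus_time=timedelta(milliseconds=focus_ms),
        last_executed=filetime_to_datetime(last_ft),
    )


def build_timeline(values: Dict[str, bytes]) -> List[UserAssistEntry]:
    """Parse every value and order those that carry a timestamp by last execution."""
    entries = (parse_value(name, data) for name, data in values.items())
    return sorted((e for e in entries if e.last_executed), key=lambda e: e.last_executed)


def make_value(run_count: int, focus_count: int, focus_ms: int, last: Optional[datetime]) -> bytes:
    """Build a constructed 72-byte record for the demo (unused fields left zero)."""
    buf = bytearray(72)
    struct.pack_into("<III", buf, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", buf, 60, datetime_to_filetime(last))
    return bytes(buf)


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: ROT13 of "{FOLDERID_System}\cmd.exe", "...\notepad.exe",
# "C:\Users\analyst\Downloads\tool.exe" and a never-executed "...\calc.exe".
SAMPLE_VALUES = {
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr": make_value(3, 2, 45000, utc(2021, 11, 15, 9, 0)),
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\abgrcnq.rkr": make_value(12, 9, 600000, utc(2021, 11, 14, 17, 30)),
    r"P:\Hfref\nanylfg\Qbjaybnqf\gbby.rkr": make_value(1, 1, 3000, utc(2021, 11, 15, 9, 5)),
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pnyp.rkr": make_value(0, 0, 0, None),
}

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_VALUES):
        print(f"{e.last_executed:%Y-%m-%d %H:%M:%S} UTC  runs={e.run_count:<3} focus={e.focus_time}  {e.path}")
```

The decoded path for an executable outside a known folder (the Downloads entry) comes out as a plain drive path, while System32 entries arrive as a GUID that has to be mapped back; on a real hive the table of GUIDs is longer, and a zero FILETIME or a record shorter than 72 bytes both need the handling shown rather than a silent bad timestamp.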

 

Module 10: Reporting – Digital Evidence
This module covers the restrictions and important details of digital evidence gathering. A proper structure for a digital evidence report is also introduced.

Facilities and catering:

The training classrooms are equipped with state-of-the-art systems, fully preconfigured for the training concerned.

During the training course, coffee, tea and soft drinks are available. The lunch break includes fresh sandwiches of your own choice; lunch is included in the course price.

About the trainer - Paula Januszkiewicz

Paula Januszkiewicz is the CEO and Founder of CQURE Inc. and CQURE Academy. She is also a Cloud and Datacenter Management MVP, an honorary Microsoft Regional Director for CEE and a world-class cybersecurity expert, consulting for customers all around the world.

In 2017, she graduated from Harvard Business School. Her quality-driven approach, extreme attention to detail and conference-speaking visibility brought CQURE, at an early stage, into the never-ending world of hacks, forensics, data theft and other security challenges. Paula established CQURE in 2008 and has since continued to build the team's professional image and cybersecurity skills; she currently owns and manages CQURE offices in New York (US), Dubai (UAE) and Zug (Switzerland), in addition to the headquarters in Warsaw (Poland). The CQURE Team's exceptional quality, unique cybersecurity knowledge, broad experience and excellent skills are in high demand on the enterprise market.

Paula has 15 years of experience in the cybersecurity field, performing penetration tests, architecture consulting, trainings and seminars. She has performed hundreds of security projects, including those for governmental organizations and large enterprises, while also being a top speaker and keynote speaker at many well-known conferences, including Microsoft Ignite (rated No. 1 speaker among 1100 speakers at a conference with 26,000 attendees), RSA (in 2017 in San Francisco her session was one of the 5 hottest sessions), Black Hat, TechEd North America, AppManagEvent, TechEd Europe, TechEd Middle East, CyberCrime etc., where she is often rated the No. 1 speaker. Her presentations draw thousands of people. In 2019, Paula's presentation was voted best of the Black Hat Asia 2019 Briefings.

She also creates security awareness programs for various organizations, including awareness sessions for top management (telecoms, banks, government etc.). Privately, she enjoys working with her research team, converting her research findings into leading-edge trainings and tools used in practice in projects. She wrote a book about Threat Management Gateway and is currently working on the next one. Recently, Paula became a member of the Technical Advisory Board at the Royal Bank of Scotland, helping to keep its security at the highest possible level.

She has been granted access to the Windows source code, an honor that only a few people around the world have.

Paula's presentations at Microsoft events:
https://channel9.msdn.com/Events/Speakers/Paula-Januszkiewicz
