KNIFE - Known Network Intrusion Forensic Examinations

32 Hours / 4-Day

This 4-day intermediate class is designed to provide the student with the skills and techniques to respond to a cyber intrusion incident. Students will learn the anatomy of an intrusion, the collection of memory and volatile artifacts, and techniques to unravel how the network was compromised.


Introduction and Tools Used on the Course

  • Introductions by the course instructor and students
  • An overview of the tools that will be utilized in the course for demonstrations and student practical exercises. References may be made to commercial products in addition to tools that are free and in the public domain to be utilized during the course.

Planning Incident Response

  • Incident Response Plan
    - Roles
    - Indicators (IOC)
    - Notification

  • Phases of Response
    - Identification
    - Monitoring / Containment
    - Recovery
    - Hardening

  • Anatomy of an Attack
    - Common Progression
    - Compromise
    - Stabilization
    - Expansion
    - Collection
    - Exfiltration

  • Live Response
    - Memory Collection
    - Persistence Examination
    - Execution Indicators
    - Log Analysis

Live Response

  • Response Toolkit and Commands
    - Create toolkit
    - Sysinternals tools
    - Command line tools

  • Basic Memory Structure
    - Pages
    - KDBG – Kernel Debugger Data Block
    - EPROCESS Block
    - PEB – Process Environment Block
    - VAD – Virtual Address Descriptor tree

  • Memory Acquisition
    - Live Collection
    - Pagefile
    - Hiberfil
    - Crash Dumps
    - Introduction to Volatility

  • Live Response
    - Profiles
    - Plugins

  • Volatility – Malicious Processes
    - Pslist
    - Psscan
    - Pstree
    - Pstotal
    - Malprocfind
    - Procdump
    - Dlllist
    - Dlldump

  • Volatility – Memory Objects
    - Handles
    - Modules
    - Moddump

Execution Identification / Log Analysis

  • Windows Artifacts
    - Prefetch
    - UserAssist
    - Shimcache
    - Amcache
    - Link Files
    - Recent Folder
    - SRUM
    - Volume Shadow Copies

  • Log File Analysis
    - Lateral Movement
    - Login Events
    - RDP logs
    - Account creation

  • Other Execution Identifiers
    - Task Scheduler
    - Services
    - PsExec

Advanced Memory / Persistence

  • Volatility – Network Artifacts
    - Netscan
    - Malfind

  • Volatility – Command line invocation
    - Cmdscan
    - Consoles

  • Volatility – Files
    - Filescan
    - Dumpfiles

  • Persistence Examinations

  • Introduction to Wireshark
    - PCAP
    - TCP/IP
    - Beaconing activity

Prerequisites

This hands-on course is geared towards forensic investigators with 6+ months' experience in forensic case work and a basic understanding of Microsoft data structures.

To gain the maximum benefit from this course, you should meet or exceed the following requirements:

  • Read and understand the English language
  • Have attended basic digital forensic training
  • Have previous investigative experience in forensic case work
  • Be familiar with the Microsoft Windows environment and data recovery concepts


Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.
