KNIFE - Known Network Intrusion Forensic Examinations
32 Hours / 4-Day
This 4-Day intermediate class is designed to provide the student with the skills and techniques to respond to a cyber intrusion incident. The students will learn the anatomy of an intrusion, collection of memory and volatile artifacts, and techniques to unravel the mystery of how the network was compromised.

Introduction and Tools Used on the Course
- Introductions by the course instructor and students
- An overview of the tools that will be utilized in the course for demonstrations and student practical exercises. References may be made to commercial products in addition to tools that are free and in the public domain to be utilized during the course.

Planning Incident Response
- Incident Response Plan
- Phases of Response
- Anatomy of an Attack
- Live Response
Roles
Indicators (IOC)
Notification
Identification
Monitoring / Containment
Recovery
Hardening
Common Progression
Compromise
Stabilization
Expansion
Collection
Exfiltration
Memory Collection
Persistence Examination
Execution Indicators
Log Analysis

Live Response
- Response Toolkit and Commands
Create toolkit
Sysinternals tools
Command line tools
- Basic Memory Structure
- Memory Acquisition
- Live Response
- Volatility – Malicious Processes
- Volatility – Memory Objects
Pages
KDBG – Kernel Debugger Data Block
EPROCESS Block
PEB – Process Environment Block
VAD – Virtual Address Descriptor tree
Live Collection
Pagefile
Hiberfil
Crash Dumps
Introduction to Volatility
Profiles
Plugins
Pslist
Psscan
Pstree
Pstotal
Malprocfind
Procdump
Dlllist
Dlldump
Handles
Modules
Moddump

Execution Identification / Log Analysis
- Windows Artifacts
- Log File Analysis
- Other Execution Identifiers
Prefetch
UserAssist
Shimcache
Amcache
Link Files
Recents Folder
SRUM
Volume Shadow Copies
Lateral Movement
Login Events
RDP logs
Account creation
Task Scheduler
Services
PsExec

Advanced Memory / Persistence
- Volatility – Network Artifacts
Netscan
malfind
- Volatility – Command line invocation
- Volatility – Files
- Persistence Examinations
- Introduction to Wireshark
Cmdscan
Consoles
Filescan
Dumpfiles
PCAP
TCP/IP
Beaconing activity

Course Information
- 32hrs of Instruction
- Course Manual
- Practical Files
- Attendance Certificate

Prerequisites
This hands-on course is geared towards forensic investigators with 6+ months of experience in forensic case work and a basic understanding of Microsoft data structures.
To gain the maximum benefit from this course, you should meet or exceed the following requirements:
- Read and understand the English language
- Have attended basic digital forensic training
- Have previous investigative experience in forensic case work
- Be familiar with the Microsoft Windows environment and data recovery concepts

Request the Syllabus
Contact Spyder Forensics for more details about the course.

Hosting Courses
If you are interested in hosting this, or any of our courses at your facility, contact us.