ADVANCED FORENSICS COURSE

Transcription

1 ADVANCED FORENSICS COURSE PRACTITIONER COURSE (3 DAYS) «Le cours de base présente les connaissances de bases relatives aux méthodes de recherche et d investigation des incidents, la gestion de l incident génériques et les méthodes de triage. Il traite aussi des infrastructures, des réseaux et de leurs détecteurs, l acquisition des données, des logs et des senseurs. Les investigations spécifiques à l environnement Windows, les premières réactions et les analyses des journaux seront aussi traités, ainsi que les gestions des logiciels malveillants. Chaque domaine de connaissance fera l objet d une présentation des concepts et des connaissances à maîtriser ainsi qu un exercice ou une discussion d un cas type.» «Deze basiscursus geeft de deelnemer inzicht in zowel in het incident management als de onderzoeksmethoden die hiermee gepaard gaan. De verschillende domeinen die aan bod komen zijn de incident response infrastructuur, netwerken en de detectie mechanismen, data acquisition technieken, logs en sensoren. Verder wordt er dieper ingegaan op de Windows omgeving, de first response, de analyse van de de logs en hoe om te gaan met malware. Voor elk kennisgebied van van dit domein zal er een presentatie van de concepten zijn en een oefening of bespreking van een testcase.» TARGET AUDIENCE security team, incident responders AGENDA The Advanced Course shall be developed based on content from the list below. Three days including four sessions of 90 minutes on each day shall be structured as follows: DAY 1 - Introduction: Presentation of the course and of the domains that shall be lectured, plus administrative and practical considerations during the seminar Forensic Basic - Introduction and Overview (theory) 01 - Forensics Basic - Infrastructure (theory) 02 - Forensics Basic - Sensors and Detectors (theory) 03 - Forensics Basic - Network Sensors (theory) DAY 2 lectured during the day, plus administrative and practical considerations Forensics Basic - Windows Hosts and Service Sensors (theory)

2 05 - Forensics Basic Triage (theory + exercise(s)) 06 - Forensics Basic - First Response on Windows Endpoint (theory + demo(s)) 07 - Forensics Basic - Data Acquisition (theory + demo(s)) DAY 3 lectured during the day, plus administrative and practical considerations Forensics Basic - Log Analysis (theory) 09 - Forensics Basic - Introduction to forensics analysis on Windows systems (theory + demo(s)) 10 - Forensics Basic - Handling Malware (theory + demo(s)) - Conclusion of the seminar: summary of what has been discussed during the seminar (3 days). - Examination (30 ): Multiple choice questions related to the domains of knowledge that have been presented. This shall be followed by a request that participants fill the appreciation and feedback form Coffee break sessions and lunch separate each 90 session on each day. Each domain of knowledge shall include references and links that will help participants to progress their knowledge during and after the training takes place. ADVANCED COURSE (3 DAYS) The Advanced Course shall be developed based on content from the list below. Three days including four sessions of 90 minutes on each day shall be structured as follows: DAY 1 - Introduction: Presentation of the course and of the domains that shall be lectured, plus administrative and practical considerations during the seminar Forensic Basic - Introduction and Overview (theory) 01 - Forensics Basic - Infrastructure (theory) 02 - Forensics Basic - Sensors and Detectors (theory) 03 - Forensics Basic - Network Sensors (theory) DAY 2 lectured during the day, plus administrative and practical considerations Forensics Basic - Windows Hosts and Service Sensors (theory) 05 - Forensics Basic Triage (theory + exercise(s)) 06 - Forensics Basic - First Response on Windows Endpoint (theory + demo(s)) 07 - Forensics Basic - Data Acquisition (theory + demo(s)) DAY 3

3 lectured during the day, plus administrative and practical considerations Forensics Basic - Log Analysis (theory) 09 - Forensics Basic - Introduction to forensics analysis on Windows systems (theory + demo(s)) 10 - Forensics Basic - Handling Malware (theory + demo(s)) - Conclusion of the seminar: summary of what has been discussed during the seminar (3 days). - Examination (30 ): Multiple choice questions related to the domains of knowledge that have been presented. This shall be followed by a request that participants fill the appreciation and feedback form Coffee break sessions and lunch separate each 90 session on each day. Each domain of knowledge shall include references and links that will help participants to progress their knowledge during and after the training takes place. BODY OF KNOWLEDGE: 0 - FORENSIC BASIC - INTRODUCTION AND OVERVIEW (THEORY) 1.About the Technical aspects handled during this course 1.1 Appropriately handling logs 1.2 Appropriately handling and preserving forensic traces for future investigations and as potential evidence 2 About the Pragmatic Good Practices handled during this course 2.1 When & why to choose for Forensic Evidence Preservation instead of Service Availability 2.2 Incident Management Handling Process Detection of Events And Incidents Limiting Impact Determining Patient Zero Collecting and Storing Appropriately Forensic Evidence Respecting the Proper Chain of Custody Escalation and Reporting 01 - FORENSICS BASIC - INFRASTRUCTURE (THEORY) 1. Infrastructure 2. Privacy 3. Sharing Work 3.1 Git Server 3.2 GPG 4. Virtualized Environments and Containerized Environments 4.1 Virtualbox 4.2 Vagrant 4.3 Docker 5. Setting Up Tools 5.1 Ticketing System 5.2 Passwords

4 5.3 Forensic Storage Systems 5.4 CMDB 5.5 OSQuery Server 5.6 GRR Server 5.7 CRM Database 6. Communication 6.1 Regular Communication 6.2 Out-of-band Communication 02 - FORENSICS BASIC - SENSORS AND DETECTORS (THEORY) 1. Sensors And Detectors 2. Vantage and Domain 3. Vantages: Sensor Placement 4. Domain: Determining Data That Can Be Collected 5. Actions: What a Sensor Does with Data 03 - FORENSICS BASIC - NETWORK SENSORS (THEORY) 1. Network Sensors 2. Network Layers and Vantage 3. Network Layers and Addressing 4. Packet Data 5. NetFlow 04 - FORENSICS BASIC - WINDOWS HOSTS AND SERVICE SENSORS (THEORY) 1. Log Files 1.1 Application and System Logs 1.2 Powershell Log 1.3 Security Log 2. Command Line Logs 3. DNS Logs 4. DHCP Logs 5. Additional log information by using sysinternals sysmon 6. Log File Transport 7. What Events to Capture 7.1 Configuring Windows System Audit Policies 7.2 Windows EventIDs of Interest 8. EMET 9. WMIC 10. Canaries and Honeypots 05 - FORENSICS BASIC TRIAGE (THEORY + EXERCISE(S)) 1. Origins of Triage 2. Traffic Light Protocol 3. Escalation Path 3.1 When to escalate 3.2 Communication 4. Information Security Triage on Windows Systems 4.1 Prioritization 4.2 User Context 4.3 Incident Taxonomy

5 4.3.1 Events Incident Types 5. Playbooks 5.1 Case study: Ransomware 06 - FORENSICS BASIC - FIRST RESPONSE ON WINDOWS ENDPOINT (THEORY + DEMO(S)) 1. File naming convention 2. Hash Calculation 3. The basic questions 4. OSQuery 5. Log Analysis 6. Hash Database of Known Good 7. Hash Database of Known Bad 8. Volatile Data 9. Network 9.1 Obtaining ARP Tables 9.2 Obtaining a system s MAC Address 9.3 Shares 9.4 Sessions 9.5 NetBIOS over TCP/IP 9.6 Ports 9.7 Firewall Configuration 9.8 DNS Cache 9.9 Wireless 10. Processes 10.1 Child Process 10.2 DLL 10.3 Mutexes 10.4 Processes of Interest 11. Services 12. USB 13. IOC and First Response 14. YARA and First Response 07 - FORENSICS BASIC - DATA ACQUISITION (THEORY + DEMO(S)) 1. Chain of Custody 2. Tool Register 3. Hashing Evidence 4. Network Capture 5. Memory Capture 6. Disk Imaging 7. Cloud 8. Virtual Environments 9. Databases 08 - FORENSICS BASIC - LOG ANALYSIS (THEORY) 1. Log Policy 2. Log Quality 3. Log Integrity

6 4. Information Requirements 5. Events To Monitor For 5.1 Security Events 5.2 Non-Security Events 6. Mathematical Sets 7. ETL: Extract Transform Load 8. Data Transformations 8.1 IP Addresses 8.2 AAAA Records 8.3 Timestamps 8.4 Fields and Delimiters 9. SIEM 9.1 Log-MD 9.2 Kibana 09 - FORENSICS BASIC - INTRODUCTION TO FORENSICS ANALYSIS ON WINDOWS SYSTEMS (THEORY + DEMO(S)) 1. Forensic Disciplines 1.1 Network Forensics 1.2 System Forensics Windows & Computer Forensics Windows & Mobile Forensics Windows & SCADA Forensics 1.3 Windows & Database Forensics 2. Introduction to basic memory forensics with Volatily 3. Introduction to using a disk image 4. Introduction to Windows Artefacts 10 - FORENSICS BASIC - HANDLING MALWARE (THEORY + DEMO(S)) 1. Information Sharing Platforms 1.1 MISP 1.2 Threat Sharing Platforms 1.3 Alienvault OTX 1.4 IBM X-force 1.5 ThreatConnect 2. Archiving Malware in the Malware Zoo 3. Dynamic Analysis of Malware 3.1 In-house Solutions 3.2 External Solutions 2017 The information contained in this draft document belong to ICTC.EU, Dirk De Nijs and Erik Vanderhasselt. The final document shall contain information to be used by the Belgian Cybersecurity Centre for their training project in cooperation with ICTC.EU. For any information related to this document, please contact the authors at